Mobile Authentication with Access Tokens

[khan-umer]

Hello everybody,

as per the documentation Mobile Authentication with Access Tokens
I'm able to authenticate my Api using access token with postman application.

but if access token is not provided or invalid token is given then it response with status 200 with Login view.
I think for Api it should respond with error like unauthorize access or something like this.

maybe I'm missing some concept for Mobile Authentication with Access Tokens. if any please help me by leave some reference here.
if it's ok, then how to handle such case for mobile Api

[datamweb]

I think for Api it should respond with error like unauthorize access or something like this.

In this regard, I agree with you. In my opinion, necessary changes should be made.

Also, this issue was previously raised by @jozefrebjak in #433 .

I personally followed up to make a change, but unfortunately I did not receive an answer.
Currently, the only solution is to copy filter TokenAuth and make desired changes.

shield/src/Filters/TokenAuth.php

Lines 51 to 53 in 84a4f31

	if (! $result->isOK() || (! empty($arguments) && $result->extraInfo()->tokenCant($arguments[0]))) {
	return redirect()->to('/login');
	}

[jozefrebjak]

@datamweb @khan-umer Here is my working filter for api routes:

<?php

declare(strict_types=1);

namespace Modules\Api\Rest\V1\Filters;

use CodeIgniter\Exceptions\PageNotFoundException;
use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\IncomingRequest;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\Response;
use CodeIgniter\HTTP\ResponseInterface;

class ApiFilter implements FilterInterface
{
    /**
     * @param array|null $arguments
     *
     * @return Response|void
     */
    public function before(RequestInterface $request, $arguments = null)
    {
        if (! $request instanceof IncomingRequest) {
            return;
        }

        if (! config('RestApi')->enabled) {
            throw PageNotFoundException::forPageNotFound();
        }

        helper(['auth', 'setting']);

        $uri      = $request->getUri();
        $segments = $uri->getSegments();

        if (in_array('api', $segments, true)) {
            $validCreds = auth('tokens')->check([
                'token' => $request->getHeaderLine(setting('Auth.authenticatorHeader')['tokens'] ?? 'Authorization'),
            ]);

            if (! $validCreds->isOK()) {
                $response = service('response');
                $response->setStatusCode(401, 'unauthorized');
                $response->setJSON([
                    'status'  => false,
                    'message' => lang('Api.invalidToken'),
                ]);

                return $response;
            }
        }
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null): void
    {
    }
}

it's added as alias to global filters, and then just protecting api routes like:

$routes->group(
    'api/rest/v1/',
    [
        'namespace' => 'Modules\Api\Rest\V1\Controllers',
        'filter'    => 'rest-api',
    ],
    static function ($routes): void {
   // API ROUTES
    }
);

[datamweb]

Thanks for sharing, I hope it is useful enough for users.

[khan-umer]

@jozefrebjak Thanks for sharing code snippet, but for api routes we already using Auth filter name tokens as shown here
$routes->group('api/v1/', ["filter" => "tokens"], static function ($routes) { $routes->resource('dev', ['except' => 'index,new','edit']); });

please correct me, if I'm wrong.
your rest-api filter seems good but as per my understanding there no use of shield's tokens filter. because of creating new filter.