10 minute hack to PHP OAuth and the Slim framework

I am sampling a few different technologies for creating a new web service, and the PHP micro framework Slim comes up all over Google, so I figured I would give it a try. Everything is pretty simple to get rolling. Make sure you get the .htaccess file out of the source zip if your OS hides it from you. Within minutes you have a RESTful framework. At the time of this writing 1.5 is the stable release. The next version, 1.6, is supposed to have even more bells and whistles.

Here is an example from the Slim website:

require 'Slim/Slim.php';
$app = new Slim();
$app->get('/hello/:name', function ($name) { echo "Hello, $name!"; });
$app->run(); // dispatches the request to the matching route
That is it … you now have an endpoint. It was more technically challenging to find the documentation than it was to create the first endpoint.
So, cool, you can do cool stuff with this, like make it say hello world (assuming your name was world). But I wanted OAuth integrated into it while I watched Moneyball.
Naturally, I could rely on code.google.com to have the OAuth code available: http://code.google.com/p/oauth/
I only needed 2-legged authentication, so my world was a little easier. Here is the code to get it working in …… 45 seconds. It is not pretty, and yes, unicorns died because I used globals.
require 'OAuth.php';

function require_auth()
{
	global $dbmain;
	$method = $_SERVER['REQUEST_METHOD'];
	$uri = 'http://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
	$valid = false;
	$data = null;
	if (array_key_exists('oauth_consumer_key', $_REQUEST)) {
		// get secret
		$sql = "select consumer_secret,uid from `w_user` where consumer_key='" . $dbmain->real_escape_string($_REQUEST['oauth_consumer_key']) . "'";
		$result = $dbmain->query($sql);
		$data = $result->fetch_object();
		if ($data && array_key_exists('oauth_signature', $_REQUEST)) {
			$key = $_REQUEST['oauth_consumer_key'];
			$secret = $data->consumer_secret;
			$consumer = new OAuthConsumer($key, $secret);
			$sig_method = new OAuthSignatureMethod_HMAC_SHA1;

			$sig = $_REQUEST['oauth_signature'];
			// the library parses the query string out of $uri; no token in 2-legged OAuth
			$req = new OAuthRequest($method, $uri);
			$valid = $sig_method->check_signature($req, $consumer, null, $sig);
		}
	}
	// unknown key, missing signature or bad signature: all get the 401
	if (!$valid) {
		header('HTTP/1.1 401 Unauthorized', true, 401);
		die('HTTP/1.1 401 Unauthorized');
	}
	return $data->uid;
}


Bammmm – so now I have my super quick function that checks the OAuth signature and if it doesn’t pass it tells the people to GTFO.
Some of my endpoints are public and some are private. For the public ones, I just left them alone. For the private ones, I just add at the top of the handling function:
$id = require_auth(); // if it fails it will die and give a 401 GTFO
                     // if not, the uid will be returned.
There are several other checks that need to be put in place, and prepared statements should be used, but as a proof of concept I am happy.
A final snippet from my quick example is:
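Those other checks, as an added example that is not code from the original post or from the oauth library: a self-contained 2-legged HMAC-SHA1 verifier that builds the RFC 5849 base string itself, compares in constant time with hash_equals, rejects stale timestamps, and looks the secret up with a prepared statement. The function names are hypothetical and $dbmain is assumed to be a mysqli connection.

```php
<?php
// Added example, not code from the original post or from the oauth library.
// Function names are hypothetical; $dbmain is assumed to be a mysqli connection.

// RFC 5849 §3.6 percent-encoding (rawurlencode already matches RFC 3986 on PHP >= 5.3).
function oauth_encode($s) { return str_replace('%7E', '~', rawurlencode((string)$s)); }

// RFC 5849 §3.4.1: "METHOD&base-URL&params", params sorted by encoded name, minus oauth_signature.
function oauth_base_string($method, $base_url, array $params) {
    unset($params['oauth_signature']);
    $enc = array();
    foreach ($params as $k => $v) { $enc[oauth_encode($k)] = oauth_encode($v); }
    ksort($enc, SORT_STRING);
    $pairs = array();
    foreach ($enc as $k => $v) { $pairs[] = $k . '=' . $v; }
    return strtoupper($method) . '&' . oauth_encode($base_url) . '&' . oauth_encode(implode('&', $pairs));
}

// HMAC-SHA1 keyed with "consumer_secret&token_secret"; 2-legged means the token secret is empty.
function oauth_sign($method, $base_url, array $params, $consumer_secret) {
    $key = oauth_encode($consumer_secret) . '&';
    return base64_encode(hash_hmac('sha1', oauth_base_string($method, $base_url, $params), $key, true));
}

// True only if the signature matches (constant-time) and the timestamp is inside the replay window.
// A nonce store keyed on (consumer_key, nonce, timestamp) would close replay inside the window too.
function oauth_verify($method, $base_url, array $params, $consumer_secret, $now, $window = 300) {
    if (!isset($params['oauth_signature'], $params['oauth_timestamp'], $params['oauth_nonce'])) return false;
    if (abs($now - (int)$params['oauth_timestamp']) > $window) return false;
    return hash_equals(oauth_sign($method, $base_url, $params, $consumer_secret), $params['oauth_signature']);
}

// Drop-in for the post's require_auth(): prepared statement for the secret, 401 on any failure.
function require_auth_checked(mysqli $dbmain) {
    $params = $_GET + $_POST;                                  // query and form fields only, never cookies
    $base_url = 'http://' . $_SERVER['SERVER_NAME'] . strtok($_SERVER['REQUEST_URI'], '?');
    $secret = $uid = null;
    if (isset($params['oauth_consumer_key'])) {
        $stmt = $dbmain->prepare('SELECT consumer_secret, uid FROM w_user WHERE consumer_key = ?');
        $stmt->bind_param('s', $params['oauth_consumer_key']);
        $stmt->execute();
        $stmt->bind_result($secret, $uid);
        if ($stmt->fetch() && oauth_verify($_SERVER['REQUEST_METHOD'], $base_url, $params, $secret, time())) {
            return $uid;
        }
    }
    header('HTTP/1.1 401 Unauthorized', true, 401);
    die('HTTP/1.1 401 Unauthorized');
}
```

Call $id = require_auth_checked($dbmain); at the top of a private route where the post calls require_auth(); a client signing with the same consumer secret over the same method, URL and parameters verifies, and any change to the parameters or a timestamp outside the five-minute window gets the 401.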
$app->get('/user/', function () {
	global $dbmain; // another unicorn, going to eat magical meat tonight
	$id = require_auth(); // dies with a 401 unless the signature checks out
	$sql = "select first_name, last_name, email_address, default_phone from w_user where uid='" . $id . "'";
	$result = $dbmain->query($sql);
	$json_holder = array();
	while ($row = $result->fetch_object()) {
		$tempArray = $row;
		array_push($json_holder, $tempArray);
	}
	echo json_encode($json_holder);
});
