This article covers the basic authorization of a Server Side application built using DotKernel API
Protecting an endpoint
- no-auth: the resource can be accessed without the need of authentication/authorization
- authentication: the resource can be accessed only by authenticated users
- authorization: the resource can be accessed only by authenticated AND authorized users
config/autoload/authorization.local.php
NOTE If this file is missing from your application, locate it's dist file:You should look for the array inside this config key:config/autoload/authorization.local.php.distand copy-paste it as the above-mentionedconfig/autoload/authorization.local.php
zend-expressive-authorization-rbac
'zend-expressive-authorization-rbac' => ,
'member' => ,
'guest' => ,
],
'permissions' => ,
],
]
Under the key roles you can define role inheritance. In the above example
- admin inherits from no other role
'admin' => []
- member inherits from admin
'member' =>
- guest inherits from member
'guest' =>
1. No-auth endpoints:
These endpoints can be accessed without authentication/authorization. Examples could be: login, register, contact etc... Creating a route for such an endpoint will use only the handler(s) responsible for returning the content:
$app->get('/users', UserHandler::class, 'users');
2. Endpoints requiring Authentication:
These endpoints can be accessed only if a validBearer token is present in the request headers. Else, the API will return a **401 Unauthorized** response. Creating a route for such an endpoint will have a structure similar to the following example:
$app->get('/users', , 'users');
3. Endpoints requiring Authorization:
These endpoints can be accessed only if a valid Bearer token is present in the request headers. Else, the API will return a **403 Forbidden** response. Creating a route for such an endpoint will have a structure similar to the following example:
$app->get('/users', , 'users');