I still don’t understand how the authentication works. I have an Android app that needs to call my API and log in, but the Yii2 authentication method asks for the auth_key or token. I don’t have that information at the first login. Don’t I need to do something like:
You don't need to pay, because Yii2 is open source and much more precious than your doubts.
You just need to explain details about your application, like:
Are you handling the same database for your Android application and web application (meaning whether it is web-services based or not)?
Clarify your database structure with the Yii2 advanced application user table and go through the User model that is generated automatically in the app (that is how auth works in a Yii2 app; it is session based).
The password is visible in the URL. You can resolve this by sending an HTTP POST request and not a GET request.
If you are implementing a REST API, then NO LOGIN OR SESSION should be created. Instead, your mobile application should send a TOKEN. A TOKEN should be a unique value, and it should be generated for every customer. When your mobile application contacts the REST API, it should send the TOKEN. When your application receives a token, then your application should check whether the token is valid and whether the TOKEN exists. If yes, then send the mobile app the data it requested; if not, return an error message.
Guys, thanks for the tips and sorry for being frustrated. I’m getting somewhere.
Now the authentication works, but I’m not able to retrieve the token, so for every request that I make I need to send the user credentials via HttpBasicAuth. This is my behavior:
and I have implemented findIdentityByAccessToken in my common/models/User.
So now the next step would be retrieving the token, or if there is no token, creating one, so that on the next request I would just send the token and not the entire user credentials all the time. Am I thinking correctly? If so, any clue on how to proceed next?
Every phone should just send you a token. A token can be any unique string like: abbsdikiwo123!akksdjjawe.
When your phone sends a token, you have to check whether the token exists; if yes, then the token is valid and the user can execute your API function, otherwise you should print an error message.
You don’t need any HTTP Auth methods to implement this.
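Putting the thread's advice together (send credentials once over POST, issue a token, then check that token on every later request through `findIdentityByAccessToken` with no session and no HttpBasicAuth), here is an added example written for this reply. It is not the original poster's code and not part of Yii2 or the advanced template; it assumes the template's `common\models\User` (with its `findByUsername()`, `validatePassword()` and `STATUS_ACTIVE`) plus a hypothetical `access_token` column on the `user` table, and the controller name `AuthController` is likewise made up for the example.

```php
<?php
// Added example, not from the thread or from Yii2 itself.
// Assumes: Yii2 advanced template, a `user` table with an `access_token`
// column (hypothetical), and the `user` component configured with
// 'enableSession' => false so REST requests never create a session.

namespace api\controllers;

use Yii;
use yii\rest\Controller;
use yii\filters\auth\HttpBearerAuth;
use yii\web\UnauthorizedHttpException;
use common\models\User;

class AuthController extends Controller
{
    public function behaviors()
    {
        $behaviors = parent::behaviors();
        // Every action except `login` needs `Authorization: Bearer <token>`.
        // HttpBearerAuth hands the token to User::findIdentityByAccessToken();
        // no cookie, no session, no HttpBasicAuth on later requests.
        $behaviors['authenticator'] = [
            'class' => HttpBearerAuth::class,
            'except' => ['login'],
        ];
        return $behaviors;
    }

    /**
     * POST /auth/login with `username` and `password` in the request body,
     * never in the query string, so the password does not end up in URLs or logs.
     * Credentials are sent exactly once; the response carries the token.
     */
    public function actionLogin()
    {
        $request = Yii::$app->request;
        $user = User::findByUsername((string) $request->post('username'));
        // Same error for "no such user" and "wrong password" so the API
        // does not reveal which usernames exist.
        if ($user === null || !$user->validatePassword((string) $request->post('password'))) {
            throw new UnauthorizedHttpException('Invalid username or password.');
        }
        // Issue a fresh, unguessable token on each login. generateRandomString()
        // draws from a CSPRNG, which is what "unique" has to mean for a credential.
        $user->access_token = Yii::$app->security->generateRandomString(64);
        $user->save(false);
        return ['access_token' => $user->access_token];
    }

    /** GET /auth/me: reachable only with a valid Bearer token. */
    public function actionMe()
    {
        $user = Yii::$app->user->identity;
        return ['id' => $user->id, 'username' => $user->username];
    }

    /** POST /auth/logout: invalidate the token server-side; the app discards its copy. */
    public function actionLogout()
    {
        $user = Yii::$app->user->identity;
        $user->access_token = null;
        $user->save(false);
        return ['ok' => true];
    }
}

// The matching lookup in common/models/User. The template ships this method
// throwing NotSupportedException; this version is the example's replacement.
// Only active users with a non-empty token match, so a cleared token (logout)
// or a blocked account cannot authenticate.
//
// public static function findIdentityByAccessToken($token, $type = null)
// {
//     if ($token === null || $token === '') {
//         return null;
//     }
//     return static::findOne(['access_token' => $token, 'status' => self::STATUS_ACTIVE]);
// }
```

The Android app calls `POST /auth/login` once, stores the returned `access_token`, and sends `Authorization: Bearer <token>` on every later request; a missing or unknown token makes `HttpBearerAuth` respond 401 before the action runs. Serve the API over HTTPS only, since the bearer token is as sensitive as the password it replaces, and rotate it on every login so an old token stolen from a lost device stops working the next time the user signs in.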