I'm working on a tiny social media project as backend developer.
The only external library I used was FlightPHP as a routing micro framework to implement RESTful JSON API.
I decided to implement my own simple authentication system as:
1- Client sends the phone number to /send_sms and the endpoint generates a random 6-digit code, sends the code via SMS and stores the code into a specific column in the database.
2- Client sends the phone number along with the received code to /authenticate and if the phone number and code match in the database, a long random hash is sent back as a bearer_token. The generated bearer_token is stored into a specific column in the database and overrides the previous one (if any).
3- Client starts interacting with common endpoints such as /timeline provided that it supplies "Auth: bearer_token" as an HTTP header along with the request. These endpoints will look up the bearer_token in the database and match it with the phone number. If successful, the rest of the endpoint's job will be executed.
Is there any great pitfall in my design?
I have implemented the design via flat PHP; is there any external library to ease or secure the implementation? I have heard about OAuth, is it something I need?
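The three-step flow described in the question, as an added example that is not the asker's code: plain PHP with an in-memory SQLite table standing in for the users table, so it runs from the CLI without FlightPHP or an SMS gateway. Beyond what the description says, it hashes the stored code and token (so a database read does not hand out live credentials), gives the code a five-minute expiry and an attempt limit, makes the code single use, and compares in constant time. The PEPPER constant, the column names and the phone number are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Server-side secret keying the code hashes (assumed; load it from config, not source).
const PEPPER = 'replace-with-a-long-random-secret';
const CODE_TTL = 300;     // seconds an SMS code stays valid
const MAX_ATTEMPTS = 5;   // wrong codes tolerated before a fresh /send_sms is required

// In-memory SQLite stands in for the real users table (assumed schema).
function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE users (
            phone TEXT PRIMARY KEY,
            code_hash TEXT, code_expires INTEGER, code_attempts INTEGER DEFAULT 0,
            token_hash TEXT)');
    }
    return $pdo;
}

// Keyed hash: a 6-digit space is trivial to brute force offline without the pepper.
function code_hash(string $code): string {
    return hash_hmac('sha256', $code, PEPPER);
}

// Step 1: /send_sms. The code is returned here only so the example runs offline;
// a real deployment hands it to the SMS gateway and never returns it to the client.
function send_sms(string $phone): string {
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $pdo = db();
    $pdo->prepare('INSERT OR IGNORE INTO users (phone) VALUES (?)')->execute([$phone]);
    $pdo->prepare('UPDATE users SET code_hash = ?, code_expires = ?, code_attempts = 0 WHERE phone = ?')
        ->execute([code_hash($code), time() + CODE_TTL, $phone]);
    return $code;
}

// Step 2: /authenticate. Returns the bearer token on success, null otherwise.
function authenticate(string $phone, string $code): ?string {
    $pdo = db();
    $st = $pdo->prepare('SELECT code_hash, code_expires, code_attempts FROM users WHERE phone = ?');
    $st->execute([$phone]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['code_hash'] === null) {
        return null; // unknown phone, or code already consumed
    }
    if (time() > (int) $row['code_expires'] || (int) $row['code_attempts'] >= MAX_ATTEMPTS) {
        return null; // expired or locked: client must request a new code
    }
    if (!hash_equals($row['code_hash'], code_hash($code))) {
        $pdo->prepare('UPDATE users SET code_attempts = code_attempts + 1 WHERE phone = ?')->execute([$phone]);
        return null;
    }
    // Success: issue a 256-bit token, store only its hash, and consume the code.
    $token = bin2hex(random_bytes(32));
    $pdo->prepare('UPDATE users SET token_hash = ?, code_hash = NULL, code_expires = NULL,
                   code_attempts = 0 WHERE phone = ?')
        ->execute([hash('sha256', $token), $phone]);
    return $token;
}

// Step 3: resolve the "Auth" header value on every protected endpoint.
function phone_for_token(string $token): ?string {
    $st = db()->prepare('SELECT phone FROM users WHERE token_hash = ?');
    $st->execute([hash('sha256', $token)]);
    $phone = $st->fetchColumn();
    return $phone === false ? null : (string) $phone;
}

// Walkthrough with a constructed phone number; SMS delivery is simulated by reusing the returned code.
$phone = '+15555550100';
$code  = send_sms($phone);
$wrong = $code === '000000' ? '000001' : '000000';
assert(authenticate($phone, $wrong) === null);          // wrong code is rejected and counted
$token = authenticate($phone, $code);
assert($token !== null && phone_for_token($token) === $phone);
assert(authenticate($phone, $code) === null);           // code is single use
assert(phone_for_token('not-a-real-token') === null);
echo "ok\n";
```

In a FlightPHP app these three functions sit behind `Flight::route('POST /send_sms', ...)`, `Flight::route('POST /authenticate', ...)` and a check of the Auth header at the top of each protected route; only the hashes ever reach the database, so the token in the header is the one secret the client holds. Rate limiting of /send_sms per phone number and per source address is left out here and would be the next thing to add.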