A simple token authentication / custom JSON api enabling plugin.
Clone this repo into craft/plugins/tokenauth
.
public/index.php
needs
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Headers: Authorization");
at the top. // TODO: make it so only API files need this
Apache users also need to add the following to their public/.htaccess
file
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
because Apache currently removes the header if it's not base46 encoded username:password.
{% requireJwt %}
Template requires a valid JWT token (sent as the Authorization header Authorization: Bearer [jwt]
) to access / use.
{% tokenAuthLogin %}
Turn template into a login point. POSTing a loginName
and password
will return a JWT, or error if one occurs.
Attempting to access the template via non-POST means will result in a 400 error.
Ideally you'll want your login route SSL'd as (at the moment) you have to send the password as plain text.
{% tokenAuthPost %}
Catch-all POST request handler. Routes requests according to their specified action (act
in the post request).
Will throw a 400 error if not accessed via POST. Requires a valid JWT in the Authorization header.
You can use the same forms as you would on the front-end of a Craft site, except you'll need to switch out the action
input for ```act``.
{% returnJson %}
Sets the Content-Type header to application/json.
{% requireJwt %}
{% returnJson %}
{% set data = {'tokenValid':'true'} %}
{{ data|json_encode()|raw }}
- Make it just generally less shit.
- Test with CORS / CSRF (currently only tested with CSRF disabled)