Securing Symfony RESTful API consumed by angular front?


I have set up a Symfony based API which is being used by an Angular front end which is totally dependent on it (user registration included).

I have read multiple threads recommending using WSSE or FOSOAuthServerBundle, but I'm not sure about the best method?

If I understood correctly, WSSE has to send X-WSSE headers with each API request, which makes me think it is not the best suited for performance.

About FOSOAuthServerBundle, I have never used it and it looks a bit complicated to me compared to WSSE, which is why I'm asking here before trying to implement it.

I have 2 simple groups of users (basic and admin). What would be the best way to secure my API, additionally providing an easy way to keep user persistence (I mean access across the different pages)?

How should it be done on the Angular front side?

Thanks for your help.

Refs: http://blog.tankist.de/blog/2013/07/16/oauth2-explained-part-1-principles-and-terminology/

http://obtao.com/blog/2013/06/configure-wsse-on-symfony-with-fosrestbundle/

There is 1 answer

Bart Van Remortele On BEST ANSWER

It all depends on what your requirements are.

First of all, OAuth 2 is an authentication mechanism/spec which you can use in combination with sessions/bearer tokens/... This also applies to local accounts (since you want to do user registration).

FOSOAuthServerBundle is a bundle to implement the server side of the OAuth2 specification. This basically means you can expose your OAuth2 side of the API to other applications and allow them to use your accounts to authenticate. Think Google login, Twitter login, etc., but for your own app.

This all has nothing to do with the way you validate / authorize your requests after the initial login has taken place.

Do you want to implement stateless authentication? Then I would recommend using the new JSON Web Token (JWT) specification.

See Symfony Bundle (LexikJWTAuthenticationBundle) and JWT description (JWT.io)

There are many resources on it from the Angular side of things, and the API part is pretty straightforward.

WSSE does not seem suited to implementation in a RESTful API, and I have no experience using/implementing it, so I cannot comment on it too much.