Authenticate with OAuth (7:26) with Alena Holligan
We're going to set up token-based authentication for our application. The application asks the user to share specific GitHub information with it. When the user grants permission, GitHub issues the application an access token, which we keep in the user's session. This will allow users to connect their GitHub account to our application.
MAKE SURE that the $appUrl does NOT end with a slash: the code appends "/inc/authenticate.php" to it, and the result must match the authorization callback URL registered with GitHub exactly.
More About Sessions
Sessions are a way to make data accessible across your entire website. By default PHP stores each session as a file in a temporary directory on your website's web server. This data is available to all pages on the site during that visit.
When a session is started, the following things happen:
PHP first creates a unique identifier for that particular session: an unpredictable random string, 32 characters long by default, such as 4j7foj34c3jc373hjkop2fc937e3253.
A cookie called PHPSESSID is automatically sent to the user's browser to store that unique session identifier.
A file is automatically created on the server in the designated temporary directory, named after the unique identifier prefixed by sess_, i.e. sess_4j7foj34c3jc373hjkop2fc937e3253.
When a PHP script reads a session variable, PHP takes the identifier from the PHPSESSID cookie and loads the file of that name from its temporary directory. That cookie value is the only thing linking the browser to the stored data; PHP checks nothing else. The identifier therefore has to be unpredictable and kept secret (send the cookie over HTTPS only and mark it HttpOnly), and session.use_strict_mode should be enabled so that PHP refuses identifiers it did not issue itself.
Closing the browser ends the visit only on the user's side: the PHPSESSID cookie has no expiry date, so the browser discards it. The server-side file remains until PHP's garbage collection removes it, once the session has been idle for longer than session.gc_maxlifetime (1440 seconds, i.e. 24 minutes, by default; 30 minutes is a common custom value).
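The mechanics described in the notes above, as an added example that is not part of the course: it starts a session with the cookie flags and strict-mode setting a hardened site uses, shows where the sess_ file for the current identifier lives, and regenerates the identifier at the point where a login raises the user's privileges. The function names are mine; it assumes PHP 7.3 or later, the default files session handler and a site served over HTTPS.

```php
<?php
// Added example (not from the course): start a PHP session the way the notes
// above describe, with the cookie and ID settings a hardened deployment uses.
// Assumes PHP 7.3+ (array form of session_set_cookie_params) and an HTTPS site.

// Reject identifiers the client made up; only accept ones PHP issued. Without
// this an attacker can plant a session ID in the victim's browser in advance
// (session fixation) and share the session once the victim logs in.
ini_set('session.use_strict_mode', '1');
// Never read the identifier from the URL, only from the PHPSESSID cookie.
ini_set('session.use_only_cookies', '1');

session_set_cookie_params([
    'lifetime' => 0,        // 0 = browser discards the cookie when it closes
    'path'     => '/',
    'secure'   => true,     // cookie travels over HTTPS only (assumption: HTTPS site)
    'httponly' => true,     // not readable by JavaScript, limits the impact of XSS
    'samesite' => 'Lax',    // not sent on cross-site POST requests
]);

session_start();

/** The identifier PHP generated, or read back from PHPSESSID on later requests. */
function currentSessionId(): string
{
    return session_id();
}

/** Path of the server-side file holding this session's data (files handler). */
function sessionFilePath(): string
{
    $dir = session_save_path();
    if ($dir === '') {              // empty means PHP falls back to the system temp dir
        $dir = sys_get_temp_dir();
    }
    return rtrim($dir, '/\\') . '/sess_' . session_id();
}

/**
 * Call whenever the user's privilege level changes (for example right after an
 * OAuth login succeeds): a new identifier is issued and the old sess_ file is
 * deleted, so an ID captured or planted before login no longer reaches the
 * authenticated session.
 */
function onPrivilegeChange(): void
{
    session_regenerate_id(true);
}

$_SESSION['visited_at'] = time();

printf("session id:        %s\n", currentSessionId());
printf("server-side file:  %s\n", sessionFilePath());
// Closing the browser only drops the cookie; the file stays until garbage
// collection removes it after it has been idle for session.gc_maxlifetime seconds.
printf("gc_maxlifetime:    %d seconds (PHP default 1440 = 24 minutes)\n",
       (int) ini_get('session.gc_maxlifetime'));
```

Run it from the command line or a browser twice: the first run creates the sess_ file, the second finds the same identifier because the cookie (or, on the CLI, a fresh one) is presented again. If session.save_path is configured with a directory-depth prefix such as "2;/var/lib/php/sessions", the path helper above would need to parse that prefix; it handles only the plain form.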
Why would I want a GitHub account?
Because GitHub is the social network of developers. Having started as a developer’s collaborative platform, GitHub is now the largest online storage space of collaborative works that exists in the world. It's the place where you will start contributing to open source, sharing projects and allowing others to see your work. If you are looking to build a career as a developer, GitHub can be an extremely important resource.
What happens if a user does NOT grant permission to share data?
They can either choose the back button or "Visit application's website", which takes them to the $appUrl you entered. A user who does not grant permission only has access to the home page. We could allow users who are not authenticated to search and view repositories without the ability to watch/unwatch.
Removing the Token
The token is stored in session storage. If you need to remove the token for any reason (for example on logout), you can drop it with Login::dropToken() or $login->dropToken(). This only forgets the token on our side; it does not revoke the authorization at GitHub, which the user can do from their GitHub account settings.
Video Transcript
We're going to be setting up token-based authentication for our application. 0:00
This will allow users to connect their GitHub account. 0:04
We need to provide authentication so that a user can watch and unwatch repos. 0:07
The first step is to authorize our application with GitHub. 0:13
To do this, you'll need a GitHub account and the application's URL. 0:16
If you don't have a GitHub account, make sure you register now. 0:21
To get the application's URL, we'll preview our site in a browser and 0:25
pull the URL associated with that workspace. 0:30
Copy the URL and open GitHub. 0:33
Go to Settings, then Developer settings, OAuth applications. 0:37
Register a new application. 0:44
For the homepage URL, paste in the URL from the workspace, making sure 0:46
that it starts with http and does not end with a forward slash. 0:52
Then in the authorization callback URL, 0:57
we'll use the same URL followed by inc/authenticate.php. 1:02
You can use whatever you want in the application name. 1:10
After registering your application, you'll be given a client ID and 1:20
client secret that we'll be using for our application. 1:23
Let's go back to Workspaces and create our authenticate file. 1:27
New folder inc and a new file authenticate.php. 1:36
We start by requiring our autoload file. 1:48
We're going to be using this authenticate file as both a standalone and 1:50
an include file. 1:54
So we use require_once. 1:55
We're going to store our token in a session. 2:06
So, we need to start a session. 2:09
Then we need three pieces of information to connect our app to GitHub. 2:13
The appUrl. 2:18
Which is the same workspace URL we pasted into GitHub. 2:23
The clientId, and the clientSecret. 2:30
These are the pieces of information we've received from GitHub. 2:39
Now we can set up the objects that we'll need. 2:55
We'll start with config. 2:59
OAuth\Configuration. 3:07
And we'll pass the clientId and the clientSecret. 3:11
We also pass the array of permissions that we need. 3:18
User and repo. 3:24
Next, we set up storage to use session storage. 3:28
Then we can add the login. 3:41
We pass the config and the storage. 3:54
And finally we can add the API object. 4:00
Now we can use those objects to get and set a token. 4:10
If login hasToken, 4:15
then the token will equal login getToken. 4:22
And then we can add that to our API. 4:31
setToken equal to token. 4:34
Else, we're going to direct the user to authenticate with GitHub. 4:42
From there they'll be redirected directly to this script. 4:46
We'll use a GET variable to know which point in the transaction we are at and 4:50
to know which page to show them after they authenticate. 4:54
If isset GET redirect. 5:00
At this point we're ready to obtain the token. 5:10
Login obtainToken. 5:15
And we'll get a code. 5:21
And a state, that GitHub passes. 5:27
Else. 5:51
We need to ask permissions. 5:53
Login. 5:56
askPermissions. 5:58
We pass the appUrl/inc/authenticate.php and 6:03
then the redirect. 6:10
We want to redirect to the page that they were on before they were asked to 6:16
authenticate. 6:20
We do this using $_SERVER['REQUEST_URI']. 6:22
Let's add this file to our search page. 6:37
We also need to remove the API initialization since our authenticate file 6:51
is handling that now. 6:55
We're ready to give this a try in the browser. 6:59
We're asked to authorize the application to connect to GitHub. 7:08
Once we approve the authorization, we're redirected to our application. 7:15
Great. 7:20
Now we can add our final feature that requires permission from the user. 7:21
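The inc/authenticate.php the video walks through, assembled as an added example rather than the course's own download file, with two hardening steps the video does not cover: the redirect parameter is constrained to a same-site path before it is placed in a Location header, and the session ID is regenerated once a token has been obtained. The class and method names follow the video's description and the milo/github-api library they correspond to (the page does not name the package; that mapping, and the library's behaviour of throwing on a state mismatch, are my assumptions). The $appUrl, $clientId and $clientSecret values are placeholders, and safeRedirectPath() is a helper written here.

```php
<?php
// inc/authenticate.php -- added example, not the course's own file.
// Used both as the OAuth callback (GitHub redirects here) and as an include
// from pages such as search.php, hence require_once.
require_once __DIR__ . '/../vendor/autoload.php';

use Milo\Github\OAuth\Configuration;
use Milo\Github\OAuth\Login;
use Milo\Github\Storages\SessionStorage;
use Milo\Github\Api;

session_start();

// Placeholders (assumption): real values come from the GitHub OAuth app registration.
$appUrl       = 'https://example.test';  // must NOT end with a slash: '/inc/...' is appended below
$clientId     = 'CLIENT_ID';
$clientSecret = 'CLIENT_SECRET';

$config  = new Configuration($clientId, $clientSecret, ['user', 'repo']);  // scopes
$storage = new SessionStorage;          // token (and the OAuth state) live in $_SESSION
$login   = new Login($config, $storage);
$api     = new Api;

/**
 * Helper written for this example: accept only a same-site path for the
 * post-login redirect. A value with a scheme or host ("//evil.example",
 * "https://evil.example"), a backslash, or control characters is replaced
 * by "/", which closes the open redirect that passing $_GET['redirect']
 * straight into a Location header would create.
 */
function safeRedirectPath(?string $candidate): string
{
    if ($candidate === null || $candidate === '') {
        return '/';
    }
    // Exactly one leading slash, no second slash or backslash, no CR/LF/NUL.
    if (!preg_match('#^/(?![/\\\\])[^\r\n\0]*\z#', $candidate)) {
        return '/';
    }
    // Defence in depth: a parsed URL must carry neither scheme nor host.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return '/';
    }
    return $candidate;
}

if ($login->hasToken()) {
    // Returning user: the token is already in the session.
    $api->setToken($login->getToken());
} elseif (isset($_GET['redirect'])) {
    // Second leg: GitHub sent the user back with ?code=...&state=...&redirect=...
    if (!isset($_GET['code'], $_GET['state'])) {
        http_response_code(400);
        exit('Missing code or state from GitHub.');
    }
    try {
        // The library compares state with the value it stored when it sent the
        // user to GitHub (assumption from its documentation), so a forged callback
        // fails here instead of binding an attacker's authorization to this session.
        $token = $login->obtainToken($_GET['code'], $_GET['state']);
    } catch (\Throwable $e) {
        http_response_code(403);
        exit('GitHub login failed.');
    }
    // Privilege level changed: issue a new session ID so an ID captured or
    // planted before login no longer reaches the authenticated session.
    session_regenerate_id(true);
    header('Location: ' . $appUrl . safeRedirectPath($_GET['redirect']), true, 303);
    exit;
} else {
    // First leg: send the user to GitHub. The callback must match the registered
    // authorization callback URL (same host and path; GitHub tolerates extra query
    // parameters), so the page the user came from travels in ?redirect=.
    $back = safeRedirectPath($_SERVER['REQUEST_URI'] ?? '/');
    $login->askPermissions($appUrl . '/inc/authenticate.php?redirect=' . rawurlencode($back));
    exit; // askPermissions() redirects and ends the script; exit in case it returns
}
```

When search.php includes this file and the user already holds a token, execution falls through with $api ready to use; otherwise the user is bounced to GitHub and lands back on the page recorded in redirect. Test the helper with a redirect value of "//attacker.example" or "https://attacker.example": both collapse to "/", while "/search?q=php" passes through unchanged.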