Share My Creation User Login + MySQL PHP API

Web API

Updates:
For B4J API Server and cross platform client apps, please check [B4X] User Login App + [B4J] MySQL API Server (Key + Token) https://www.b4x.com/android/forum/threads/b4x-user-login-app-b4j-mysql-api-server-key-token.126081/

Android App

This is the 3rd version of login example I share in this forum.

The first version I shared when I started learning B4A is just a very simple login app.
Http Login example using HttpUtils2

Later, I have shared a tutorial in Code Snippet title:
Register User example using OKHttpUtils2

Both of the samples I shared are using very simple PHP with mysql_query function. I have later updated the 2nd sample with mysqli since mysql functions are deprecated in PHP.

Recently I am thinking to update the sample project with what I have learned in this few years. I have seen some members here are still using mysqli but I want to introduce the use of PDO in PHP. The sample I shared here is just intended for learning purpose. Anyone are welcome to extend it to become a production ready and more powerful app. For example, In my real app, I have a function to upload profile photo. I remove the feature to leave it to members here to find out how to do it. The answer is in this forum and the Internet.

In my previous code snippet, I use 6 digit security code but in this latest version, I have used a 32 characters MD5 string for the code in email confirmation.

The PHP app I share here is a cut down version of PHP backend I use in production. It is based on MVC concept where it provides a web application front-end and includes php session and some other security. I think I don't need to share much on the "View" part of the MVC. I just modified it to become the "API" to consume by the B4A app. However, I use the View part to show a documentation on how to use the API as you can see in the screenshots. For the "Model" part, I only include "User" and "Password". It is easy to extend to more models. For example, I could have add "Driver" and "Order" model for the e-hailing app or "Student" and "Courses" models to my e-learning app.

 

[aeric]

In the app the password should first be hashed + salt, then sent to the api and then hashed + salt again.

Yes, this is what I normally do but I don't want to make this "starter" project to be more complex at this point.
I want this app easy to get started by beginner and easy to extend more features.

You mean the e-mail confirmation?

Yes, I think this part is not necessary at some point.
The reason I include this feature is explain next.

---

This is the 3rd version of login example I share in this forum.

The first version I shared when I started learning B4A is just a very simple login app.
Http Login example using HttpUtils2

Later, I have shared a tutorial in Code Snippet title:
Register User example using OKHttpUtils2

Both of the samples I shared are using very simple PHP with mysql_query function. I have later updated the 2nd sample with mysqli since mysql functions are deprecated in PHP.

Recently I am thinking to update the sample project with what I have learned in this few years. I have seen some members here are still using mysqli but I want to introduce the use of PDO in PHP. The sample I shared here is just intended for learning purpose. Anyone are welcome to extend it to become a production ready and more powerful app. For example, In my real app, I have a function to upload profile photo. I remove the feature to leave it to members here to find out how to do it. The answer is in this forum and the Internet.

This tutorial is quite outdated. I am planning to upload a new one with a more advanced yet simple php backend web api.

In my previous code snippet, I use 6 digit security code but in this latest version, I have used a 32 characters MD5 string for the code in email confirmation.

The PHP app I share here is a cut down version of PHP backend I use in production. It is based on MVC concept where it provides a web application front-end and includes php session and some other security. I think I don't need to share much on the "View" part of the MVC. I just modified it to become the "API" to consume by the B4A app. However, I use the View part to show a documentation on how to use the API as you can see in the screenshots. For the "Model" part, I only include "User" and "Password". It is easy to extend to more models. For example, I could have add "Driver" and "Order" model for the e-hailing app or "Student" and "Courses" models to my e-learning app.

 

[TILogistic]

In the future, I could add a framework.

Example:

Laravel
Slim
Lumen
Symfony.
Leaf
Etc....

I have seen forum members who already use a known framework.

regards,

 

[aeric]

Example:

Data Transfer between B4X and WEB API.

Also transfer of images in Base64 format.

NOTE:
The valid time of the token is one day (24 hours)

To show this example

Regards.

How do you implement it? Do you use Cron job?

 

[aeric]

¿What?

transfer of images in Base64 format.

or

The valid time of the token is one day (24 hours)

The token expiry.

 

[aeric]

Okay. Wait for your sharing.

All the example I posted was using Slim framework with token.

 

[OliverA]

The token expiry

The following book http://shop.oreilly.com/product/9781565925670.do
has a really good implementation of a ticket/token system. I know, it’s Perl, but the book explains the mechanism well enough that it could/can be implemented in other languages. You’ll start noticing the similarities to JSON Web Tokens, except this was written way before then. I know it’s a book that costs money, but it often can be found cheaply as a used book

 

[aeric]

I'm going to look for the backups and and I send it to you

Delete the example when I saw you were on the same target.

You can share your version. Different people have different way to implement similar solutions.

 

[Biswajit]

I usually use Laravel for creating backend and REST API. It has inbuilt API throttling mechanism, password hashing, CORS, AES encryption, auto pagination and so many functionalities. The best thing I like is Eloquent ORM. And one of the best thing about Eloquent is that if you setup db models correctly then it will auto fetch all inner linked data. For example, if you fetch a product from product table then you can access its category data, images from another table, no need to write another query for those. And its easy to add JWT authentication for login via API.

And if your API is for 2000+ concurrent users then I would recommend to use Lumen which is a micro framework of Laravel.

 

[aeric]

The following book http://shop.oreilly.com/product/9781565925670.do
has a really good implementation of a ticket/token system. I know, it’s Perl, but the book explains the mechanism well enough that it could/can be implemented in other languages. You’ll start noticing the similarities to JSON Web Tokens, except this was written way before then. I know it’s a book that costs money, but it often can be found cheaply as a used book

I have studied a bit on Perl a few years ago but it is not a friendly language to learn. PHP is still my favourite. I also found JWT not easy too. I wish I could found an easy tutorial on how to implement JWT. That’s why I created my own way for the token or authentication in my app.

 

[Biswajit]

I also found JWT not easy too. I wish I could found an easy tutorial on how to implement JWT

I have a project which has JWT authentication. I will try to clean all other stuff and post in this forum.

 

[aeric]

I usually use Laravel for creating backend and REST API. It has inbuilt API throttling mechanism, password hashing, CORS, AES encryption, auto pagination and so many functionalities. The best thing I like is Eloquent ORM. And one of the best thing about Eloquent is that if you setup db models correctly then it will auto fetch all inner linked data. For example, if you fetch a product from product table then you can access its category data, gallery images from another table, no need to write another query for those. And its easy to add JWT authentication for login via API.

And if your API is for 2000+ concurrent users then I would recommend to use Lumen which is a micro framework of Laravel.

Yes framework like Laravel is powerful and elegant. However I found it has too much overhead and encapsulated. I follow some tutorials and stuck on some where to understand how the things work. Maybe it is good for project with high concurrent users. I wish I can get such big project too.

 

[aeric]

I have a project which has JWT authentication. I will try to clean all other stuff and post in this forum.

Great. I hope I can use it in the future. Thanks!

 

[Biswajit]

My server has more than 3000 requests per second.

Data transfer between GPS devices and Server.

and I use Slim Framework.

Great. Though 3000 request per second and 3000 concurrent users are not same. A single user can hit the server more than one time per second. And apache itself cant handle that amount of request. You have to use more than one server with a load balancer.

 

[Biswajit]

3000 concurrent per second.

Users and GPS devices

On the same server.

Windows Server 2012 (IIS), PHP and MySQL

The server is tuning.

Great!

I follow some tutorials and stuck on some where to understand how the things work.

If you dont want to use JWT then you can create a event to do the same.

1. Create a login token table
2. When user is signing in, insert that user id, a random string and the timestamp into the login token table
3. Send that token to the APP.
4. On every request attach the token either in the header or send as a query string.
5. Create a mysql event
   1. set that to run at every 5 minute
   2. delete all tokens older than 1day or whatever timespan you want.
6. On every request check if the token is exist or not. If not exist inform the app to show the login screen again.

 

[aeric]

I can save the token or apikey creation date in user table and compare the time when a user login or access any data.

 

[Biswajit]

A simple csrf token and expiration:

<?php
// GENERATE THE TOKEN, ADD AN EXPIRY TIMESTAMP
session_start();
$length = 32;
$_SESSION['token'] = substr(base_convert(sha1(uniqid(mt_rand())), 16, 36), 0, $length);
// 1 hour = 60 seconds * 60 minutes = 3600
$_SESSION['token-expire'] = time() + 3600;

// THEN CHECK FOR THE EXPIRY ON REQUEST
if ($_SESSION['token']==$_POST['token']) {
  if (time() >= $_SESSION['token-expire']) {
    // EXPIRED - ASK USER TO RELOAD PAGE
  } else {
   // DO PROCESSING AS USUAL
  }
}

$_SESSION is only applicable if you are using a web browser. In REST API you need to manually reidentify the user for each request.

I can save the token or apikey creation date in user table and compare the time when a user login or access any data.

In that case the user cant login from two device. If you want to implement single device login then you can store the token in user table. But if you want the user to be able to login from multiple device then you have to store the token in another table.

 

[aeric]

$_SESSION is only applicable if you are using a web browser. In REST API you need to manually reidentify the user for each request.


In that case the user cant login from two device. If you want to implement single device login then you can store the token in user table. But if you want the user to be able to login from multiple device then you have to store the token in another table.

You mean the user will have two different tokens for two devices?

 

[Biswajit]

You mean the user will have two different tokens for two devices?

Yes. Sharing a token is not a good practice. You can also implement logout from one device or logout from all device if you use another table for token.

 

[aeric]

Yes. Sharing a token is not a good practice. Also you can implement logout from one device or logout from all device if you use another table for token.

Okay I agree. This is ideal if a user has Android and iOS app with same login credentials.

 

[Biswajit]

Okay I agree. This is ideal if a user has Android and iOS app with same login credentials.

Yes. User can either logout from android or from ios. And can also logout from all devices.