Friday, May 2, 2014

Research on API authentication methods, part II

Concrete versus the undefined

In my previous post I talked about how other frameworks more or less force you to do things a particular way.
Please bear in mind that I haven't tested the latest versions of those frameworks, mostly because I'm no longer interested at all in MVC frameworks or whatever other acronym they might be using now.
Overall, if you use them, you know that you will have to write a controller, and you will have a model that either models the information and business rules or acts as a wrapper for the database.
And finally, you have the view.
Another key concept, one that people usually forget completely when they talk about MVC frameworks, is the routing system, which is sometimes esoteric.

The one I can talk about is the Laravel 4 routing system; it offers before and after actions, but I tend to find these frameworks always too bulky.

What do I like, you might be pondering?

Microframeworks

What I use the most is Flask, though I have researched Bottle too. In those frameworks you define a function or method (it depends on how you approach it; there is no single proper way to do things, and that is what I like), and you declare which HTTP verbs it will listen to.
I guess there are microframeworks for PHP, but it's a language I'm trying to get rid of.
Don't get me wrong, I'm not a fanatic who vouches for only one single language; just see it like this: I've been using it since 2004, that is 10 years of experience.

Have I mastered it? I hardly think so. Despite the fact that I've been using it for 10 years, there are things, like the Zend API and custom extensions, that I have not had the time, reason or funding to use.

I bet they are good things to have under my belt, but I don't want to be tied to a language forever; that doesn't seem like a good thing.

Anyway, I believe that Flask provides the best option regarding usability for the developer and ease of learning.
As usual, you have a lot of extensions to add.

Authentication methods

After several months of research, usually interrupted by work and other mundane things, I managed to obtain the desired result.

We have the front end application that runs in the browser, which is made of the following:
  • backbone
  • underscore
  • requirejs
In the backend we have this for development:
  • Flask
  • Mongodb
  • PostgreSQL
How did I do the authentication?
Very simple.
HTTP Basic
After a lot of research I saw that every single one was using this; it is the most straightforward way to do it in a cross-domain environment. All my research is viewable on my GitHub page; please select the branch organization.
Knowing what works, let me first write about what I tried before settling on Basic as the solution.

I was under the impression that I was going to be able to do CORS auth and maintain a session cookie from the client side, but this proved to be a very difficult task.

CORS has been a subject that has fascinated me since I discovered it by accident. The possibility of HTTP communication across domains was something quite interesting.

The first thing I had to deal with was the cross-domain setup and the cookie. As usual, I had to be on the same subdomain, for example:

  • http://j-vazquez.com/ (Front end, backbone, underscore, requirejs)
  • http://api.j-vazquez.com/ (Flask)
But my main problem was that I could return the proper value and the Set-Cookie header, but on the domain j-vazquez.com I could never persist the authentication, because the front end never saw the Set-Cookie header.

So, that is the reason I resorted to HTTP Basic.
What I don't find elegant is that obviously I can't prompt the user for the password every time he needs to do something; this would be quite annoying for him.

My next solution was to use the local database in the browser, that is, HTML5 databases, but again, I don't like the idea of having that there, so my research ended up there. I fell back to a proven thing that works fine, and although I think I will revisit this subject multiple times, I was building my homepage and kept delaying it for some reason, so now I do the auth from the backend as I have always done it, but I still use the backbone/underscore solution that is served by Flask.
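As an added example (not code from this post or from the author's repository), here is a small stdlib-only Python model of the two pieces described above: validating an Authorization: Basic header on the API side, and the CORS response headers a credentialed cross-origin request needs. A browser only keeps cookies or sends the Authorization header across origins when the XHR sets withCredentials and the response echoes one exact origin with Access-Control-Allow-Credentials: true (a wildcard origin is refused), which is one common reason a Set-Cookie from the API subdomain never takes effect on the front end. The user store, realm and allowed origin are constructed values.

```python
import base64
import hmac

# Constructed credential store; a real deployment stores salted password hashes.
USERS = {"alice": "s3cret"}
# Assumed front-end origin (as in the post). Credentialed CORS needs this exact
# origin echoed back, never "*", and the browser XHR must set withCredentials.
ALLOWED_ORIGIN = "http://j-vazquez.com"

def encode_basic(user, password):
    # Client side: the value the front end puts in the Authorization header.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(auth_header):
    """Return (user, password) from an Authorization header, or None if malformed."""
    if not auth_header:
        return None
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def credentials_valid(user, password):
    # Constant-time compare, done even for unknown users so timing does not leak names.
    expected = USERS.get(user, "")
    return hmac.compare_digest(expected.encode(), password.encode()) and user in USERS

def cors_headers(origin):
    """Echo the whitelisted origin only; any other origin gets no CORS headers."""
    if origin != ALLOWED_ORIGIN:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Headers": "Authorization",
        "Vary": "Origin",
    }

def handle(request_headers):
    # Model of the API endpoint: returns (status, response_headers).
    resp = cors_headers(request_headers.get("Origin", ""))
    creds = parse_basic(request_headers.get("Authorization"))
    if creds is None or not credentials_valid(*creds):
        resp["WWW-Authenticate"] = 'Basic realm="api"'
        return 401, resp
    return 200, resp
```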

Saturday, March 1, 2014

Research on API authentication methods

One of the things that interests me the most is the complete and total separation of the frontend and the backend.

There is a long explanation, and today is a bit rainy and I don't see any other plan, so I'm going to write.

The beginning

As in everything, there is a beginning, and mine was back in 2007, around August. After a frantic search to join a software company and work with software teams, I had only been in two companies in the past months, and boy, that didn't work at all. I was doing Visual Basic 6.0 or Lotus Notes. The pay was really crappy; I was a junior developer with some knowledge here and there of Visual Basic and some JavaScript, and I was teaching myself PHP, Apache httpd and GNU/Linux.

After getting really tired of working with Lotus Notes, I quit. I didn't have any other job opportunity; I just blindly quit and said, I'm going to research PHP and I'm going to get a PHP job.

Oh man, that was difficult. I had some months of experience, and back then everything was complex: I was learning how to compile the GNU/Linux kernel, learning how to compile software. Man, that was interesting, but it was really stressful. Anyway, I landed my first PHP gig, the pay was good, I was doing something I was interested in, and well, that's when we started.

We were doing custom CMS systems, and we were using custom JavaScript to make the XMLHttpRequest calls (Ajax...); we were taking our first steps with Prototype and script.aculo.us, making fancy UIs, drag and drop, Ajax pagination here and there, and guess what else?

Yeah, you are right. Custom PHP code! We didn't even learn frameworks; we wanted to, but our boss didn't want us to. He said they were stupid, and overall, technicalities aside, he didn't want us wasting time learning a framework.

Not because he was mean or didn't care, though I can't vouch for that; the thing is, when you are working in a company and they have a way of doing things, they won't stop it.

See, it is really expensive to throw away a method that works for some experimental thing.

I know what you are thinking, but if you keep on reading, you will also see my conclusion.

I'm not saying that I don't like frameworks or that cash is more important than learning proper coding techniques. I'm a developer, or programmer, or whatever you want to call me; I'm strictly interested in developing my coding skills to the fullest, though I also have to admit that I need cash to live, to code and to maintain myself. I recall reading this a long time ago in a Phrack magazine or something like that; it was something about hacking and hackers: hackers also need regular jobs to live, eat and have a family, which is something that we sometimes forget... Anyway, back to my idea.

I've got a couple of years of experience under my belt to consider myself just a tad good. I'm not saying I'm the best, but I don't suck either. I keep in mind that I always have to learn and study, and that the learning never stops. When that idea fades away, it means that either I'm dead or I'm no longer interested in coding or software.

So, that was the 21 year old me, coding and wanting to learn "frameworks".
Oh boy, I recall the first one I picked was Zend Framework.
I read it, and read it some more, and read the docs, and I promptly switched to something less complex. I went to CodeIgniter, but I was like, ehh, this blows. I went to PHP on TRAX, because there was some stuff called Rails or something like that, and this was the same. I spent a good time learning a couple of the frameworks, until I had to change my job again.
Keep in mind that at this point I only had a brief idea of what a framework was and what classes were.

I took a course on design patterns, started to read about design patterns and the GoF, and I was brutally excited about the idea of frameworks.

My first job with a custom framework

Anyway, I was about to turn 22 and I joined a multinational company that was using a custom framework. And oh boy, I was thrilled. They were using a custom framework, so they were doing things right, and using a custom framework was good, because when you are young and you get influenced that X is good because X is used by many people and that's the way things should be, then they must be right.
Well, my excitement lasted less than a few months.
See, coding a custom framework (and please keep in mind that this is just an opinion article, not a white paper) is the most brutally stupid idea that you can have.

And here is my opinion, based on my experience in companies.
Unless you kidnap the developers that wrote the framework, when they leave you will have different people maintaining whatever the heck they did. And here is another thing that people don't see when they code their own framework: people are different. Getting the idea behind what someone is trying to do with code is sometimes really complex or impossible, and you enter a refactoring cycle that is brutal and, most of the time, impossible. That is when you start patching here and there, and by the time you think about it, you have a pile of code that is overridden everywhere, nobody knows for sure how things work, solutions take time, everybody is damn unhappy and, well, you know the rest: you work late, contracts need to be finished on time, but your team is either stupid, too slow, or has the wrong tool.

Using known frameworks

Using paid or free frameworks is always a good idea.
Here is a simple, limited synopsis of why it's a good idea:
  • Paid or free, there is a user base, and there are more chances that when you find a problem it will already have a solution.
  • Paid frameworks or solutions have technical support that you can contact to get answers (I'm not vouching for private companies or GNU/BSD solutions either way); I'm just saying, if there's cash, there is someone behind you, and if there isn't, well, you will get answers from the community, if you didn't pick something too weird. It may also mean that you have someone to yell at if things don't work like they are supposed to.
Which framework for PHP did I like? I liked Zend Framework a lot, because it didn't have a complex set of rules; it had components. I used Zend Framework for two years, but only version 1; I don't know anything at all about Zend 2 or how it is, because I no longer use it. I like Python, and I code in Python, but at my paid job I have to use Laravel 4.

Here is the real reason why I like components. After having some experience with a couple of PHP frameworks, I noticed that most of them forced the developer to do things in a particular way. Zend didn't do that at all.
They had a guide that you could follow to create controllers, views and models, or whatever you wanted to do. Zend just gave you pieces, let's say a toolbox with tools, but they didn't tell you how to use them; you are on your own. If you want to use a hammer to cut a piece of wood, you can do it; it won't be nice or look good, and it will be more difficult, but you can do it if you want to.
Other frameworks, such as Symfony, CakePHP and CodeIgniter, force you to do things in a particular way: you have to go from point A to point B.

Zend components will let you do whatever the heck you want to do, even shoot yourself in the foot.

And you may be pondering why I think this is good.

Well, here is the thing. All the frameworks dictate how things are done, and if you want to draw outside the lines, then you are wrong; you should always follow their idea of what is good and bad.

That is not how things work, and sometimes, or most of the time, I run into things where I have to fight against the framework, and usually the answer is either that the specs are wrong or that the client is wrong, because the framework doesn't allow me to do that.

I know that at this point I need something concrete. I'm going to leave that for a later article, so I keep you hooked with something.