I’m currently considering options for a project that will require a standard sales site, commerce features and a user database. The user database will require a web frontend and an API for communication with a mobile app (read and write).

My dilemma is whether it makes sense to consider Craft for all three components, which will give us all the benefits of a unified system, or to split the user database into a separate project where we could take advantage of something like Laravel Passport, which seems like the obvious option for efficiently building a secure API.

The HTTP Messages plugin looks useful but doesn’t appear to deal with authentication at all and preexisting options for Yii/Craft OAuth appear limited to nonexistent. I get the sense that Craft 3/Yii 2 would make life easier, but waiting for a stable Craft 3 release isn’t possible.

Has anyone had any experience developing a secured API on top of Craft? If so, what route did you take and would you do it again?

Dom Stubbs

1 Answer

Short answer: yes I have, I used OAuth 2 and I would absolutely do it again.

I wrote up my experience in general terms here but essentially it boiled down to two plugins, one on each site: one acting as the server and another as the client.

I used league/oauth2-server for the server and then tied in directly to the Dukt OAuth plugin for the client, but in retrospect it would’ve been simpler just using league/oauth2-client for that.

For transforming data like the Element API does I used league/fractal and then to get proper request behaviour I used zendframework/zend-diactoros.

Essentially I think this sort of thing is perfectly feasible in Craft; due to plugins being so flexible you can load whatever libraries you need and go nuts. Craft 3 could have simplified things somewhat with Yii Modules, as I’m guessing you could package up the whole API code as a module, but it shouldn’t be necessary.

Hope that helps!

Josh Angell
  • That’s great – thanks! I’ve been looking at the league/oauth2-server package so it’s a relief to hear that you had success using that with Craft. It sounds as though ‘Craft all the things’ is the way to go. – Dom Stubbs May 31 '17 at 15:35
  • @DomStubbs ha, yes I'm a massive advocate of that approach! – Josh Angell May 31 '17 at 17:35
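As an added example (not code from the question, the answer, or either poster's plugins), this is what the resource-server half of the approach above can look like as a Craft 2 plugin controller: zend-diactoros supplies the PSR-7 request, league/oauth2-server (v5+ API assumed) validates the bearer token and exposes its scopes, and a league/fractal transformer whitelists the fields the mobile app is allowed to read. The `Api_` plugin prefix, the `AccessTokenRepository` class, the `profile:read` scope and the public-key path are assumptions.

```php
<?php
namespace Craft;

use League\OAuth2\Server\ResourceServer;
use League\OAuth2\Server\Exception\OAuthServerException;
use League\Fractal\Manager;
use League\Fractal\Resource\Item;
use League\Fractal\Serializer\ArraySerializer;
use League\Fractal\TransformerAbstract;
use Zend\Diactoros\Response;
use Zend\Diactoros\Response\JsonResponse;
use Zend\Diactoros\Response\SapiEmitter;
use Zend\Diactoros\ServerRequestFactory;

// Fractal transformer: only these fields ever leave the API, whatever the UserModel holds.
class ApiUserTransformer extends TransformerAbstract
{
    public function transform(UserModel $user)
    {
        return ['id' => (int) $user->id, 'username' => $user->username, 'email' => $user->email];
    }
}

class Api_ProfileController extends BaseController
{
    // No Craft CP/session login required: the OAuth2 access token is the credential here.
    protected $allowAnonymous = true;

    public function actionProfile()
    {
        $request = ServerRequestFactory::fromGlobals();        // PSR-7 request from PHP globals
        $server  = new ResourceServer(new AccessTokenRepository(), // hypothetical plugin repository
                                      CRAFT_BASE_PATH . 'config/oauth-public.key');
        try {
            // Verifies the token signature, expiry and revocation; attaches oauth_* attributes.
            $request = $server->validateAuthenticatedRequest($request);
        } catch (OAuthServerException $e) {
            (new SapiEmitter())->emit($e->generateHttpResponse(new Response())); // 401 + WWW-Authenticate
            craft()->end();
        }
        // A valid token is not enough: the client must also have been granted the scope.
        if (!in_array('profile:read', $request->getAttribute('oauth_scopes', []), true)) {
            (new SapiEmitter())->emit(new JsonResponse(['error' => 'insufficient_scope'], 403));
            craft()->end();
        }
        $user    = craft()->users->getUserById($request->getAttribute('oauth_user_id'));
        $fractal = (new Manager())->setSerializer(new ArraySerializer());
        $data    = $fractal->createData(new Item($user, new ApiUserTransformer()))->toArray();
        (new SapiEmitter())->emit(new JsonResponse($data));
        craft()->end();
    }
}
```

The token is checked before any user record is loaded, and the user id comes from the validated token rather than from a request parameter, so one client cannot read another user's profile by changing an id.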