Custom API Authentication problem

PHP
1

I am trying to create an API in Codeigniter, and I want the entire API to be private. What is the best way to authenticate each request?

Is GET passing a username and password good practice… i.e. [B]http://localhost/api/admin/12345/user/get_data/1[/B]

Here is my code, but at the moment I am just hardcoding the passwords, but need to figure out a way to dynamically pass them…

  function ci_curl($new_name, $new_email)  
  {  
   $username = 'admin';  
$password = '1234';  
  
$this->load->library('curl');  
  
$this->curl->create('http://localhost/restserver/index.php/example_api/user/id/1/format/json');  
  
// Optional, delete this line if your API is open  
$this->curl->http_login($username, $password);  
  
$this->curl->post(array(  
    'name' => $new_name,  
    'email' => $new_email  
));  
  
$result = json_decode($this->curl->execute());  
  
if(isset($result->status) && $result->status == 'success')  
{  
    echo 'User has been updated.';  
}  
  
else  
{  
    echo 'Something has gone wrong';  
}  
  }
2

I wouldn’t recommend sending a username and password in the GET request, as GET parameters are too sensitive, may be cached if there are caching servers in play (which not be now, but could be added later?)

Instead, I’d opt (and have used myself) for two-legged OAuth. A good example of how you can use that is over here: http://developer.yahoo.com/blogs/ydn/posts/2010/04/a_twolegged_oauth_serverclient_example/

The advantage of OAuth is (among others) that credentials are not sent over the wire in plain sight (except for maybe the initial token request), and it’s not possible to replay requests (i.e., take a request somebody else fired earlier and fire it again).

It’s pretty much the de facto standard for APIs at this point.