[SOLVED]

REST API Calls within SAAS Application Design in PHP Runner

9/10/2021 11:23:39 AM
PHPRunner General questions
Robert author

Hello,

We have designed a SaaS application using this great article: https://xlinesoft.com/blog/2019/10/03/saas-application-design/
and are happy to report that this works very well.

However, we also have created REST API calls within our application that are authorized using API keys. When calling the APIs to get data, we have noticed that the API unfortunately does not see the session DB name attached to it in the security table, and when it tries to establish the appropriate connection for that table, the system throws a "No Database selected" message. When a regular user logs in using the login page, there is no issue. Also, the API user logs in fine. The issue is when the API user tries to get data from the specified table existing in the secondary application connection.

We think that it is either because of the timing of the firing of the AfterSuccessfulLogin event when using the API or because of the session deletion in v1.php (line 21). Either way, is there a workaround for this? Has anyone had to deal with this?

Please see the below dump for more info. I hope I have explained this correctly, and thank you in advance for any help you can provide.


admin 9/10/2021

Sounds like a good new scenario of REST API use.

As a quick solution you can either remove that session_destroy() call or move it before the login code in the source\api\v1.php file. This code was added to avoid potential quirks when people test the REST API in their browser and is not that extremely important. We will also consider making this change permanent.

// don't remember anything from a previous (browser) session
session_destroy();

// authenticate the caller by API key; reject the request if that fails
if( !API::login() ) {
    API::sendError( 'Access denied', 401 );
}
Robert author 9/10/2021

Thank you for your quick reply and your recommendations.

These are my observations:

1 - Moving the session_destroy() does not work.
2 - Removing the session_destroy() works, but with limitations:

  • The first time you call the API, you will get the same error message about "No Database selected"; however, if you call it a second time, it will work with no issues. It is as if the connection got cached on the first call, and when you call it again, the API has access to the cached connection info or previously created session info containing the value for the DB name in order to connect.

Any recommendation on a temporary fix that I could employ in order for the API call to be successful on the first go around?

Thank you

admin 9/11/2021

I'm not 100% sure why you are getting this kind of result, as to the best of my understanding it should work. Maybe you have more code there that I'm not aware of. In either case, there is a fundamental flaw in your approach. One of the REST API ideas is that it is stateless, meaning that you should not be relying on session variables.

What I think you can do is modify your custom server database connection code. Instead of relying on the $_SESSION["dbname"] variable, you should check if there is an apikey variable in the URL and pull the database name from the login table based on this apikey.
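One way to implement the stateless lookup described above, as an added example that is not part of the thread or of PHPRunner's own code. It assumes a PDO handle $securityPdo to the security (login) database, a login table named users, and columns apikey and dbname; the session value is only used for interactive logins, and an unknown key fails closed.

```php
<?php
// Added example: resolve the tenant database name per request instead of
// relying on $_SESSION["dbname"], which is empty for REST API calls.
// Assumptions (not from the thread): $securityPdo connects to the security DB,
// the login table is `users`, and it has `apikey` and `dbname` columns.

function resolveTenantDb(PDO $securityPdo, array $query, array $session): string
{
    $apikey = isset($query['apikey']) ? (string) $query['apikey'] : '';

    if ($apikey !== '') {
        // REST call: the key in the URL identifies the user and hence the tenant DB.
        // A prepared statement keeps the key value out of the SQL text.
        $stmt = $securityPdo->prepare(
            'SELECT dbname FROM users WHERE apikey = :apikey LIMIT 1'
        );
        $stmt->execute([':apikey' => $apikey]);
        $dbname = $stmt->fetchColumn();

        if ($dbname === false || $dbname === '') {
            // Unknown or revoked key: refuse rather than fall back to any session value.
            throw new RuntimeException('Access denied');
        }
        return (string) $dbname;
    }

    // Interactive login: use the name stored by the AfterSuccessfulLogin event.
    if (!empty($session['dbname'])) {
        return (string) $session['dbname'];
    }

    // Neither an API key nor a logged-in session: do not open a connection.
    throw new RuntimeException('No tenant database selected');
}

// Usage inside the custom connection code (DSN format is an assumption):
// $dbname = resolveTenantDb($securityPdo, $_GET, $_SESSION ?? []);
// $dsn = "mysql:host=localhost;dbname={$dbname};charset=utf8mb4";
```

Because the key is looked up on every call, the result no longer depends on whether session_destroy() ran before or after API::login().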

Robert author 9/11/2021

Awesome, awesome suggestion!

Now that I have the key, I can query the user table and find out what the DB is!

Thank you!