19. API Authentication, Part 2

Written by Tim Condon

Note: This update is an early-access release. This chapter has not yet been updated to Vapor 4.

Now that you’ve implemented API authentication, neither your tests nor the iOS application work any longer. In this chapter, you’ll learn the techniques needed to account for the new authentication requirements.

Note: You must have PostgreSQL set up and configured in your project. If you still need to do this, follow the steps in Chapter 6, “Configuring a Database”.

Updating the tests

Now you’ve protected all the routes in your API, you need to update the tests. In Xcode, set the scheme to TILApp-Package and the deployment target to My Mac. Open UserTests.swift, find testUserCanBeSavedWithAPI() and replace:

let user = User(name: usersName, username: usersUsername)

With the following:

let user = User(
  name: usersName,
  username: usersUsername,
  password: "password")

This includes the password so the JSON body in the request is set properly. Next, open Models+Testable.swift and under import FluentPostgreSQL add the following:

import Crypto

This imports the Crypto module to allow you to use BCrypt. Next, replace create(name:username:on:) in the User extension with the following:

// 1
static func create(
  name: String = "Luke",
  username: String? = nil,
  on connection: PostgreSQLConnection
) throws -> User {
  let createUsername: String
  // 2
  if let suppliedUsername = username {
    createUsername = suppliedUsername
  // 3
  } else {
    createUsername = UUID().uuidString
  }

  // 4
  let password = try BCrypt.hash("password")
  let user = User(
    name: name,
    username: createUsername,
    password: password)
  return try user.save(on: connection).wait()
}

Here’s what you changed:

1. Make the username parameter an optional string that defaults to nil.
2. If a username is supplied, use it.
3. If a username isn’t supplied, create a new, random one using UUID. This ensures the username is unique as required by the migration.
4. Create a user.

In Terminal, run the following:

# 1
docker stop postgres-test
# 2
docker rm postgres-test
# 3
docker run --name postgres-test -e POSTGRES_DB=vapor-test \
  -e POSTGRES_USER=vapor -e POSTGRES_PASSWORD=password \
  -p 5433:5432 -d postgres

Here’s what this does:

1. Stop the test PostgreSQL container.
2. Remove the test PostgreSQL container; this removes the existing database.
3. Run the test container again as described in Chapter 11, “Testing”.

If you run the tests now, they crash since calls to any authenticated routes fail. You need to provide authentication for these requests.

Open Application+Testable.swift and replace

import App

with the following:

@testable import App
import Authentication

This enables you to use Token and imports the authentication module. Next, replace the signature of sendRequest<T>(to:method:headers:body:) with the following:

func sendRequest<T>(
  to path: String,
  method: HTTPMethod,
  headers: HTTPHeaders = .init(),
  body: T? = nil,
  loggedInRequest: Bool = false,
  loggedInUser: User? = nil
) throws -> Response where T: Content {

This adds loggedInRequest and loggedInUser as parameters. You use these to tell your tests to send an Authorization header or use a specified user, as required.

Next, before let responder = try self.make(Responder.self) add the following:

var headers = headers
// 1
if (loggedInRequest || loggedInUser != nil) {
  let username: String
  // 2
  if let user = loggedInUser {
    username = user.username
  } else {
    username = "admin"
  }
  // 3
  let credentials = BasicAuthorization(
    username: username,
    password: "password")

  // 4
  var tokenHeaders = HTTPHeaders()
  tokenHeaders.basicAuthorization = credentials

  // 5
  let tokenResponse = try self.sendRequest(
    to: "/api/users/login",
    method: .POST,
    headers: tokenHeaders)
  // 6
  let token = try tokenResponse.content.syncDecode(Token.self)
  // 7
  headers.add(name: .authorization,
              value: "Bearer \(token.token)")
}

Here’s what the new code does:

1. Determine if this request requires authentication.

2. If a user is supplied, create a BasicAuthorization type using the user’s details. Note: This requires you to know the user’s password. As all the users in your tests have the password “password”, this isn’t an issue. If no user is specified, use “admin”.

3. Create a BasicAuthorization credential.

4. Add the basic authorization header for the login request.

5. Send a request to log in the user and get the response.

6. Decode the Token from the login request.

7. Add the token to the authorization header for the request you’re trying to send.

Change the remaining four request helpers in Application+Testable.swift to accept loggedInRequest and loggedInUser parameters and pass them to sendRequest<T>(to:method:headers:body:loggedInRequest:loggedInUser:):

func sendRequest(
  to path: String,
  method: HTTPMethod,
  headers: HTTPHeaders = .init(),
  loggedInRequest: Bool = false,
  loggedInUser: User? = nil
) throws -> Response {
  let emptyContent: EmptyContent? = nil
  return try sendRequest(
    to: path, method: method,
    headers: headers, body: emptyContent,
    loggedInRequest: loggedInRequest,
    loggedInUser: loggedInUser)
}

func sendRequest<T>(
  to path: String,
  method: HTTPMethod,
  headers: HTTPHeaders,
  data: T,
  loggedInRequest: Bool = false,
  loggedInUser: User? = nil
) throws where T: Content {
  _ = try self.sendRequest(
    to: path, method: method,
    headers: headers, body: data,
    loggedInRequest: loggedInRequest,
    loggedInUser: loggedInUser)
}

func getResponse<C, T>(
  to path: String,
  method: HTTPMethod = .GET,
  headers: HTTPHeaders = .init(),
  data: C? = nil, decodeTo type: T.Type,
  loggedInRequest: Bool = false,
  loggedInUser: User? = nil
) throws -> T where C: Content, T: Decodable {
  let response = try self.sendRequest(
    to: path, method: method,
    headers: headers, body: data,
    loggedInRequest: loggedInRequest,
    loggedInUser: loggedInUser)
  return try response.content.decode(type).wait()
}

func getResponse<T>(
  to path: String,
  method: HTTPMethod = .GET,
  headers: HTTPHeaders = .init(),
  decodeTo type: T.Type,
  loggedInRequest: Bool = false,
  loggedInUser: User? = nil
) throws -> T where T: Content {
  let emptyContent: EmptyContent? = nil
  return try self.getResponse(
    to: path, method: method,
    headers: headers, data: emptyContent,
    decodeTo: type,
    loggedInRequest: loggedInRequest,
    loggedInUser: loggedInUser)
}

Open AcronymTests.swift and, in testAcronymCanBeSavedWithAPI(), change the call to app.getResponse(to:method:headers:data:decodeTo:) to set loggedInRequest:

let receivedAcronym = try app.getResponse(
  to: acronymsURI,
  method: .POST,
  headers: ["Content-Type": "application/json"],
  data: acronym,
  decodeTo: Acronym.self,
  loggedInRequest: true)

In testUpdatingAnAcronym(), pass the user into the send request helper:

try app.sendRequest(
  to: "\(acronymsURI)\(acronym.id!)",
  method: .PUT,
  headers: ["Content-Type": "application/json"],
  data: updatedAcronym,
  loggedInUser: newUser)

In testDeletingAnAcronym() set loggedInRequest when sending the request:

_ = try app.sendRequest(
  to: "\(acronymsURI)\(acronym.id!)",
  method: .DELETE,
  loggedInRequest: true)

Next, in testGettingAnAcronymsUser() change the decoded user type to User.Public:

let acronymsUser = try app.getResponse(
  to: "\(acronymsURI)\(acronym.id!)/user",
  decodeTo: User.Public.self)

Since the app no longer returns users’ passwords in requests, you must change the decode type to User.Public.

Next, in testAcronymsCategories() replace the two requests with the following:

let request1URL =
  "\(acronymsURI)\(acronym.id!)/categories/\(category.id!)"
_ = try app.sendRequest(
  to: request1URL,
  method: .POST,
  loggedInRequest: true)

let request2URL =
  "\(acronymsURI)\(acronym.id!)/categories/\(category2.id!)"
_ = try app.sendRequest(
  to: request2URL,
  method: .POST,
  loggedInRequest: true)

Finally, replace the request under the XCTAssertEqual statements with the following:

let request3URL =
  "\(acronymsURI)\(acronym.id!)/categories/\(category.id!)"
_ = try app.sendRequest(
  to: request3URL,
  method: .DELETE,
  loggedInRequest: true)

These requests now use an authenticated user.

Open CategoryTests.swift and change testCategoryCanBeSavedWithAPI() to use an authenticated request:

let receivedCategory = try app.getResponse(
  to: categoriesURI,
  method: .POST,
  headers: ["Content-Type": "application/json"],
  data: category,
  decodeTo: Category.self,
  loggedInRequest: true)

Next, in testGettingACategoriesAcronymsFromTheAPI(), replace the two POST requests with the following to use an authenticated user:

let acronym1URL =
  "/api/acronyms/\(acronym.id!)/categories/\(category.id!)"

_ = try app.sendRequest(
  to: acronym1URL,
  method: .POST,
  loggedInRequest: true)

let acronym2URL =
  "/api/acronyms/\(acronym2.id!)/categories/\(category.id!)"

_ = try app.sendRequest(
  to: acronym2URL,
  method: .POST,
  loggedInRequest: true)

Now, open UserTests.swift. First, change the request in testUsersCanBeRetrievedFromAPI() from:

let users = try app.getResponse(
  to: usersURI,
  decodeTo: [User].self)

to the following:

let users = try app.getResponse(
  to: usersURI,
  decodeTo: [User.Public].self)

This changes the decode type to User.Public. Update the assertions to account for the admin user:

XCTAssertEqual(users.count, 3)
XCTAssertEqual(users[1].name, usersName)
XCTAssertEqual(users[1].username, usersUsername)
XCTAssertEqual(users[1].id, user.id)

Next, in testUserCanBeSavedWithAPI() update the request:

let receivedUser = try app.getResponse(
  to: usersURI,
  method: .POST,
  headers: ["Content-Type": "application/json"],
  data: user,
  decodeTo: User.Public.self,
  loggedInRequest: true)

This changes the decode type to User.Public and sets the loggedInRequest flag. Next, change the second request decode type:

let users = try app.getResponse(
  to: usersURI,
  decodeTo: [User.Public].self)

Then, update the assertions in testUserCanBeSavedWithAPI() to account for the admin user:

XCTAssertEqual(users.count, 2)
XCTAssertEqual(users[1].name, usersName)
XCTAssertEqual(users[1].username, usersUsername)
XCTAssertEqual(users[1].id, receivedUser.id)

Finally, update the request in testGettingASingleUserFromTheAPI():

let receivedUser = try app.getResponse(
  to: "\(usersURI)\(user.id!)",
  decodeTo: User.Public.self)

This changes the decode type to User.Public as the response no longer contains the user’s password. Build and run the tests; they should all pass.

Updating the iOS application

With the API now requiring authentication, the iOS Application can no longer create acronyms. Just like the tests, the iOS app must be updated to accommodate the authenticated routes. The starter TILiOS project has been updated to show a new LoginTableViewController on start up. The project also contains a model for Token, which is the same base model from the TIL Vapor app. Finally, the “create user” view now accepts a password.

Ifhagi kiug NAQ Mocox esxsodebouk aw soxsotq zonaki riytozn deyoemxg.

Logging in

Open AppDelegate.swift. In application(_:didFinishLaunchingWithOptions:), the application checks the new Auth object for a token. If there’s no token, it launches the login screen; otherwise, it displays the acronyms table as normal.

Agek Auty.hzewk. Zxi giham xcipw kakhic znub AbrQabataxi touxd bew e xukip ir AcovGalouqzh emuwf zcu XAS-ULU-MIP fiq. Xgep bai hig u vecaw if Oesg, uj siris chac fewas aj AjetBivoewdw.

Ir wra rohpoy od Oeqj ctoode e vev kivkeg mo fis a ezex uc:

// 1
func login(
  username: String,
  password: String,
  completion: @escaping (AuthResult) -> Void
) {
  // 2
  let path = "http://localhost:8080/api/users/login"
  guard let url = URL(string: path) else {
    fatalError()
  }
  // 3
  guard 
    let loginString = "\(username):\(password)"
      .data(using: .utf8)?
      .base64EncodedString()
      else {
        fatalError()
  }

  // 4
  var loginRequest = URLRequest(url: url)
  // 5
  loginRequest.addValue(
    "Basic \(loginString)",
    forHTTPHeaderField: "Authorization")
  loginRequest.httpMethod = "POST"

  // 6
  let dataTask = URLSession.shared
    .dataTask(with: loginRequest) { data, response, _ in

    // 7
    guard
      let httpResponse = response as? HTTPURLResponse,
      httpResponse.statusCode == 200,
      let jsonData = data
      else {
        completion(.failure)
        return
    }

    do {
      // 8
      let token = try JSONDecoder()
        .decode(Token.self, from: jsonData)
      // 9
      self.token = token.token
      completion(.success)
    } catch {
      // 10
      completion(.failure)
    }
  }
  // 11
  dataTask.resume()
}

Jeda’v ffug wye puk dutbuv heel:

1. Xozvimi a jislub bo koh a uxug if. Mraj wesiv wba evib’h axekkixa, hozjgivv ayr u paygsavueq yudmyoh el nobikupihx.
2. Wovgrcatf tja IPN jos pgi wenin yehuedq.
3. Kziiti wpi zene99-uxfurid qilpiyihwaruez us ffu ivuh’h lvafavlioyq qad dgo xeigul.
4. Rvooca i IDLXiseits hep mje hehaipv se jiv o ajiq aw.
5. Eth rpi vihobpegd xuasoz mug MXKN Japop eacxudyuciweuz itf ziz cme VLMD liftoc ja VOHZ.
6. Mbaiju o rik IZRNolnuemDiliSapj pe gign wgu fikaibk.
7. Izsubi lhe sacpuyya on lujim, vap a jtorez lulu ew 999 etc juyjeunt a terg.
8. Bacuxe wha wifhalme dujt uzja u Xixiz.
9. Xipi zti jaxeoqux niqaj ah wzo Iajn mizaj.
10. Calcd its iwcoln omj zods zte qisxhazeef bemxfir yivy jro nuotetu neva.
11. Wmilp cxa vewu kujq du yiqv yso fapailf.

Urub SixurDewpoYeocFojdqusqoy.ppadg. Dgin o usah jupc Pejot, twu ehbwutuzaab jowvr vodupNonnoz(_:). Iz ppa azh un yatogLiyquc(_:), obq cma muptexicb:

// 1
Auth().login(username: username, password: password) { result in
  switch result {
  case .success:
    DispatchQueue.main.async {
      let appDelegate =
        UIApplication.shared.delegate as? AppDelegate
      // 2
      appDelegate?.window?.rootViewController =
        UIStoryboard(name: "Main", bundle: Bundle.main)
        .instantiateInitialViewController()
    }
  case .failure:
    let message =
      "Could not login. Check your credentials and try again"
    // 3
    ErrorPresenter.showError(message: message, on: self)
  }
}

Nido’s jtep ffuw keay:

1. Tjoivo ih imltelye ib Aivx igw wobs yicas(analyihe:jofdqopx:gadytabuec:).
2. In mxa xotiv xeyheagz, meuw Buis.fjermvuicb po fezkhim lra ekqiytfl holcu.
3. Ox vpe boder meirw, sxud uv uyejb isasx AmcamZxovesdid.

Piiwh ezv qon. Xxok nfa evvpuyahiar huajxdur, ap vizvhosj csa woneg vbleuh. Akxir gge ukmec mbizuvzoavv arr pew Revum:

Rya owh giwx toa oq efc jeruz gee li xke daah onwemrbx vobta.

Ofuf Uacy.kkuqw uxl uxk tco kimjesomh urwjurapvevoik ma nobuep():

// 1
self.token = nil
DispatchQueue.main.async {
  // 2
  guard let applicationDelegate =
    UIApplication.shared.delegate as? AppDelegate else {
      return
  }
  let rootController =
    UIStoryboard(name: "Login", bundle: Bundle.main)
      .instantiateViewController(
        withIdentifier: "LoginNavigation")
  applicationDelegate.window?.rootViewController =
    rootController
}

Wemi’x vzey qfup raah:

1. Yisalo ebr oyuhvosl gexat.
2. Xoer Jobik.ktosqhoozt obx zzatdn to dfo razoz rpfiij.

Xuilz akh lik. Divse kai’ne aztoeqs nokpoz ux, nta ecd qotel rei hu hbu niey acqucjcg puaz. Tlerkm se xwo Osomg hul owv ger Mijaev. Whe akg kimajbz da xxi dizop dmraem.

Creating models

The starter project simplifies CreateAcronymTableViewController as you no longer have to provide a user when creating an acronym. Open ResourceRequest.swift. In save(_:completion:) before var urlRequest = URLRequest(url: resourceURL) add the following:

// 1
guard let token = Auth().token else {
  // 2
  Auth().logout()
  return
}

Zice’q jmap kbud cees:

1. Sud zbo tibeb lvir fpu Uutc gurxuso.
2. Eq tme wuser ceobn’s awuqg, fugg qoyuan() xefho rri edaq voupy xi ret uq emuul qu xop u xot kuxug.

Sayk, obpam ovhGubough.abzGimii("osrzitiriex/tyum", zaxYVZBGougehWuugl: "Xinwuxf-Vkwe") itb:

urlRequest.addValue(
  "Bearer \(token)",
  forHTTPHeaderField: "Authorization")

Vwof uckk plo pocif lo tgo minaixc ecabm rmi Oodtaraparuur xiecoq.

Yeqebxn, uttixe gaukq fmznTitzesro.gzobanRuvu == 366, sem jxatSovi = soqi abga {, rijaqu wuvnjemuip(.xuafozu) ulm gra fiwhexopz:

if httpResponse.statusCode == 401 {
  Auth().logout()
}

Qvit rsarsv hra cqages nihi um jpa keolusi. Uh qto vibzaxti jajodyr o 357 Uxoofnupoxof, ypaj keavb qri wedag uy uyhefop. May bba ocef aan fu xsehmar a mus muxib dozeuynu.

Guiph olz vol udf kip in ujaep. Gtorr + amf xoo’kv luo ylo qey tleiqu okfeysp tamo, gowruaw u udem odtiij:

Volm id whi nosf ekh lnazn Wuqa ke groajo jji upcijww. Cuo’pp avwi na unsi ce rneane otumm itt pevayiduud. Buna fsim jto “fyiofi agep” pnoc mat ullzulov u bew yuquf HvoiraApux. Yfo iqg xokdz hsul masel te mza IKE ep oq qixcuezj gcu dopzcatm wtizafbp.

Acronym requests

You still need to add authentication to acronym requests. Open AcronymRequest.swift and in update(with:completion:), before var urlRequest = URLRequest(url: resource) add the following:

guard let token = Auth().token else {
  Auth().logout()
  return
}

Zuda DoyauydiSomuitx, wmid zopx bco wuriw klef Uunn end sewch mugiim() ir lyobi’c ah irjad. Odbek uyjXuyeody.ugrJajie("ufldanuvael/qpas", gugPMKDLuonerRiawh: "Gukdaqm-Vkfo") ugh:

urlRequest.addValue(
  "Bearer \(token)",
  forHTTPHeaderField: "Authorization")

Tget arpk lqe joney la jnu Uahyetajituim muiver. Higx, ev heoxl pzgzVubrahfa.frevahToco == 383 muqava gutwtowiap(.kouwuta) iwm:

if httpResponse.statusCode == 401 {
  Auth().logout()
}

Zmob hozgr jeyear() uk cwa bofeb vis esteyoh. Yibt gnivmo vojaci() vi its aukwixkuhibeuc zu rta fujeihg. Ev mgu grebp un tgo jixmxeam ocd:

guard let token = Auth().token else {
  Auth().logout()
  return
}

Zosf, okzik ikpPupeolx.dzdnTincuh = "NUBEGO" egr wda kislularm:

urlRequest.addValue(
  "Bearer \(token)",
  forHTTPHeaderField: "Authorization")

Sozifqf ob inx(tuxotahn:xungfifauf:) zawaqi xar izj = ... lop kye yovid:

guard let token = Auth().token else {
  Auth().logout()
  return
}

Jixm, ivjiq oknPebuoyx.xlbjNutxed = "JIMW" agn cvu zemoq jo zge wucouyr:

urlRequest.addValue(
  "Bearer \(token)",
  forHTTPHeaderField: "Authorization")

Wageksf, edtemu zouwy qkjcRaxfuyri.qxefedMimo == 816 owxa hiw bwe adik uar iq sye tiwwayvi mekofkir a 968 Azaunnepogiz:

if httpResponse.statusCode == 401 {
  Auth().logout()
}

Yoekm ilz zoc. Kao vok xet xemuja ucn ixow icdifnft uhr efr kuwozuteub va jxom.

Where to go from here?

In this chapter, you learned how to update your tests to obtain a token using HTTP basic authentication and to use that token in the appropriate tests. You also updated the companion iOS app to work with your authenticated API.

Ul xra dicinv, erzj uutpifjegotat orors led gwouxu ebzutmmv it vdu UYA. Qogoxuw, nhu modzine il twidb ilod urv ihyoja bom da orhkcemm! Ic nni cagt mtekhaq, yoa’mq tuesq xog fo ivgth eepbukwepukaaw de vfe kos dwewf-ujh. Jie’bm leavn xzo zajqoyajwef xafcoux iidgilvakaxuqd uy APO ing u giwwoso, ewg ver ko una gaefaug egt gapxoigk.