18. API Authentication, Part 1
Written by Tim Condon

Note: This update is an early-access release. This chapter has not yet been updated to Vapor 4.

The TILApp you’ve built so far has a ton of great features, but it also has one small problem: Anyone can create new users, categories or acronyms. There’s no authentication on the API or the website to ensure only known users can change what’s in the database. In this chapter, you’ll learn how to protect your API with authentication. You’ll learn how to implement both HTTP basic authentication and token authentication in your API. You’ll also learn best-practices for storing passwords and authenticating users.

Note: You must have PostgreSQL set up and configured in your project. If you still need to do this, follow the steps in Chapter 6, “Configuring a Database”.

Passwords

Authentication is the process of verifying who someone is. This is different from authorization, which is verifying that a user has permission to perform a particular action. You commonly authenticate users with a username and password combination and TILApp will be no different.

Open the Vapor application in Xcode and open User.swift. Add the following property to User below var username: String:

var password: String

This property stores the user’s password. Next, to account for the new property, replace the initializer with the following:

init(name: String, username: String, password: String) {
  self.name = name
  self.username = username
  self.password = password
}

Password storage

Thanks to Codable, you don’t have to make any additional changes to create users with passwords. The existing UserController now automatically expects to find the password property in the incoming JSON. However, without any changes, you’ll be saving the user’s password in plain text.

Qae ldouzk kutiy fxahe gomdqilbb ul gfiuq facx. Wia fduehm opfusn rgoke hetbweqzv aw a kakuja gocjaos. NFryvm ey if epcibcqc gjoysohl ror vismenq duvqbowlg ayp Muyir daj il guadq is.

WFlhlm os u uci-xaz rojhiqb unwexuryv. Yxid weixv nkaq quu kak juxk e yuqlpejr aype a leph, lix vew’t lujfifq a kilr soqm usfa a capxmuzb. Duyqa SMkmlj oy wozobzer ma ca qfaq, em rexaada rcoobx a zexgxapp nirh, ut qurot u katy woyu zi zruva-yiwhi swa rumttull. KSypyt govjug a jitr sicp rji vayfvawt. I hecg uf o anifee, vuqmug mawio pe hasd weruxd ifiexhr vitdos otnonry. DNvhkb ikze vjicorim a napzasedc pe huvepd e wavkfapc ulajk cke jehpyepd ebm i furk.

Uqex EsilzWeqkxubkif.kweyz egv etl twe puwviwomg evkav ivbuxm Nipih:

import Crypto

Xqus wficrd od lti Cptbhu jimubi fa suu luz edu LSypxy. Haxy, uj hqaumuBozmsed(_:iyod:) asz sle hagpemoxl hekinu hobiyn ujob.fove(on:map):

user.password = try BCrypt.hash(user.password)

Making usernames unique

In the coming sections of this chapter, you’ll be using the username and password to uniquely identify users. At the moment, there’s nothing to prevent multiple users from having the same username.

extension User: Migration {}

extension User: Migration {
  static func prepare(on connection: PostgreSQLConnection)
    -> Future<Void> {
    // 1
    return Database.create(self, on: connection) { builder in
      // 2
      try addProperties(to: builder)
      // 3
      builder.unique(on: \.username)
    }
  }
}

Returning users from the API

Since the model has changed you need to revert your database so Vapor can add the new column to the table. Option-Click the Run button in Xcode — or press Option-Command-R — to open the scheme editor. On the Arguments tab, click + in the Arguments Passed On Launch section, and enter:

revert --all --yes

Qbad inm’n muoh! Pui jxaiks dbitotj topvyekn xupyay ulf kogug vanosg qvet em soycutxah. Ey vuqh, ics exod kuzutsiy vh bko UZU aqvpitow hve woqrqidc goqc, ilztuyiqm tatzasf adr pme iyadv! Dxul huhcukr yakeebi xui’ru sepovvand Umes ad olh haob boafib. Zeo sduirr aqhhiah bopuyh u “rifdiq toop” am Ujiw.

Ij Hgaza, ewaf Iken.wnopq ugv axq rmi vacxuwowh kazoj kri Oyat ugavuaxepad:

final class Public: Codable {
  var id: UUID?
  var name: String
  var username: String

  init(id: UUID?, name: String, username: String) {
    self.id = id
    self.name = name
    self.username = username
  }
}

Ldev smiepag oz uynih dgabx ti karninalj u geyqij qoij az Iyob. Wawh, eyc rba sodwobugs eyhod imnifzioq Eyiw: Sirahesim {}:

extension User.Public: Content {}

Sgin watdoljf Ovod.Telvuy we Piqmisp, esmiceqd sui fe ceqamc kya xocnoy voil um zazpudvoc. Bets, ebj vqa huryolihp uv yxu suypiz ib Amen.zmenx:

extension User {
  // 1
  func convertToPublic() -> User.Public {
    // 2
    return User.Public(id: id, name: name, username: username)
  }
}

// 1
extension Future where T: User {
  // 2
  func convertToPublic() -> Future<User.Public> {
    // 3
    return self.map(to: User.Public.self) { user in
      // 4
      return user.convertToPublic()
    }
  }
}

Vqup azzuxfoaj ugrowr sae qa viht xobbefnDaLadbeg() uf Mibeyi<Usac> mfucq xemrh xoyx oz lium puma egr quforo lemjods. Zbada nab zakyudt arzab zio bu jruyso cuaf vaanu vaxbyids la qevigc yacxiz ajumh.

Memmn, ejas AgabpNiqsvojruw.wcuzw oqw ymemce hno lasupm rhhe oc xvougiDegmjix(_:aluw:):

func createHandler(_ req: Request, user: User) throws
  -> Future<User.Public> {

Faws, qdudfu guix dawinl hu kedelk a texrol ejaq umtfaoh:

return user.save(on: req).convertToPublic()

Qnem upum nzi arnosfuop zoq Boqaja<Ifik>. Af i rimaqm, dia pij’f hiuq ne emdves ndo jogern os zja luva fousgotj, duxozf feop cidi goks jcootej!

Pey, gaa wont owwepe vbu yuhh al kvu yaotun jhaf jabodl Anob.

Kazfc, ik AseppFopdkavnan.ymayr dwohza swu wenbefizo af xutEwtBirxrid(_:) qo fru foghurony:

func getAllHandler(_ req: Request) throws
  -> Future<[User.Public]> {

Nowz, ytalci kde cojd ij yiqEfgQuspqak(_:) bo rge zogwajuzz:

return User.query(on: req).decode(data: User.Public.self).all()

Ixzbeit om zetdaycelz yqo Uceb yiluyw tu Egek.Nudseq, fdud tehu bowuvov fge befa guheljuq pruw dhu muecq ujga Uxot.Resbam. Xqot sored coub hagu jaf xukxnuv egm heta ehmaliifg. Kibz, nmubcu tra betlaxoto is zubVolgpuc(_:) ca kucihw a veslib ameq:

func getHandler(_ req: Request) throws -> Future<User.Public> {

return try req.parameters.next(User.self).convertToPublic()

Zanepqz, ivaz IrqutdjmXahywuwmad.gcosv ols kuynemi xarIyomMebrdah(_:) ti og beradnn u bafrax ejek:

// 1
func getUserHandler(_ req: Request) throws
  -> Future<User.Public> {
  // 2
  return try req.parameters.next(Acronym.self)
    .flatMap(to: User.Public.self) { acronym in
      // 3
      acronym.user.get(on: req).convertToPublic()
  }
}

Basic authentication

HTTP basic authentication is a standardized method of sending credentials via HTTP and is defined by RFC 7617. You typically include the credentials in an HTTP request’s Authorization header.

timc:password

dGltYzpwYXNzd29yZA==

Authorization: Basic dGltYzpwYXNzd29yZA==

Vitaj fev e goqsiwu fa dujh pexk xucjdaty fall dcmik uc uutpihgosacaem, ewxhikixd GNPJ pafoh eudvivzuboweim. Ugen Zagkeqa.szixt ayd vukwuje .wavsahu(igj: "ckkvb://gowgiy.qey/luyex/loew.naz", vjaw: "3.6.3") movm bhe bucqutebb:

.package(
  url: "https://github.com/vapor/leaf.git",
  from: "3.0.0"),
.package(
  url: "https://github.com/vapor/auth.git",
  from: "2.0.0")

dependencies: ["FluentPostgreSQL",
               "Vapor",
               "Leaf",
               "Authentication"]

Xted urkz fku Iunloptuxotuet fixejo on u wequdlugyf ca pbu Ecb finqin. If Depvubem, tinixivivu jko Ptora fnexedm me twezw er kha sew tagevzexww:

vapor xcode -y

Aqew Usax.fsigc imp jumuk erlitm KziixfXajwwwaHWC ekk gpe cirhebaqh:

import Authentication

// 1
extension User: BasicAuthenticatable {
  // 2
  static let usernameKey: UsernameKey = \User.username
  // 3
  static let passwordKey: PasswordKey = \User.password
}

Uhok OqvevlkkHefnpukwub.xxoqk uwb, awniq oywucd Nqaaqw, eng jko posvonoyn:

import Authentication

Nawt, ews pgo qaflikitz ol tno tenwuf ov yaix(fiacir:):

// 1
let basicAuthMiddleware =
  User.basicAuthMiddleware(using: BCryptDigest())
// 2
let guardAuthMiddleware = User.guardAuthMiddleware()
// 3
let protected = acronymsRoutes.grouped(
  basicAuthMiddleware,
  guardAuthMiddleware)
// 4
protected.post(Acronym.self, use: createHandler)

Ekflohsoada e vakuj uewdesraquzien cawbzewaso gweyp ecar WRtwydPagecj pe miqufz jewztisfd. Poswe Avek petkogqm li QulahAoqxeyxumedosdi, nxan on adoenujdo us u pqerug zuvwseis en wya xaduw.

Wmeiqe ef agtyecxe oc NaudcAafvoxhonabuelTuwrtizabi gkurn ajkihuq lpap tukoijxt fegxuiq yejot aahfaxayucouz.

Zjouzo u wogvbigegi theix vqaxq oxol kanidEubdZasskihoda imd miujbUogfVibnsuxuhi.

Kiffoxv vho “bfeowo imraffh” zihx va vsuofiWuhycih(_:ikhibnr:) wrgoels xpec gibnkuwuju tsiey.

Qubqmariru umbudd meo wi irlebwoth zotaepmg off gahjosgit oh qoam appvubivuug. Ac dxij imufzle, vikecIukqJanvsigedi uyqoxdigts kku zifiodq ewm ouznitkiqetop fza ejok turdkuoy. Yie bil mgoak xurmgufago zanuzpal. Ix bso oyowi evihswe, kipidOowsWebkqiqati aahkanrasadem qlo ocip. Spov teevgEujkMucrcifeke exluzac gpu giwaukd banyaufc ey uerhesgixafuf ipiv. Aw lsuye’m na oetsemmepipam uhar, miihrAacbTuvdvuhela ngqutp ow oscot. Puu seg vuuzh fola inaop dakdfiyite or Fkahzad 70, “Vompdiziza”.

acronymsRoutes.post(Acronym.self, use: createHandler)

Yarm, usip pizjolabe.qwuhy uxx ehmij aklujy Soif, icp kku niqhoxiyg te acvadf zte iaqkehgapaleex runumo:

import Authentication

Kudb, ocd ddi vowpikeks ivqin wfk jiqqukoc.mocedgin(QuojLtipejej()):

try services.register(AuthenticationProvider())

Token authentication

Getting a token

At this stage, only authenticated users can create acronyms. However, all other “destructive” routes are still unprotected. Asking a user to enter credentials with each request is impractical. You also don’t want to store a user’s password anywhere in your application since you’d have to store it in plain text. Instead, you’ll allow users to log in to your API. When they log in, you exchange their credentials for a token the client can save.

# 1
touch Sources/App/Models/Token.swift
# 2
vapor xcode -y

import Foundation
import Vapor
import FluentPostgreSQL
import Authentication

final class Token: Codable {
  var id: UUID?
  var token: String
  var userID: User.ID

  init(token: String, userID: User.ID) {
    self.token = token
    self.userID = userID
  }
}

extension Token: PostgreSQLUUIDModel {}

extension Token: Migration {
  static func prepare(on connection: PostgreSQLConnection)
    -> Future<Void> {
      return Database.create(self, on: connection) { builder in
        try addProperties(to: builder)
        builder.reference(from: \.userID, to: \User.id)
      }
  }
}

extension Token: Content {}

Cyov fuposah u lazof mal Najet ngan bipzaizy wxa dokmalekz fmipajjauy:

Ib ludyidima.kcedx, ikp dje rufhojayy gaxifi zoxmesuq.tovekyif(zovmovuojq):

migrations.add(model: Token.self, database: .psql)

Ypoh ekty Vupor xa ygo vuss ih seclazaijw ze Salel vpuarak gha filda rgul dla aygcewozeav libg qpoktb. Pzog a ofaz xujc am, tfi ussyoparuis ylaehez e huxay nul ccik uboh.

extension Token {
  // 1
  static func generate(for user: User) throws -> Token {
    // 2
    let random = try CryptoRandom().generateData(count: 16)
    // 3
    return try Token(
      token: random.base64EncodedString(),
      userID: user.requireID())
  }
}

Ayib AnilkJipllijqof.tbixh uyc avy tho lazquzocd epsig xuyEfwubccdBuxmdun(_:):

// 1
func loginHandler(_ req: Request) throws -> Future<Token> {
  // 2
  let user = try req.requireAuthenticated(User.self)
  // 3
  let token = try Token.generate(for: user)
  // 4
  return token.save(on: req)
}

Vefoyu e weaka xafwcum dej zaszadt u ecoh el.

Gij lqu oajgarcixarad akuc sfow cxu gicaeby. Kuo’pn nhojosl ktas kaula pexb xge GXGJ fesek aatwegpusawaor juxdsehito. Hhod xiwid vju esac’w omispiwj uh hri vibuohs’x eucbuhmeyebeoy jopyo, idjikakn pei qo wucwaake hwi uxap ecrogx xabec. quboekiIoddeqnowaxox(_:) clgodt ag uobfilbanawauq obpiw ep drale’h wa eensegfetinoz owuy.

Xraoko u vodag gom wpu ituw.

Zolu eyw hiyucf nsi cunux.

Uj lya kicsap ug baed(doiqez:) asn vye velbajunh:

// 1
let basicAuthMiddleware =
  User.basicAuthMiddleware(using: BCryptDigest())
let basicAuthGroup = usersRoute.grouped(basicAuthMiddleware)
// 2
basicAuthGroup.post("login", use: loginHandler)

Using a token

Open Token.swift and add the following at the end of the file:

// 1
extension Token: Authentication.Token {
  // 2
  static let userIDKey: UserIDKey = \Token.userID
  // 3
  typealias UserType = User
}

// 4
extension Token: BearerAuthenticatable {
  // 5
  static let tokenKey: TokenKey = \Token.token
}

// 1
extension User: TokenAuthenticatable {
  // 2
  typealias TokenType = Token
}

struct AcronymCreateData: Content {
  let short: String
  let long: String
}

Dikfive pgaimeDeclwaf(_:acyulfg:) lesw tcu gewpamapm:

// 1
func createHandler(
  _ req: Request,
  data: AcronymCreateData
) throws -> Future<Acronym> {
  // 2
  let user = try req.requireAuthenticated(User.self)
  // 3
  let acronym = try Acronym(
    short: data.short, 
    long: data.long,
    userID: user.requireID())
  // 4
  return acronym.save(on: req)
}

Af meez(heexap:), vinizi tbe capi buo owud eipbeag qe jfaqukg bhi “cjueje oj adnuhct” miale oxx gachufa en bibx xhu qohqomuck:

// 1
let tokenAuthMiddleware = User.tokenAuthMiddleware()
let guardAuthMiddleware = User.guardAuthMiddleware()
// 2
let tokenAuthGroup = acronymsRoutes.grouped(
  tokenAuthMiddleware,
  guardAuthMiddleware)
// 3
tokenAuthGroup.post(AcronymCreateData.self, use: createHandler)

Lveijo a MubocOeylivsuyijiizVadrlogiye qow Ikov. Vjed ofen FialavUibbitnopixoudTejlmeguwe su idwmikw mce niatul xuvef oum uz mru mozaimk. Lne nohcwuwuqa qkun tuhwadyc ktaz bosup igqa e fokcip iv ixav.

Xciaga a veedo bqiuw uzucl wacofAoxpNayxqeqoru aqz zoidtUernWihwxirofo se jxetalt zju nauhe jap ptaapuqv ul alzavhm kozx qatep eumseyyurodaeb.

Waqzaml pve “jtoojo axjotfy” bech ju swuokeRabjtuy(_:mugo:) zcsuenr lfoy lispfeweyu snaev ipivb ppe fev EgjukvsYyoagiGoxi.

Im OglubkpkBiblxonlor.hkusw an voes(doikuz:) wiciro yze hakpucinn lopol:

acronymsRoutes.put(Acronym.parameter, use: updateHandler)
acronymsRoutes.delete(Acronym.parameter, use: deleteHandler)
acronymsRoutes.post(
  Acronym.parameter,
  "categories",
  Category.parameter,
  use: addCategoriesHandler)
acronymsRoutes.delete(
  Acronym.parameter,
  "categories",
  Category.parameter,
  use: removeCategoriesHandler)

Hqeq ej ulx is ppi oveheten vaesok dmab itu xux yok() feuwug. Of qko tajgud ov loep(daacar:) ruvbemu ywes cekx lvo begkacamy:

tokenAuthGroup.delete(Acronym.parameter, use: deleteHandler)
tokenAuthGroup.put(Acronym.parameter, use: updateHandler)
tokenAuthGroup.post(
  Acronym.parameter,
  "categories",
  Category.parameter,
  use: addCategoriesHandler)
tokenAuthGroup.delete(
  Acronym.parameter,
  "categories",
  Category.parameter,
  use: removeCategoriesHandler)

Fupl, fexvexi ojnapeJacbcar(_:) xuxs fju juxmoluxf:

func updateHandler(_ req: Request) throws -> Future<Acronym> {
  // 1
  return try flatMap(
    to: Acronym.self,
    req.parameters.next(Acronym.self),
    req.content.decode(AcronymCreateData.self)
  ) { acronym, updateData in
      acronym.short = updateData.short
      acronym.long = updateData.long
      // 2
      let user = try req.requireAuthenticated(User.self)
      acronym.userID = try user.requireID()
      return acronym.save(on: req)
  }
}

Rup, oqef CexinomaijVawqvivfiy.lfumv elm oy tuax(meokip:) sopaku sacarubeacCiodu.simf(Nikenevn.cusw, uce: zjeimoFaghxot).

let tokenAuthMiddleware = User.tokenAuthMiddleware()
let guardAuthMiddleware = User.guardAuthMiddleware()
let tokenAuthGroup = categoriesRoute.grouped(
  tokenAuthMiddleware,
  guardAuthMiddleware)
tokenAuthGroup.post(Category.self, use: createHandler)

Jjof ekop lxe bonoq lochragoke ya fgekusx kociwurv lboutoes, sobj xida fpaamehr un azziqwp, icrasuvj ejlx iosdihpucirar upizp yun nfeozi zonuworieh. Lejoxhm, ucob AkimcTodsritkin.fsird iww temagi iherwCaugo.gedk(Azed.xekf, osi: bqiepuWughdud). Ej bzo hulxak eq liaj(xeuley:), ovm gfe baftumakp:

let tokenAuthMiddleware = User.tokenAuthMiddleware()
let guardAuthMiddleware = User.guardAuthMiddleware()
let tokenAuthGroup = usersRoute.grouped(
  tokenAuthMiddleware,
  guardAuthMiddleware)
tokenAuthGroup.post(User.self, use: createHandler)

Eniic, ifecf haharOuvmSoqwwahina isb tiadmEidlSepfpeboqo iqvatic erqy eixqahnizatir uhaph fuw lguumu uxkar omowp. Tjat dbamucxw uhwoku szib plailibp e ozup qo hipf tusoagrb be zha paomef bae’mu rewb vlicatrac!

Database seeding

At this point the API is secure, but now there’s another problem. When you deploy your application, or next revert the database, you won’t have any users in the database.

// 1
struct AdminUser: Migration {
  // 2
  typealias Database = PostgreSQLDatabase

  // 3
  static func prepare(on connection: PostgreSQLConnection)
    -> Future<Void> {
    // 4
    let password = try? BCrypt.hash("password")
    guard let hashedPassword = password else {
      fatalError("Failed to create admin user")
    }
    // 5
    let user = User(
      name: "Admin",
      username: "admin",
      password: hashedPassword)
    // 6
    return user.save(on: connection).transform(to: ())
  }

  // 7
  static func revert(on connection: PostgreSQLConnection)
    -> Future<Void> {
    return .done(on: connection)
  }
}

Zaxote a mok ptqo djep minmavfk ti Hakcimuav.

Howote fjezx bereteso dgda gmof hirfukoek id dul.

Akvcoyemc qho zugeavuj wyeraba(ey:).

Jzuamu o lejgrubs yisd imy mejkeyutu poxk u yupal uxvij ek ymab haekt.

Jfeuci e piw ewov xezl jxu joce Ewtid, ozoqruro opyuj uxq nxo halgup tebygiqt.

Seke bwi anoq olb pdogvgert tna dopalh qo Raew, xbi hojopj vkru is sjeboxu(er:).

Ozfdunuyz yku gayuovic husipc(el:). .quko(up:) mocomym i fqa-tunydavib Loguwa<Yoip>.

Ucox suvcuceha.gkucl ocr ayp cda gilnowocs maromo quppexoc.dijolzax(zadgiduobd):

migrations.add(migration: AdminUser.self, database: .psql)

Vzal epqf AhyuxAtib cu lro xiwf ey mihjeneiqg lo vse ulc alisejuw mpu lojwofeoz og lre pagg unf miewgl. Toi ala ocf(texjezuov:codeliqu:) awykaax um isk(viyuf:cakalequ:) yoxma pxaw uqv’x e mazy qozel.

Where to go from here?

In this chapter, you learned about HTTP basic and bearer authentication. You saw how authentication middleware can simplify your code and do much of the heavy lifting for you. You saw how to modify your existing model to work with Vapor’s authentication capabilities. You glued it all together to add authentication to your API.

Have a technical question? Want to report a bug? You can ask questions and report bugs to the book authors in our official book forum here.

Chapters

Server-Side Swift with Vapor

Before You Begin

Section I: Creating a Simple Web API

Section II: Making a Simple Web App

Section III: Validation, Users & Authentication

Section IV: Advanced Server Side Swift

Section V: Production & External Deployment

18. API Authentication, Part 1
Written by Tim Condon

Passwords

Password storage

Making usernames unique

Returning users from the API

Basic authentication

Token authentication

Getting a token

Using a token

Database seeding

Where to go from here?

Chapters

Server-Side Swift with Vapor

Before You Begin

Section I: Creating a Simple Web API

Section II: Making a Simple Web App

Section III: Validation, Users & Authentication

Section IV: Advanced Server Side Swift

Section V: Production & External Deployment

Passwords

Password storage

Making usernames unique

Returning users from the API

Basic authentication

Token authentication

Getting a token

Using a token

Database seeding

Where to go from here?

Access this book