
Building a scalable web app for login/register api in php without using any third-party frameworks or libraries



Posted

Hi, I want to build a scalable web app for a login/register API in PHP without using any third-party frameworks or libraries. The API URLs for the app will be as follows:

Signup URL: /user/signup

Signin URL: /user/signin

Profile URL: /user/profile

Update profile URL: /user/profile/update

 

After login/register the app should generate and return the access token which is required to access profile. How can I do it?

Posted

The most secure answer is...you don't. This is one of those things you really should never write yourself, if only for security reasons.

 

The way I would implement this is to get a working login system for one application (your main one), then make that login system compatible with industry standards for extensible login systems. The most common standard for single sign-on these days is SAML, which lets you cleanly separate the "identity provider" (the login system and user account database) and the "service provider" (the applications that use those accounts). One identity provider can provide user information for multiple applications, so you can just build the identity provider once, and as you make your apps going forward, your users with an account on one app will already have an account that works across all of them.

 

There are several PHP libraries for implementing this (PhpSimpleSaml is probably one of the more well known ones), and it's way too complex to really implement securely without using a library. I failed to follow my own advice back in 2014 when I built my SSO system, and have recently been in the process of ripping it out and replacing it with something more standard...

 

As for URLs, forget about what the URLs look like when developing it, you can always use an .htaccess file later to make them whatever you want.

Posted

I understood what you've said. But this is a task I've been assigned by an IT company for whom I gave an interview for "Full-stack Web Developer" in the first round of telephonic interviews. Now the HR Manager wants me to develop the app for my 2nd round of interview. They have allowed me to use any third-party libraries. But I'm not comfortable with any third-party libraries, that's why I've asked for it without any framework or libraries.
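
Added example, not part of any post in this thread: one way the token flow asked about in the first post can be built with PHP built-ins only (`password_hash`, `random_bytes`, `hash`). The `TokenAuth` class, its method names, and the in-memory arrays standing in for database tables are assumptions for illustration.

```php
<?php
declare(strict_types=1);
// Added example: in-memory arrays stand in for database tables (assumption).
final class TokenAuth
{
    private array $users = [];   // email => password hash
    private array $tokens = [];  // sha256(token) => [email, expires]
    private string $dummyHash;

    public function __construct()
    {
        // Hash checked for unknown emails so signin timing does not reveal who has an account.
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    public function signup(string $email, string $password): string
    {
        if (isset($this->users[$email])) {
            throw new RuntimeException('account already exists');
        }
        $this->users[$email] = password_hash($password, PASSWORD_DEFAULT); // salted, slow hash
        return $this->issueToken($email);
    }

    public function signin(string $email, string $password): ?string
    {
        $ok = password_verify($password, $this->users[$email] ?? $this->dummyHash);
        return ($ok && isset($this->users[$email])) ? $this->issueToken($email) : null;
    }

    public function profile(string $token): ?array
    {
        $row = $this->tokens[hash('sha256', $token)] ?? null;
        // Unknown or expired token: the API should answer 401.
        return ($row !== null && $row['expires'] >= time()) ? ['email' => $row['email']] : null;
    }

    private function issueToken(string $email, int $ttl = 3600): string
    {
        $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        // Keep only a hash server-side so a leaked token table cannot be replayed.
        $this->tokens[hash('sha256', $token)] = ['email' => $email, 'expires' => time() + $ttl];
        return $token;
    }
}

$auth = new TokenAuth();
$token = $auth->signup('alice@example.test', 'constructed sample password');
var_dump($auth->profile($token), $auth->signin('alice@example.test', 'wrong'), $auth->profile('forged'));
```

In a real deployment the token would be sent over HTTPS in an `Authorization` header and the two arrays would be database tables.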
