Making signed requests with CodeIgniter

Recently we’ve done lots of backends for IOS apps, Flash sites, Facebook apps and such. In most cases, it’s just a matter of responding with JSON to a HTTP request, saving or fetching something from a datasource. The problem is that it’s fairly easy to sniff the request, change a few parameters and submit a forged request. Up until now, we’ve done authentication on an ad hoc basis, but last week i whipped up a simple CodeIgniter library to standardize the way we do this authentication. Here it is.

This is how to work it:
1. Place this file in application/libraries/
2. Load or autoload it
3. In your controller, use this to validate a request:

if($this->checksum->validate()){
    # keep calm and carry on
 }else{
    # respond that the checksum was bad
 }

4. Call your controller with ?checksum= or by passing checksum as a post variable.
5. The value of checksum must be calculated correctly on the client side (IOS app/Flash/etc). Bad requests are logged in application/logs, together with the correct checksum for the request.

This is how it works:
The calucation is done like this:
sha1(‘yourcontroller/yourmethod/?fieldstring|salt);

“fieldstring” is all the post or get variables, formatted like name=value&name2=value2&etc
post and get variables must be sorted on key name (using same algorithm as php ksort).

“salt” is the CodeIgniter encryption key, set in application/config/config.php

Gotchas:
– This method allows the same request to be sent again, as long as it looks exactly the same. It’s pretty easy to make this library take current time into account, but would require that your CodeIgniter install and your external app do a little handshake on init, syncing the app’s timestamp to the server’s. Should you need this functionality, just put a time() somewhere in the sha1 in both the lib and the app.
–  We currently only handle the request methods GET and POST. If you need support for more verbs, you are probably capable of adding it yourself, heh.

(If you end up using this: please share your client code, and let me know so i can put up a link to it from here!)