How to add customer authentication to your Magento API

Posted on Tue May 22, 2012 by Jeroen Derks There have been 8 comment(s)

In this post I will provide a simple solution to adding customer authentication to the Magento API. How to add functionality to the Magento API has already been properly documented in the Magento wiki page Creating a custom API or extending the Core API, so we will not dive into that.

The idea is to simply call the same function for login() which would be used in the frontend and then check for customer authentication in every API call that requires customer authentication.

NB: Please note that this post is a work-in-progress, your mileage may vary, so please test thorougly before using this solution in a production environment.

Update: changed to use customer session for storing current website and store.
Please let me know if you find any problems with this solution. Thanks!

Don't forget that you also have to setup API access in the Magento administration area.

First you need to define a function in your API class to handle the customer login:

<?php
/**
 * Custom API model
 */
class MyCompany_MyModule_Model_Api extends Mage_Api_Model_Resource_Abstract
{
    /** @var Mage_Customer_Model_Session */
    protected $_customerSession = null;

    /**
     * Customer authentication.
     *
     * @param   string  $website Website code of website to authenticate customer against
     * @param   string  $username Username of customer to authenticate
     * @param   string  $password Password of customer to authenticate
     * @return  boolean True, if successfully authenticated customer for supplied website; false, otherwise.
     */
    public function login( $website, $email, $password )
    {
        // determine store to login to
        $store = $this->_getStore($website);

        // get customer session object
        $session = $this->_getCustomerSession();

        // authenticate customer
        $authenticated = $session->login($email, $password);

        // return authentication result
        return $authenticated;
    }

    /**
     * Logout authenticated customer, if any.
     * @return boolean True.
     */
    public function logout()
    {
        // get customer session object
        $session = $this->_getCustomerSession();
        
        // logout customer
        $session->logout();

        return true;
    }

Next, you have to check for an authenticated customer in your API functions that require this:

    /**
     * Do something for an authenticated customer.
     */
    public function doSomethingThatRequiresCustomerAuthentication()
    {
        // check whether customer is actually authenticated
        $this->_checkCustomerAuthentication();

        // retrieve customer object
        $customer = $this->_getAuthenticatedCustomer()

        // do something for authenticated customer
        ...
    }

Finally, you have to define the helper functions we have used:

    /**
     * Check whether a customer has been authenticated in this session.
     * 
     * @return void
     * @throws Mage_Core_Exception If customer is not authenticated.
     */
    protected function _checkCustomerAuthentication()
    {
        // get customer session object
        $session = $this->_getCustomerSession();
        
        // check whether customer is logged in
        if ( !$session->isLoggedIn() ) {
            // if customer is not logged in throw an exception
            Mage::throwException(Mage::helper('mymodule')->__('Not logged in'));
        }
    }

    /**
     * Get authenticated customer object.
     * 
     * @return Mage_Customer_Model_Customer Authenticated customer object.
     * @throws Mage_Core_Exception If customer is not authenticated or does not exist.
     */
    protected function _getAuthenticatedCustomer()
    {
        // retrieve authenticated customer ID
        $customerId = $this->_getAuthenticatedCustomerId();
        if ( $customerId )
        {
            // load customer
            /** @var Mage_Customer_Model_Customer $customer */
            $customer = Mage::getModel('customer/customer')
                            ->load($customerId);
            if ( $customer->getId() ) {
                // if customer exists, return customer object
                return $customer;
            }
        }
        
        // customer not authenticated or does not exist, so throw exception
        Mage::throwException(Mage::helper('mymodule')->__('Unknown Customer'));
    }

    /**
     * Get authenticated customer ID.
     * 
     * @return integer Authenticated customer ID, if any; null, otherwise.
     */
    protected function _getAuthenticatedCustomerId()
    {
        // get customer session object
        $session = $this->_getCustomerSession();
        
        // return authenticated customer ID, if any
        return $session->getCustomerId();
    }

    /**
     * Get store object from supplied website code or from register or session.
     * 
     * @param string $code Code
     */
    protected function _getStore( $code = null )
    {
        // get customer session
        $session = $this->_getCustomerSession();

        // if website code not supplied, check for selected store in register or selected website in session
        if ( null === $code ) {
            // try to get selected store from register
            $store = Mage::registry('current_store');
            if ( $store ) {
                return $store;
            }
                
            // try to get selected website code from session
            $code = $session->getCurrentWebsiteCode();
            if ( !$code ) {
                // if no store in register or website code in session, throw an exception
                Mage::throwException(Mage::helper('mymodule')->__('No Store set'));
            }
        }

        // load website from code
        /** @var Mage_Core_Model_Website $website */
        $website = Mage::getModel('core/website')
                        ->load($code, 'code');
        if ( !$website->getId() ) {
            // if unknown website, throw an exception
            Mage::throwException(Mage::helper('mymodule')->__('Invalid Store') . $code);
        }
        
        // get the default store of the website
        $store = $website->getDefaultStore();
        
        // register the current store
        Mage::app()->setCurrentStore($store);
        Mage::register('current_store', $store, true);
        
        // set the current website code in the session
        $session->setCurrentWebsiteCode($website->getCode());
        
        // return store object
        return $store;
    }

    /**
     * @return Mage_Customer_Model_Session
     */
    protected function _getCustomerSession()
    {
        if ( !$this->_customerSession ) {
            $this->_customerSession = Mage::getSingleton('customer/session');
        }
        return $this->_customerSession;
    }

    ...
}

Please let me know if this works for you or not!


This post was posted in Magento, Development

8 Responses to How to add customer authentication to your Magento API

  • Hi Jeroen,

    I'm trying to follow your instructions, though i had a problem with the example given above. I dont really know where to put that file. Is it a file anyway? if so where do i have to place it in the folder structures? What is the name of that file? or are there more files i have to create?

    I have written an extension of an SOAP-API v2 for custommer model and want to use your functions within that API.

    Please drop me some lines if you can help me.

    Thanks!
    Veronika

    Posted on Fri September 21, 2012 at 21:58

  • Hello Veronika,

    If you still need my help, please check the email I sent you. Thanks.

    Posted on Fri October 12, 2012 at 00:35

  • Michal says:

    Hello Jeroen,
    I had problems setting this properly as well. Could you help me and what supposed to be in all required magento configuration files ?

    Posted on Mon January 14, 2013 at 05:11

  • YF says:

    Hi !

    Can you help me, I would like to know the complete structure of the API, because I do not have to run the API.

    thank you very much

    Posted on Wed January 16, 2013 at 14:29

  • Hi YF,

    Please read the documentation at Magento for using the API using the links in the article. That should get you going.
    Good luck!

    Posted on Sun March 10, 2013 at 12:47

  • Zeno says:

    Default Website code is `base` in Magento, you may also find it under

    System -> Manage Stores

    Posted on Sat November 9, 2013 at 08:16

  • mehul says:

    can you send me where to put the code?

    Posted on Mon December 16, 2013 at 14:55

  • DV says:

    Did you continue this project?
    I tried your example...but I get Call to a member function login() on a non-object and I don't get what is wrong.
    Thanks,

    Posted on Tue January 21, 2014 at 22:20

Comments