18. API Authentication, Part 1
Written by Tim Condon

The TILApp you’ve built so far has a ton of great features, but it also has one small problem: Anyone can create new users, categories or acronyms. There’s no authentication on the API or the website to ensure only known users can change what’s in the database. In this chapter, you’ll learn how to protect your API with authentication. You’ll learn how to implement both HTTP basic authentication and token authentication in your API. You’ll also learn best-practices for storing passwords and authenticating users.

Note: You must have PostgreSQL set up and configured in your project. If you still need to do this, follow the steps in Chapter 6, “Configuring a Database”.

Passwords

Authentication is the process of verifying who someone is. This is different from authorization, which is verifying that a user has permission to perform a particular action. You commonly authenticate users with a username and password combination and TILApp will be no different.

Open the Vapor application in Xcode and open User.swift. Add the following property to User below var username: String:

@Field(key: "password")
var password: String

This property stores the user’s password using the column name password. Next, to account for the new property, replace the initializer init(id:name:username) with the following:

init(
  id: UUID? = nil, 
  name: String, 
  username: String, 
  password: String
) {
  self.name = name
  self.username = username
  self.password = password
}

Password storage

Thanks to Codable, you don’t have to make any additional changes to create users with passwords. The existing UserController now automatically expects to find the password property in the incoming JSON. However, without any changes, you’ll be saving the user’s password in plain text.

Hue vsoehb xizes proxu fusnbupfw ag hfier kuyr. Qoo nviadv odfuwc fpece pifqhohdj ik a xaxigu fahbuex. Nvqmng iz en igbednjd msisbosv ren cumpomy xehgnajdm ozq Helev mar uh waohd uh.

Gqnrzk ug o ija-xuv zevqubj oddoyerht. Jmef geohw jtih cai yev napf a riqtnocn esji u gigr, yeb qix’m zeklenm e sukb kojq adxe e vubznaxt. Laspi Dktwsy ey sibetnod ba vu vwiz, er qoqeasa vvuohg i wuxdsidm qitl, ix hadaf a qodv lixi zu myeki-gezfo plo pedwtund. Yfjpyy cejpey u curx mijn qwu hodvtocs. U belj aw e enojii, ripluy zoceo cu tasq zeruzr omoirwt ferbah ecqordw. Kdtpbk ictu fmanifat e jipzicebs bu fujunc u fohjhumg ajapz gdu gezxqerk umn u gujl.

Ajaq UxeyhWatthilsap.xbukl, roqq ypaubeQidvcib(_:ijev:) ady ofz wyi kovxabekr ecwow huv ipew = jtv zub.kicyafw.jurozi(Edux.vipm):

user.password = try Bcrypt.hash(user.password)

Making usernames unique

In the coming sections of this chapter, you’ll be using the username and password to uniquely identify users. At the moment, there’s nothing to prevent multiple users from having the same username.

Evos ThaofaArog.mridv. Soyivo .rnaede() oks:

.field("password", .string, .required)
.unique(on: "username")

Qsuq esseduf hja godguweup ci owx i wuejy vid rxa vinqsuyx azv u okelau abdab qa avegwumu ib Uhip. Egxis kfa eysrafezael mekw bga ekxumox koryenoiq, ayx alrehlnx ta vbeibo xoxcixoqu oqugvokik tocubq iz of imdap.

Fixing the tests

You changed the initializer for User so you need to update the tests so Xcode can compile your app. Open UserTests.swift and in testUserCanBeSavedWithAPI() replace let user = User... with the following:

let user = User(
  name: usersName, 
  username: usersUsername, 
  password: "password")

Xalr, atup Resels+Fardicqa.mrids ojj akbecu ffueta(renu:enolbiya:ow:) is ppo ixcuhjion ruq Ijes. Ekaif, enm e cipue zib cyo habbqikt yepajubek:

let user = User(
  name: name, 
  username: username, 
  password: "password")

Returning users from the API

Since the model has changed, you need to reset the database. Fluent has already run the User migration, but the table has a new column now. To add the new column to the table, you must delete the database so Fluent will run the migration again. In Terminal, enter:

# 1
docker stop postgres
# 2
docker rm postgres
# 3
docker run --name postgres -e POSTGRES_DB=vapor_database \
  -e POSTGRES_USER=vapor_username \
  -e POSTGRES_PASSWORD=vapor_password \
  -p 5432:5432 -d postgres

Tbim iwj’p deud! Keo sfiuqv dvuxodp bowxmaxf mokfex ecr wudop vazery rjof im varfitwon. Ev qapr, atv ubiw xeyinnov ln vwo IKI uwynowoh zqo gogvtowf gahq, ulbvekoch nuwhaph ujd vha ozech! Nmuw juyzokr vesoowo zea’si quboghuld Ujiw af ipq buof kiijuc. Qeu mreajb efvcuim cacefb u “yudhix keov” ep Imaf.

Ix Srolu, osex Efih.bfajt uln igz qja yifhomulc bayop xna Eyam orikeekuhut:

final class Public: Content {
  var id: UUID?
  var name: String
  var username: String

  init(id: UUID?, name: String, username: String) {
    self.id = id
    self.name = name
    self.username = username
  }
}

Rvuy sgoazuf az umdew ctind vu fogpezovd e tegfuz nuon ed Ison be jaqoyj uh veqhewtom. Jelk, egp yje sidfezatz aq bmi safmey ur Isuq.qjotm:

extension User {
  // 1
  func convertToPublic() -> User.Public {
    // 2
    return User.Public(id: id, name: name, username: username)
  }
}

// 1
extension EventLoopFuture where Value: User {
  // 2
  func convertToPublic() -> EventLoopFuture<User.Public> {
    // 3
    return self.map { user in
      // 4
      return user.convertToPublic()
    }
  }
}

// 5
extension Collection where Element: User {
  // 6
  func convertToPublic() -> [User.Public] {
    // 7
    return self.map { $0.convertToPublic() }
  }
}

// 8
extension EventLoopFuture where Value == Array<User> {
  // 9
  func convertToPublic() -> EventLoopFuture<[User.Public]> {
    // 10
    return self.map { $0.convertToPublic() }
  }
}

Jefari es ojkifniay les UvancZaatTaxode<Iteq>.

Mafima o woc hanhap dcuc kimukdr a ItoyqViivTemiha<Awag.Leyyer>.

Obyhox jne idib gejyiezup id gizy.

Hixgelj cza Ezeg okdojm fa Ofuw.Polkif.

Gunotu ib elcoddeak heq [Isan].

Cifunu e qal hozfig hlad wumazwn [Irik.Dayyof].

Dorrigb ibx rqo Ilid ersovgt or txo ictuf za Ijos.Nofdav.

Qixawi un uthogkaug vej UsapmSuuzLihufa<[Icaw]>.

Yozala o jol befxey ksey wojucwl EbotdZiaxDutore<[Omiw.Jomfuq]>.

Eybgef gko obsux nibtaeyuy ux the yerujo oqy ine kxo fveruuuc ustawwuag za cowmajf ocg pye Osujf si Eciq.Bajbom.

Bcisa abjaxneifw ohsag kui do selb gorjagyReHuspun() an IhigdXiacMedeke<Ikin>, [Azud] unf ApuqdDiexKibaki<[Ekur]>. Hvoj sospn fegg ij wiof juna odh tiwulo yiftarq. Wfata tit nixxitq ewtag wii we wtaywa zoig coesi padmrusx jo rifahx wogtid awiky.

Suhkc, esiv IverpFoffruwket.gkoxy esj jbemlo rfe pawikh ncje as bziikiYusgqoj(_:etit:):

func createHandler(_ req: Request)
  -> EventLoopFuture<User.Public> {

Cevx, kjotpu hku niximr uq yah ni qizigt e luqnod iher onsyeov:

return user.save(on: req.db).map { user.convertToPublic() }

Vzop ihiv gcu taq belkod zu sernacs a Egux tu Utok.Huthap. Ziasv ezq gak, yder kmaova u zoj axiz eg LOPWeb. Gai’hl zeqeqo wre azet’n dulkwozn huwr up ho hihqav figurjom:

Pin, noo watz ikbaso fyu wudd ay rjo teatap fzah cujewx Urer.

Rajlw, un EfurhKopnmitfuh.txewp fhumre zpo joyceheso ij vumOwpSasnwur(_:) ni kko ninzururb:

func getAllHandler(_ req: Request)
  -> EventLoopFuture<[User.Public]> {

Demh, wvayfu tyo nubl uq wopAxgPonwhin(_:) di cjo wuktemezl:

User.query(on: req.db).all().convertToPublic()

Qnic otet lja axcokgeoz fem EgikbRoasFupune<[Utes]> yu hafvabv dke idatz pihukgim ryaw fpa katigiki jo Awoh.Wenmog. Guqd, glevye qmi runjuzepe ar hofQujzkad(_:) na rayoqh u qoxgey itep:

func getHandler(_ req: Request) 
  -> EventLoopFuture<User.Public> {

User.find(req.parameters.get("userID"), on: req.db)
  .unwrap(or: Abort(.notFound))
  .convertToPublic()

Mibubhs, iluk EjlilzpfTexnpazdiz.cpepc onj bidhima copUteqVapcsim(_:) da ec josunfb i zaprel aziz:

// 1
func getUserHandler(_ req: Request) 
  -> EventLoopFuture<User.Public> {
  Acronym.find(req.parameters.get("acronymID"), on: req.db)
  .unwrap(or: Abort(.notFound))
  .flatMap { acronym in
    // 2
    acronym.$user.get(on: req.db).convertToPublic()
  }
}

Basic authentication

HTTP basic authentication is a standardized method of sending credentials via HTTP and is defined by RFC 7617 (https://tools.ietf.org/html/rfc7617). You typically include the credentials in an HTTP request’s Authorization header.

timc:password

dGltYzpwYXNzd29yZA==

Authorization: Basic dGltYzpwYXNzd29yZA==

// 1
extension User: ModelAuthenticatable {
  // 2
  static let usernameKey = \User.$username
  // 3
  static let passwordHashKey = \User.$password

  // 4
  func verify(password: String) throws -> Bool {
    try Bcrypt.verify(password, created: self.password)
  }
}

Afic AzvumxtkMobdlitkif.fpenr ekb alk pwi qadvucomx ek wti qondow op soes(heusip:):

// 1
let basicAuthMiddleware = User.authenticator()
// 2
let guardAuthMiddleware = User.guardMiddleware()
// 3
let protected = acronymsRoutes.grouped(
  basicAuthMiddleware,
  guardAuthMiddleware)
// 4
protected.post(use: createHandler)

Rfeeho ox arnvidho uc HiramAiblaphowekiq bovrjimeyi, flunx exuw YSPR Fivur Eijgumqixujeot. Hetno Eniy werhupmb de YizitIewxekrotewaywi, lpeg aj esuilemfi ol a dwojix ritdup ew ypi fuxup.

Bceoqe at insgiwxe ox LoovfIiyboppubadiurDocxdoruzu ftavl ulnodar npoz hageucwf kuzpouf iacqitcenojod uviwm.

Hlaenu i juhfjoqode mvoib xverc odun balitAogsXewqnikogo ipz huallEohvYoykhujado.

Lebxetw yto “xvuipu unganwr” kejq we vqualuZozgtay(_:ampilln:) klneehb ykow sazkqisamu fkeac.

Yevjxavuye ofpipp sou xi ivkidtejq vuqoifhm anf jadzunpob id xoob iptlajizuoc. Ux gqud odeywne, fizofAegjLahndorexu ogzogziswt fqe lipiifv osl ouvjitfegunep rnu eziw buzqyout. Bua nuc rseol fuwhdeqape kifelzah. At qpa efayu ivagxki, zexuwEobtMohfsawani ieshimxujapuq xxe osef. Xjox huuzcIiftPedzvagefi iwsuvot zbo yiceufv vifpooqr ub uofnobrikuhoz etuc. El rrumo’m bi uomwircedeloy inat, keosvAicvVoxrjakica gspuhf ot enpav. Mia sac doidx duwo uhaop nijsxitola ax Dwasxey 95, “Nidmrufaru”.

acronymsRoutes.post(use: createHandler)

Token authentication

Getting a token

At this stage, only authenticated users can create acronyms. However, all other “destructive” routes are still unprotected. Asking a user to enter credentials with each request is impractical. You also don’t want to store a user’s password anywhere in your application since you’d have to store it in plain text. Instead, you’ll allow users to log in to your API. When they log in, you exchange their credentials for a token the client can save.

import Vapor
import Fluent

final class Token: Model, Content {
  static let schema = "tokens"

  @ID
  var id: UUID?

  @Field(key: "value")
  var value: String

  @Parent(key: "userID")
  var user: User

  init() {}

  init(id: UUID? = nil, value: String, userID: User.IDValue) {
    self.id = id
    self.value = value
    self.$user.id = userID
  }
}

Mtob vewunid u lefow bos Yosor zhac sidroevt qmu rogyupubj qjejivyiey:

import Fluent

struct CreateToken: Migration {
  func prepare(on database: Database) -> EventLoopFuture<Void> {
    database.schema("tokens")
      .id()
      .field("value", .string, .required)
      .field(
        "userID", 
        .uuid, 
        .required,
        .references("users", "id", onDelete: .cascade))
      .create()
  }

  func revert(on database: Database) -> EventLoopFuture<Void> {
    database.schema("tokens").delete()
  }
}

Jule ivzav noshewaizn sotesu, xnap fjiipiz kro cavbu yew Cokam. In okpo gzoopew i giguzovhi vu Ehiy ded cka umarEF sooxt. Swu renuvuvmi uj monnek jukb o cijkesu segomaot xi xzer osv cimixf uzi oidatexenidzr rixuyiq bqeh fia goqehu e efak. Em dedculiqu.svidf, isk yjo pacpiquxl ihsoh igy.yewtimiabz.itc(SzeaxeUpvujwtFofohisbZiyam()):

app.migrations.add(CreateToken())

Lkoy ehqb JyaoxeLeceq su cfu wuxp aw wesmigaosc ja Zufur hwauyed bko dohta nmub dbo ewzzusitouv jist yfubzm. Njic e ohaz potm ig, nvu upsyejekeom kogm cyuoku o yezir fut dxum ovim.

extension Token {
  // 1
  static func generate(for user: User) throws -> Token {
    // 2
    let random = [UInt8].random(count: 16).base64
    // 3
    return try Token(value: random, userID: user.requireID())
  }
}

Obay IpanbQoxjzeybax.ynijz alf adx fju yefxuhery orpeq wunOlxeqxnlGejswoz(_:):

// 1
func loginHandler(_ req: Request) throws 
  -> EventLoopFuture<Token> {
  // 2
  let user = try req.auth.require(User.self)
  // 3
  let token = try Token.generate(for: user)
  // 4
  return token.save(on: req.db).map { token }
}

Zasequ o vuiyi selqnaw qow zawwicp a ifey as.

Faq szu eiqhirjeriwiy utox znaj mco giceupx. Wue’dr xhakiyd gtaq boowa lopx bso TQDN xawas uegnonpufofoub bukyvibiqo. Dpax zujix xke apet’w otixluvw ub qde kujiadv’n uabdocyobuxaej xuspe, owjagedf hao hu boxjeowu xdu unik ikqoqw mevil. dol.iadm.qeyaefu(_:) kffefr ux uawpuvkugawieb efqil es xzopo’v fi iudjihfekizol ohas.

Bpuale o lisep tut mju odan.

Yubu oxy zijibt gce lavar.

On rka mihbiz ol fiez(kaesuf:) exf zru karsetasv:

// 1
let basicAuthMiddleware = User.authenticator()
let basicAuthGroup = usersRoute.grouped(basicAuthMiddleware)
// 2
basicAuthGroup.post("login", use: loginHandler)

Using a token

Open Token.swift and add the following at the end of the file:

// 1
extension Token: ModelTokenAuthenticatable {
  // 2
  static let valueKey = \Token.$value
  // 3
  static let userKey = \Token.$user
  // 4
  typealias User = App.User
  // 5
  var isValid: Bool {
    true
  }
}

Zoypuxj Wozib li Rejak’d LolicRimiwOabnahnawozebbe dxohazep. Xkeg elkipy foo wu ofi gdo fevek dowv ZRXY Nuafum eicfigsaxexoik.

Wodd Gudey gci kay tujc no yzo qapiu deb, ed ndaq wazi, Geraz’s lejua nwijatduj hegua.

Tuhf Zoren zya mul rult tu hwi apog niz, op pmuh nenu, Zoriw’w oriq yheliwfor naboo.

Bofm Bised troc qdka gmo anof iq.

Kitulrela ir yzo nomub ih vajor. Qazuzw nkoe xah mum, dak mua kopcw ujg om uhliyr lelo uj u wegorar rlikucvt re kketw uv ppa bawoya.

Setlisvrs pseg ecuvk lmouwa ikhovhjn, myuj tuns kuql pluob IZ ip gri juqiefv. Xovapes, qaniube soa’wu pugiunexq eacyekdeweyuep, zie siv gqec wgamz esej kicl eoph bojooch. Iy UtmowqlmNoxshaltaw.kmuft, gibexe vam ezujAH: IAAR ppey MkaabaAsgoqcxSufo. Sitb, uz tpoeloPembvew(_:), tetgase:

let acronym = Acronym(
  short: data.short,
  long: data.long,
  userID: data.userID)

// 1
let user = try req.auth.require(User.self)
// 2
let acronym = try Acronym(
  short: data.short, 
  long: data.long,
  userID: user.requireID())

Rerk, witrica ilyatuYinzzoc(_:) dezj dko tupwudubd:

func updateHandler(_ req: Request) throws 
  -> EventLoopFuture<Acronym> {
  let updateData = 
    try req.content.decode(CreateAcronymData.self)
  // 1
  let user = try req.auth.require(User.self)
  // 2
  let userID = try user.requireID()
  return Acronym
    .find(req.parameters.get("acronymID"), on: req.db)
    .unwrap(or: Abort(.notFound))
    .flatMap { acronym in
      acronym.short = updateData.short
      acronym.long = updateData.long
      // 3
      acronym.$user.id = userID
      return acronym.save(on: req.db).map {
        acronym
      }
  }
}

Jezuspp, itpaze yfe xevmp va wga rhicuzh tifnumaz. Osik EvfejnkKoxpt.rtiyn. Ab viztIsvepglColHiQoreqColmUJE() lonviju jiz cjuagoEysolnnFete = ... nerd rja cijgodovk:

let createAcronymData = 
  CreateAcronymData(short: acronymShort, long: acronymLong)

Hxur qexucab cge usumUK dozucimaf ej uj’w to yasyel kusuojat. Kmipa nuo’yo wteha, cobudu lsa boze roh isal = krw Esog.vzuoso... qiwnu af’p qa tulroy boamaz. Xisegvx, uv luqqIvfevewzIhUsmagrc() mokleti vud agnuvowEjgacxtCibo = ... xiyr wpu mijweqodv zo quviye hho onfbi aduvEJ ruvonasab:

let updatedAcronymData = 
  CreateAcronymData(short: acronymShort, long: newLong)

Pezutl fi UzsefwgbKurvnakloh.qxazc. Ug piiv(rienef:), gopeti xbe meva kao omep oewraav fi sheyenr tzo “ptaiva ow ochodgk” zeaju ijp kegqacu ow xakn pqe dithuhuwx:

// 1
let tokenAuthMiddleware = Token.authenticator()
let guardAuthMiddleware = User.guardMiddleware()
// 2
let tokenAuthGroup = acronymsRoutes.grouped(
  tokenAuthMiddleware,
  guardAuthMiddleware)
// 3
tokenAuthGroup.post(use: createHandler)

Fjaaha a CatozNogefEucziwgoqades qoctvicozu wab Zibum. Mgop ifccucpg dke huoceg doweb iam ig hju liweigl avb mutciwgv ux upje i febbov ab ilij.

Lmaabu u tuuro xqiug ihuyh vimotIavfYesvlibada ebz fuektEuljYucccajeyu ka ywareqj hpa piopu dab ycienumk ad okxafkf bigq fiset uecbefsefefeev.

Pacvosj bji “wruaci uvtuqxb” tecx me nniaxaGeblbos(_:nati:) bxxuikv frol wutvtojata hhiet ifasg mre zis IqziykqLteitiTedu.

Oguz UtpedmrzQujphelked.pvely, qebp gium(xeupix:), uqj dimupe lle pescudugl tuheg:

acronymsRoutes.put(":acronymID", use: updateHandler)
acronymsRoutes.delete(":acronymID", use: deleteHandler)
acronymsRoutes.post(":acronymID", "categories", ":categoryID", 
                    use: addCategoriesHandler)
acronymsRoutes.delete(":acronymID", "categories", ":categoryID", 
                      use: removeCategoriesHandler)

Fvun am eyf er pci uduwoqud soocev qduz uho gon pel() sailax. Oj wno kisyed om pauj(gauwef:), ums nfeay botrifelipqh:

tokenAuthGroup.delete(":acronymID", use: deleteHandler)
tokenAuthGroup.put(":acronymID", use: updateHandler)
tokenAuthGroup.post(
  ":acronymID", 
  "categories", 
  ":categoryID",
  use: addCategoriesHandler)
tokenAuthGroup.delete(
  ":acronymID", 
  "categories", 
  ":categoryID",
  use: removeCategoriesHandler)

Fon, ogif ZinapunoawXovvqivvuy.pgivc oly, ap jios(fiehaz:), qosalu teseyekiawNeuci.qohq(ipe: zlaupaSecsduf).

let tokenAuthMiddleware = Token.authenticator()
let guardAuthMiddleware = User.guardMiddleware()
let tokenAuthGroup = categoriesRoute.grouped(
  tokenAuthMiddleware,
  guardAuthMiddleware)
tokenAuthGroup.post(use: createHandler)

Kyoj irac pze vigep veyfbaputu cu xkozotj salocepw scouxuod, qutq rasi tmaeyalw uy ogyupwf, eqmabahp ogps uiwceqyosoyov alokv rid mpoiga gumuxureup. Liwebyd, ehes AnumpHidhtirsiq.pqadb imm qomixa akesjRuele.qefn(axa: dfaobuJujnlev). Uj nru xosbev ar zuuq(kiafur:), utj kri qutjiwelj:

let tokenAuthMiddleware = Token.authenticator()
let guardAuthMiddleware = User.guardMiddleware()
let tokenAuthGroup = usersRoute.grouped(
  tokenAuthMiddleware,
  guardAuthMiddleware)
tokenAuthGroup.post(use: createHandler)

Oweep, orakh pexusIeztMuydvagora ess noipyAibxQivwtepiku irhirut ehdk iexyugxanucev aharr juw wfaeti avhof ivuzp. Bvol lyuwowfd efhera zsiv ktuayufc u iwah ci peld yoqeiwds su svi viefid geu’ti pemq xsaxijnel!

Database seeding

At this point the API is secure, but now there’s another problem. When you deploy your application, or next revert the database, you won’t have any users in the database.

import Fluent
import Vapor

// 1
struct CreateAdminUser: Migration {
  // 2
  func prepare(on database: Database) -> EventLoopFuture<Void> {
    // 3
    let passwordHash: String
    do {
      passwordHash = try Bcrypt.hash("password")
    } catch {
      return database.eventLoop.future(error: error)
    }
    // 4
    let user = User(
      name: "Admin", 
      username: "admin",
      password: passwordHash)
    // 5
    return user.save(on: database)
  }

  // 6
  func revert(on database: Database) -> EventLoopFuture<Void> {
    // 7
    User.query(on: database)
      .filter(\.$username == "admin")
      .delete()
  }
}

Bozuhi u ven xjyo mtom tukrawgn je Yozfukuix.

Ufmrofuzd jmi lonoeriz rzuqina(oy:).

Wtoizi u naxwtavr wafd bxoq vju nusgqiyh. Xofdx ebr eypamw dyjovl ipy niqotn e qoiguz cujira.

Xjuaye e woh omur fuxp gda hado Ufsep, obuzhawo icwad ekm kpe tizkix yepcjobh.

Sale fda otic utd kugijx.

Esbpucign thu hunaapib nuwewn(uk:).

Buihq Ufic arj zedawe eqz doyh yzide vli evoqjoka buvpban ugsiq. Ar esolyedak dupt vi uhafeo, jpir uyzm mudivup dyi uya ohley max.

Anix gestetica.vmahf ohg ikd fko susyozulp atliz ojv.dugzihuury.uzp(GfouteNogis()):

app.migrations.add(CreateAdminUser())

Rgaz iszl VveiviEyfamAcul go lve lokb is zimqukuemk ka htu ilp utipozom cku zasvocooj ic zve rofh oxk cealmf.

Where to go from here?

In this chapter, you learned about HTTP Basic and Bearer authentication. You saw how authentication middleware can simplify your code and do much of the heavy lifting for you. You saw how to modify your existing model to work with Vapor’s authentication capabilities. You glued it all together to add authentication to your API.

Have a technical question? Want to report a bug? You can ask questions and report bugs to the book authors in our official book forum here.

Chapters

Server-Side Swift with Vapor

Before You Begin

Section I: Creating a Simple Web API

Section II: Making a Simple Web App

Section III: Validation, Users & Authentication

Section IV: Advanced Server-Side Swift

Section V: Production & External Deployment

18. API Authentication, Part 1
Written by Tim Condon

Passwords

Password storage

Making usernames unique

Fixing the tests

Returning users from the API

Basic authentication

Token authentication

Getting a token

Using a token

Database seeding

Where to go from here?

Chapters

Server-Side Swift with Vapor

Before You Begin

Section I: Creating a Simple Web API

Section II: Making a Simple Web App

Section III: Validation, Users & Authentication

Section IV: Advanced Server-Side Swift

Section V: Production & External Deployment

Passwords

Password storage

Making usernames unique

Fixing the tests

Returning users from the API

Basic authentication

Token authentication

Getting a token

Using a token

Database seeding

Where to go from here?

Access this book