Question

I am using the REST API to log in to a customer account using the below URL and details:

URL: https://magento.host/index.php/rest/V1/integration/customer/token
Header: "Content-Type:application/json"
Data: {"username":"customer1@example.com", "password":"customer1pw"}

and a successful request returns a response body with the token:

asdf3hjklp5iuytre

As we are now logged in, all the calls after login that we need to make using the REST API should use the below format:

URL: http://magento.ll/index.php/rest/V1/customers/me
Header: Authorization: Bearer asdf3hjklp5iuytre 

Now My Question is:

How will we verify that the token is valid for other subsequent API calls? How can we get customer details using the token provided in the header?

Please explain the flow.

Updated:

When we try to access the API URL below with valid headers, it calls the getById function of CustomerRepository. But in the getById function there is one argument called $customerId. I am not sure how it is coming, but in the customer module's webapi.xml for this function, I found there is a way to pass customerId as a param; it will not be sent by the requester, but Magento sets it internally.

http://magento.ll/index.php/rest/V1/customers/me

vendor/magento/module-customer/etc/webapi.xml

<route url="/V1/customers/me" method="GET">
    <service class="Magento\Customer\Api\CustomerRepositoryInterface" method="getById"/>
    <resources>
        <resource ref="self"/>
    </resources>
    <data>
        <parameter name="customerId" force="true">%customer_id%</parameter>
    </data>
</route>

So I did the same thing in my function and it is working fine. Here is my doubt: do we not need to check if the token is valid or not? Is this all managed by Magento internally?


Solution

So, let's go step by step.

  1. You are making a token request using the user credentials: login and password
  2. You are getting the generated token back for current user if the credentials are valid
  3. Now you are able to make requests to the resources in "self" and "anonymous" scope ("admin" scope is only available for admin users)
  4. A GET request to the /rest/V1/customers/me URL with a proper token in the header returns information about current user (the system detects the session by token and returns current user information)

So, you can make any other request allowed for current user using the proper token (retrieved at step 2) in the same way as it is described at step 4. So, the main point here is to pass the proper token in the header for each call you make to the API.

The /rest/V1/customers/me API entry point has "self" ACL access. That means that the customer_id parameter will be retrieved by verifying your token and no additional checks are required. The resources with "self" access are only allowed for current customer and the system will pick up the correct customer based on your token. So, you are not able to set customer_id of another customer while using the resources with "self" access.
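The flow in the answer, as an added example that is not part of the original post and not Magento's own code. The client half composes exactly the two requests from the question (token POST, then a GET with `Authorization: Bearer ...`). The server half is a deliberately simplified stand-in for what Magento does on each request: look the bearer token up, reject the call with 401 if it is unknown or expired, and substitute the token owner's id for `%customer_id%` on a `self` resource so that any customerId the client sends is ignored. Everything in it is assumed: the customer records, the token lifetime, the error messages, the `FakeMagento` class and the `demo()` helper are constructed for this illustration; the transport is injected so the same client code can be pointed at a real host with a real HTTP library.

```python
"""Customer-token flow: client plus a simplified model of the server-side checks.
Added example; FakeMagento is NOT Magento code, only a model of the behaviour
described in the answer (token validated per request, identity taken from token)."""
import json
import secrets
from dataclasses import dataclass, field

TOKEN_PATH = "/rest/V1/integration/customer/token"
ME_PATH = "/rest/V1/customers/me"


class MagentoClient:
    """Builds the two requests from the question. `transport` is any callable
    (method, url, headers, body) -> (status, body), so it can be a real HTTP
    library or the offline FakeMagento below."""

    def __init__(self, base_url, transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.token = None

    def login(self, username, password):
        status, body = self.transport(
            "POST", self.base_url + TOKEN_PATH,
            {"Content-Type": "application/json"},
            json.dumps({"username": username, "password": password}),
        )
        if status != 200:
            raise PermissionError(f"token request failed: {status} {body}")
        self.token = json.loads(body)  # token comes back as a bare JSON string
        return self.token

    def get(self, path):
        if self.token is None:
            raise RuntimeError("call login() first")
        status, body = self.transport(
            "GET", self.base_url + path,
            {"Authorization": f"Bearer {self.token}"}, None,
        )
        if status == 401:
            # The client never verifies the token itself; the server does that
            # on every call, and a 401 is how the client learns it is no longer valid.
            self.token = None
            raise PermissionError(body)
        return json.loads(body)


@dataclass
class FakeMagento:
    """Constructed model of the server: credentials -> token, token -> customer."""
    customers: dict                              # email -> {"id", "password", "firstname"}
    token_lifetime: float = 3600.0               # assumed lifetime in seconds
    tokens: dict = field(default_factory=dict)   # token -> (customer_id, issued_at)
    now: float = 0.0                             # fake clock so expiry is testable

    def __call__(self, method, url, headers, body):
        path = url.split("?", 1)[0]              # query string is never trusted for identity
        path = path[path.index("/rest/"):]       # strip scheme, host and index.php
        if method == "POST" and path == TOKEN_PATH:
            creds = json.loads(body)
            cust = self.customers.get(creds.get("username"))
            if cust is None or cust["password"] != creds.get("password"):
                return 401, json.dumps({"message": "invalid credentials"})  # constructed text
            token = secrets.token_hex(16)
            self.tokens[token] = (cust["id"], self.now)
            return 200, json.dumps(token)
        if method == "GET" and path == ME_PATH:
            customer_id = self._authenticate(headers)
            if customer_id is None:
                return 401, json.dumps({"message": "not authorized to access self"})  # constructed text
            # force="true" on %customer_id%: the id is the token owner's, full stop.
            return 200, json.dumps(self._record(customer_id))
        return 404, json.dumps({"message": "no route"})

    def _authenticate(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return None
        entry = self.tokens.get(auth[len("Bearer "):])
        if entry is None:
            return None                          # forged or revoked token
        customer_id, issued = entry
        if self.now - issued > self.token_lifetime:
            return None                          # expired token
        return customer_id

    def _record(self, customer_id):
        for email, c in self.customers.items():
            if c["id"] == customer_id:
                return {"id": c["id"], "email": email, "firstname": c["firstname"]}


def _rejected(client):
    try:
        client.get(ME_PATH)
    except PermissionError:
        return True
    return False


def demo():
    server = FakeMagento(customers={                       # constructed sample data
        "customer1@example.com": {"id": 7, "password": "customer1pw", "firstname": "One"},
        "customer2@example.com": {"id": 8, "password": "customer2pw", "firstname": "Two"},
    })
    client = MagentoClient("https://magento.host/index.php", server)
    client.login("customer1@example.com", "customer1pw")
    me = client.get(ME_PATH)                               # token owner's record
    still_me = client.get(ME_PATH + "?customerId=8")       # naming another id changes nothing
    client.token = "asdf3hjklp5iuytre"                     # token from the question; never issued here
    forged_rejected = _rejected(client)
    client.login("customer1@example.com", "customer1pw")
    server.now += server.token_lifetime + 1                # move past the lifetime
    expired_rejected = _rejected(client)
    return {"me": me, "still_me": still_me,
            "forged_rejected": forged_rejected, "expired_rejected": expired_rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the model makes concrete: nothing in your own service needs to re-check the token, because the check already happened before your method was called, and under a `self` resource the only identity you can act on is the one the token resolved to. What your code does need to handle is the failure side, a 401 on any call, which means re-authenticating rather than retrying with the same token.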

Licensed under: CC-BY-SA with attribution