Question

What's a good way to implement api keys for accessing specific controller actions using Zend MVC?

I currently have Zend_Acl in combination with Zend_Auth using session cookies, but I want some actions to be crontabbed, while password protected through Zend_Acl + Zend_Auth (typically an action to read from the database etc. to refresh a cache).

How can I utilize Zend_Acl to keep track of api keys for login, and read the correct identity/role from Zend_Auth based on these?

Solution

Zend_Auth will handle most of the authentication for you. Use something along the lines of

$auth = Zend_Auth::getInstance();
if (!$auth->hasIdentity()) {
    // call a custom login action helper to try login with GET-params
}
if ($auth->hasIdentity()) {
    // identity as returned by the Zend_Auth adapter (e.g. user id)
    $identity = $auth->getIdentity();
    //...
}

Now you can determine the Zend_Acl_Role based on the identity. I always create a new role for each user and let this role 'inherit' all generic roles that the user actually has.

// specific user with $identity is given the generic roles staff and marketing
$acl->addRole(new Zend_Acl_Role('user'.$identity), array('staff', 'marketing'));

Of course you can retrieve the array of roles from a database. Then you have to specify the rights of each role. You can hard-code that or save this information in a database as well.

$acl->allow('marketing',
        array('newsletter', 'latest'),
        array('publish', 'archive'));

In your controller you can now check

$acl->isAllowed('user'.$identity, Zend_Acl_Resource ...)

If you have a more complex access control where the rights depend on the information inside some classes (probably MVC models), have these classes implement the Zend_Acl_Resource_Interface. Then you use this class as a parameter of a Zend_Acl_Assertion and handle the information there.
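The "custom login" step the answer leaves open, as an added example that is not part of the original answer or of Zend Framework: a Zend_Auth adapter that authenticates a request by API key, plus the role set-up described above. It assumes Zend Framework 1 autoloading, PHP 5.6+ for hash_equals(), a constructed key table, and that the lower part runs inside a controller action; the header name, role and resource names are illustrative.

```php
<?php
// Added example, not from the original answer. Identity => sha256 hash of the key.
class Api_Auth_Adapter_Key implements Zend_Auth_Adapter_Interface
{
    private $key;
    private $keyTable;

    public function __construct($key, array $keyTable)
    {
        $this->key = (string) $key;
        $this->keyTable = $keyTable;
    }

    public function authenticate()
    {
        $given = hash('sha256', $this->key);
        foreach ($this->keyTable as $identity => $storedHash) {
            // Constant-time comparison: do not leak which key bytes matched via timing.
            if (hash_equals($storedHash, $given)) {
                return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $identity);
            }
        }
        return new Zend_Auth_Result(Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID, null,
            array('Unknown API key'));
    }
}

// Constructed sample table: only hashes are stored, the raw key lives in the cron job.
$keyTable = array('cron-cache' => hash('sha256', 'REPLACE-WITH-RANDOM-KEY'));
$rolesOf  = array('cron-cache' => array('staff'));   // generic roles per identity

$auth = Zend_Auth::getInstance();
if (!$auth->hasIdentity()) {
    // A header is preferable to a GET parameter: query strings end up in access logs.
    $key = $this->getRequest()->getHeader('X-Api-Key');
    if ($key !== false) {
        // Key-authenticated requests should not start a session cookie.
        $auth->setStorage(new Zend_Auth_Storage_NonPersistent());
        $auth->authenticate(new Api_Auth_Adapter_Key($key, $keyTable));
    }
}

if ($auth->hasIdentity()) {
    $identity = $auth->getIdentity();
    $acl = new Zend_Acl();
    $acl->addRole(new Zend_Acl_Role('staff'));
    $acl->addRole(new Zend_Acl_Role('user' . $identity), $rolesOf[$identity]);
    $acl->addResource(new Zend_Acl_Resource('cache'));
    $acl->allow('staff', 'cache', 'refresh');
    if (!$acl->isAllowed('user' . $identity, 'cache', 'refresh')) {
        throw new Zend_Controller_Action_Exception('Forbidden', 403);
    }
    // ... refresh the cache here
}
```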

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow