How would you go about authentication for sharing classes between a public api and site?

So right now I have, for example, a class setup for users:

userClass.php

class User {
    s开发者_Python百科tatic functionlistAll($params) {
        return (Array of all users);
    }
}

it is used for the api:

/api/users.php

include('userClass.php');
echo json_encode(User::listAll($_GET));

and then the class is also used internally for the site as well.

Now it gets more complicated when authentication is required. The id of the user logged into the site is stored in $_SESSION['uid'], and each app that authenticates with it is granted an access key. How would authentication work for a class setup such as this?

Do you really want to create an API that can list all users on your website? This doesn't seem like a good idea. But as for the authentication bit, that can be quite tricky to get right, and shouldn't be rushed. Simply storing a unique ID is a bad idea, because then all it takes is for someone to change the ID, and voilla, they can authenticate as somebody else. Your basic idea is right, but you need some sort of digital signature (that differs from user to user) that proves that your website set the ID, and not some hacker trying to authenticate as somebody else. You probably want to change this signature frequently, so that even if someone captures a transaction with your website, they can't forge the ID.

Even better than manually authenticating, though, why not let someone else deal with it? One of the worst things about today's websites is having to create a new username and password. Why not use OAuth and FacebookConnect, and then any user who has a Google Account, a Facebook Account, or any OpenID account can automatically sign into your website using their pre-existing credentials.