Phonegap Authentication without username/password

Problem description

I have a PhoneGap app and I want only my app users to access the API from which I am getting the data.

I am using PHP as my back end.

What I did was create a key and authenticate the key on the server. But the key is hard-coded in the app, meaning someone can look at the code, figure out the key, pass it as a parameter and gain access to my API, which I don't want.

Furthermore, the key can also be seen by using a proxy.

Is there a way to dynamically generate the key on both the app and the server so it gets authenticated? Or some other way?

I don't want the user to give any kind of username/password.

I don't want the user to register or log in. The user has no role in the authentication. I am authenticating the app.

Recommended answer

Yes, sure, this can be done,

But there are several things before you start.


  • Create a new table to store all the API keys, which we are going to generate per user when they register through the app.

PHP side:


  • Grab the user's password or any unique thing, e.g. the UDID on Android; on iOS they have restricted access to the UDID and you might have to store some uniquely generated ID in the keychain.
  • Then, when we have the password and UDID, you can put them together (or any way you want), encrypt with SHA1 (or any encryption algorithm) and save it to the API key table.
  • Every time a request hits the API, you can grab the API key from the header and validate it with the database and see.

App side:


  • When the user logs in through the app, if it is successful, pass the API key to the user and save it inside the app for further use.
  • Also, when you're going to request the data from the API, you can retrieve the API key stored inside the app, then put it as a header in the request and send.

Some extra things:


  • Also, you can create a private key on both sides (server and app), then store it in the API key table and encrypt the request, which only the server and app know, using the private keys stored on both sides.
  • Also, you can go for advanced authentication like OAuth.
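
The shared-secret idea from the "extra things" list, shown as an added example that is not part of the original answer: it signs each request with HMAC-SHA256 rather than encrypting it, and issues a random per-install secret at registration rather than hashing a password or device ID. The header names, function names and the 300-second window are assumptions, both sides run in Node.js here, and the `Map` stands in for the API key table.

```javascript
// Added example (Node.js): per-install secret plus HMAC-signed requests.
const crypto = require('node:crypto');

const MAX_SKEW_SECONDS = 300;   // assumed freshness window
const apiKeyTable = new Map();  // stands in for the API key table: keyId -> secret
const seenNonces = new Set();   // nonces already accepted (expire these in production)

// Server, at registration: issue random values instead of hashing a device ID.
function registerInstall() {
  const keyId = crypto.randomBytes(8).toString('hex');
  const secret = crypto.randomBytes(32).toString('hex');
  apiKeyTable.set(keyId, secret);
  return { keyId, secret };     // returned once to the app over TLS
}

// Unambiguous encoding of everything the signature covers.
function mac(secret, method, path, ts, nonce, body) {
  const msg = JSON.stringify([method, path, ts, nonce, body]);
  return crypto.createHmac('sha256', secret).update(msg).digest();
}

// App: the secret stays on the device; only keyId and the signature travel.
function signRequest(creds, method, path, body, nowMs = Date.now()) {
  const ts = String(Math.floor(nowMs / 1000));
  const nonce = crypto.randomBytes(12).toString('hex');
  const sig = mac(creds.secret, method, path, ts, nonce, body).toString('hex');
  return { 'x-key-id': creds.keyId, 'x-timestamp': ts, 'x-nonce': nonce, 'x-signature': sig };
}

// Server, on every request: look up the key, check freshness, MAC, then replay.
function verifyRequest(headers, method, path, body, nowMs = Date.now()) {
  const secret = apiKeyTable.get(headers['x-key-id']);
  if (!secret) return 'unknown-key';
  const ts = Number(headers['x-timestamp']);
  if (!Number.isFinite(ts) || Math.abs(nowMs / 1000 - ts) > MAX_SKEW_SECONDS) return 'stale';
  const nonce = String(headers['x-nonce'] || '');
  const expected = mac(secret, method, path, headers['x-timestamp'], nonce, body);
  const given = Buffer.from(String(headers['x-signature'] || ''), 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return 'bad-signature';
  }
  const replayKey = headers['x-key-id'] + ':' + nonce;
  if (seenNonces.has(replayKey)) return 'replay';
  seenNonces.add(replayKey);
  return 'ok';
}
```

A request captured through a proxy carries only the key ID and a one-time signature, so replaying it or changing its body is rejected; the secret itself still has to be protected on the device.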
