PHP REST API认证 [英] PHP rest API authentication
问题描述
我建立了一个PHP应用程序一个宁静的API。目前,该API将只接受和使用JSON回应。请求,路由和响应全部由框架处理,但我需要建立一个自定义的验证机制。
有两个项目,我想在添加额外的安全性,并避免重放攻击:时间戳和随机数
- 除了这两个项目,我想仔细的检查,以确保我没有错过任何东西从一个安全和可用性点真的很明显。
- 如果ENTITY_ID走在了头,而不是要求?
这是我对认证至今:
函数authenticate_request()
{
$ REQUEST = json_de code(的file_get_contents('PHP://输入'));
$ request_headers = apache_request_headers(); 如果(!使用isset($ request_headers ['X-验证'])OR!使用isset($ request_headers ['X-AUTH-哈希'])){
返回false;
} $ USER =用户:: get_by('PUBLIC_KEY',$ request_headers ['X-验证']); 如果(!$ USER){
返回false;
} //每个请求都必须包含一个有效的实体
如果(使用isset($请求 - > ENTITY_ID)及&放大器; $请求 - > ENTITY_ID大于0){
$这个 - > ENTITY_ID = $请求 - > ENTITY_ID;
}其他{
返回false;
} $实体=实体::发现($这个 - > ENTITY_ID);
如果(!$实体){
返回false;
} //验证哈希
$哈希= hash_hmac('SHA256',$要求,用户可$> PRIVATE_KEY); 如果($哈希!== $ request_headers ['X-AUTH-哈希']){
返回false;
} 返回true;
}
例如卷曲的要求:
$ PUBLIC_KEY ='123';
$ PRIVATE_KEY ='ABC';$数据= json_en code(阵列('ENTITY_ID'=>'3087','DATE_END'=>'2012-05-28'));
$哈希= hash_hmac('SHA256',$数据,$ PRIVATE_KEY);
$头=阵列(
X-验证:'。 $ PUBLIC_KEY,
X-验证散列:。 $哈希
);
$ CH = curl_init(的http://本地主机/ MyApp的/ API /报告/');curl_setopt($ CH,CURLOPT_HTTPHEADER,$头);
curl_setopt($ CH,CURLOPT_POSTFIELDS,$数据);
curl_setopt($ CH,CURLOPT_RETURNTRANSFER,真正的);$结果= curl_exec($ CH);
curl_close($ CH);的print_r($结果);
hash_hmac()预计其第二个参数是一个字符串,你通过你的德codeD 的JSON对象来代替。除此之外,你的做法似乎pretty标准。 ENTITY_ID 也应由HMAC签名的保护,所以我把它放在请求体或您的签名计算将变得更加复杂一点点没有真正的收获。
I'm building a restful API for a php application. At the moment, the API will only accept and respond with json. The request, routing and response is all handled by the framework, but I needed to build a custom authentication mechanism.
There are two items that I wanted to add in for extra security and to avoid replay attacks: a timestamp and a nonce.
- Besides these two items, I wanted a sanity check to ensure that I have not missed anything else really obvious from a security or usability point of view.
- Should the entity_id go in the header instead of the request?
This is what I have for authentication so far:
function authenticate_request()
{
$request = json_decode(file_get_contents('php://input'));
$request_headers = apache_request_headers();
if ( ! isset($request_headers['X-Auth']) OR ! isset($request_headers['X-Auth-Hash'])) {
return false;
}
$user = User::get_by('public_key', $request_headers['X-Auth']);
if ( ! $user) {
return false;
}
// every request must contain a valid entity
if (isset($request->entity_id) && $request->entity_id > 0) {
$this->entity_id = $request->entity_id;
} else {
return false;
}
$entity = Entity::find($this->entity_id);
if ( ! $entity) {
return false;
}
// validate the hash
$hash = hash_hmac('sha256', $request, $user->private_key);
if ($hash !== $request_headers['X-Auth-Hash']) {
return false;
}
return true;
}
Example curl request:
$public_key = '123';
$private_key = 'abc';
$data = json_encode(array('entity_id' => '3087', 'date_end' => '2012-05-28'));
$hash = hash_hmac('sha256', $data, $private_key);
$headers = array(
'X-Auth: '. $public_key,
'X-Auth-Hash: '. $hash
);
$ch = curl_init('http://localhost/myapp/api/reports/');
curl_setopt($ch,CURLOPT_HTTPHEADER,$headers);
curl_setopt($ch,CURLOPT_POSTFIELDS, $data);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
$result = curl_exec($ch);
curl_close($ch);
print_r($result);
hash_hmac() expects its second parameter to be a string, you're passing your decoded JSON object instead. Other than that, your approach seems pretty standard. entity_id should also be protected by the HMAC signature, so I'd keep it in the request body or your signature calculation will get a little bit more complicated for no real gain.
这篇关于PHP REST API认证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
