如何处理对用 PHP 编写的 API 的授权 [英] How do I handle authorization to an API written in PHP

问题描述

所以我有一个非常简单的服务的想法，它将提供一个 API，我知道如何在 PHP 中编写 REST 风格的 API，但我所做的一切都可以自由访问.对于这个，我想通过密钥/秘密对或基本的 http 身份验证提供访问权限.

So I have this idea for a very simple service that will provide an API and I know how to write REST-ish APIs in PHP but everything I ever done has been freely accessible. For this one I'd like to provide access via either a key/secret pair or basic http auth.

我也不知道该怎么做.

推荐答案

这一切都通过某种形式的 HTTP 标头工作.正常的登录过程通常使用 cookie，因此会发送请求头 Cookie: FOO=owiegwoeugiaweg，服务器接收该请求头.您可以对 API 执行相同的操作，但这通常不是最好的做法.

It all works through HTTP headers in some form or another. A normal login procedure usually uses cookies, so there's the request header Cookie: FOO=owiegwoeugiaweg being sent which the server picks up on. You can do the same for APIs, but it's not usually the best thing to do.

更好的是使用某些标头字段的某种形式的授权，例如 Authorization 标头:

Better is some form of authorization using certain header fields like the Authorization header:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

此标题可以包含您想要的任何内容.您可以使用一些自定义密码散列/密钥交换/任何算法，并要求客户端在 Authorization 标头中发送此信息.如果您愿意，您还可以提出自己的任何自定义标题.

This header can contain anything you want. You can use some custom password hashing/key exchange/whatever algorithm and require the client to send this information in the Authorization header. You could also come up with any custom header of your own, if you like.

对请求进行 REST 完全身份验证的一种好方法是使用请求签名.算法由您决定，但至少应包括当前时间、请求正文和用户特定的密钥，这些密钥被散列在一起以形成签名.

A good way to RESTfully authenticate requests is to use request signing. The algorithm for that is up to you, but should include at least the current time, the request body and a user specific key, which is hashed together to form a signature.

headers:
    Date: Thu, 20 Oct 2011 04:00:48 GMT
    Authorization: MySchema user123:oiquwetfp32900fjp0q93t1039

where:
    Date          = timestamp, must be within 15 mins of server time
    Authorization = MySchema USERNAME:SIGNATURE
    SIGNATURE     = sha1( Date + REQUEST BODY + PASSKEY )

通过这种方式，您实际上是在每次请求时都发送用户的密码，但以不可逆的方式加扰，每个请求都是唯一的，但服务器可以通过重复相同的操作来确认(检查有效时间戳，散列日期标头 + 请求正文 + 用户密码).曾经有很好的文档详细解释了 Amazon Web Services 的这个过程，但我现在找不到了.尝试研究请求签名"以获取更多信息.

This way you're essentially sending the user's passkey with every request, but scrambled in a way that's non-reversible, unique for every request, yet confirmable by the server by repeating the same operations (checking for valid timestamp, hashing the Date header + request body + user's passkey). There used to be good documentation that explained this process in detail for Amazon Web Services, but I can't find it right now. Try researching "request signing" for more information.

在服务器端，您可以在 $_SERVER 数组中找到这些 HTTP 标头.您可以通过 file_get_contents('php://input') 获取的原始请求正文.

On the server side you can find these HTTP headers in the $_SERVER array. The raw request body you can get via file_get_contents('php://input').

这篇关于如何处理对用 PHP 编写的 API 的授权的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！