REST API登录方法 [英] REST API Login approach
问题描述
我们正在建立需要所有网页的登录信息的系统。该应用程序设计为使用codeigniter作为 Phil Sturgeon 库的Restful应用程序。此库仅使用API Key通过HTTPS连接上的每个请求发送api调用来授权api调用。
即使它使用双向验证或只有API密钥。我搜索一段时间是以下场景:
- 用户首次请求应用程序(例如: https://www.xyz.com ),那么系统会将其重定向到登录页面以检查凭据
- 用户输入usernam / password并通过POST通过https
-
服务器检查信息是否有效,然后:
-
API KEY应由服务器作为由此用户名标识的资源提供给客户端(这里是问题!!!! )
> - 1)我可以使用会话Cookie并在Cookie中恢复API KEY,然后对每个请求使用此API KEY(这是暴力的无国籍的休息和 2)实际上我不知道其他选项:)如果你能帮助
li> -
例如,当我发现并阅读许多文章时,这将是一个很大的帮助。
:)
由于连接是HTTPS,因此您通过线路发送的任何内容都是安全的(理论上是假设您不是 mitm 'd)。不确定整个API是否通过HTTPS提供(您没有指定),因此即使您可以返回密钥作为登录的一部分(仍在HTTPS的保护下),如果api的其余部分不是HTTPS,密钥可以在下一个请求上被嗅探。
会话和Cookie通常不是RESTful应用程序的一部分; REST是无状态的。
类似旋转键的键会更适合非HTTPS(也适用于HTTPS)。您通过HTTPS登录,服务器返回api密钥,您在下一个请求中使用它,服务器返回新的api密钥,您使用它在下一个请求等。虽然它比单一的api键比非HTTPS更好,它不是完美的。如果有人嗅探了其中一个后续请求的响应,并且没有消耗该密钥,他们可以使用它。这会将攻击向量收缩为从服务器到客户端的非HTTPS响应,因为如果从客户端到服务器的请求被嗅探,api密钥将已被您的合法请求消耗。但是,如果您不通过HTTPS提供api,应该采取更多措施来保护api。
如果是api,我会查看请求签名+ https。这里有一些请求签名的说明: http://stackoverflow.com/a/8567909/183254
客户端上的一个伪代码示例js函数
function get_calendar(){
var key = $('#api_key')。value();
$ .ajax({
type:'get',
url:'/index.php/api/calendar?key='+ key,
success:function ){
//显示日历
// ...
//在id为api_key的隐藏字段中接收到api键
$('#api_key')。value .api_key)
}
})
}
示例控制器方法:
function calendar_get($ api_key =''){
if($ api_key_matches){//验证传入的api键
$ r = array();
$ r ['calendar'] = $ this-> some_model-> get_calendar();
$ r ['api_key'] = $ this-> _generate_api_key(); //生成或获取api键
}
$ this-> response($ r);
}
We are building system that required login information for all pages. the application is designed to be Restful application using codeigniter as Phil Sturgeon library. This library is using API Key only to authorize api calls via sending it with every request over HTTPS connection.
Even if it using 2 way authentication or only API Key. What i am searching for a while is the following scenario:
- User request the application for the first time (ex: https://www.xyz.com) then it will be redirected to the login page to check credentials
- User enter the usernam/password and sent it via POST over the https
Server check if the information is valid then:
API KEY should be provided by the server to the client as a resource identified by this username (Here is the question???!!!)
How to send the API Key to the client in a secure way?
- 1) Could i use session-cookies and restore the API KEY in a cookie then use this API KEY on every coming request (This is violent the Stateless of the Rest and i don't sure if it securely enough).
- 2) Actually i don't know other options :) it's your turn if you could help
If you could give an example it would be a great help as i found and read lots of articles
:)
Since the connection is HTTPS, anything you send over the wire is secure (theoretically and provided you aren't being mitm'd). Not sure if the whole API is served over HTTPS (you didn't specify), so even though you could return the key as part of the login (while still under the umbrella of HTTPS), if the rest of the api isn't HTTPS, the key could be sniffed on the next request.
Sessions and cookies aren't typically part of a RESTful application; REST is stateless.
Something like a revolving key would be better for non-HTTPS (would work with HTTPS too). You login via HTTPS, server returns the api key, you use it on the next request, server returns new api key, you use it on the next request and so on. While it's better than a single api key over non-HTTPS, it's not perfect. If someone sniffs the response from one of the subsequent requests and you don't end up consuming that key, they can use it. This shrinks the attack vector to a non-HTTPS response from server to client since if a request from client to server is sniffed, the api key will have already been consumed by your legitimate request. However, more should be done to secure the api if you aren't serving it over HTTPS.
If it were me, I'd look into request signing + https. There's some talk of request signing here: http://stackoverflow.com/a/8567909/183254
There's also some info on digest auth at the Securing the API section of http://net.tutsplus.com/tutorials/php/working-with-restful-services-in-codeigniter-2/
An pseudo-code example js function on the client
function get_calendar(){
var key = $('#api_key').value();
$.ajax({
type: 'get',
url: '/index.php/api/calendar?key=' + key,
success: function(response){
// show calendar
// ...
// set received api key in hidden field with id api_key
$('#api_key').value(response.api_key)
}
})
}
Example controller method:
function calendar_get($api_key = ''){
if($api_key_matches){//verify incoming api key
$r = array();
$r['calendar'] = $this->some_model->get_calendar();
$r['api_key'] = $this->_generate_api_key();// generate or get api key
}
$this->response($r);
}
这篇关于REST API登录方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
