How to Limit REST API to User-Specific Content


Problem description

I have a fairly simple API setup on a MEAN stack using PassportJS. I have no problems setting up my routes with no security (grabbing general data) and with user authentication (secure information). However, I cannot seem to find best practices for granted user-based access.

For example: /api/users/:id is a route that requires authentication. So you can never get user information without an access token.

However, once I have a token, I can simply send that with a request and someone ELSE's id to access their content instead of their own. Albeit the ids are long messy things, if someone were to get a person's ID from the system, they only need their own password to access that data.

I considered saving the token in a new collection called sessions and doing additional verification to match the token/userId combo. But I don't know if that's the best practice.

Does Passport handle that auto-magically and I missed that part?

Thanks, Wayne

Recommended answer

You already have authentication put in place, so what you now need to implement is authorization.

Authentication: Validating an identity as true or false—generally used to verify that a user is who he/she says they are. Most commonly achieved through a username/password combination, but the same principle applies to other forms of authentication like secret questions, secret links, biometric identification, etc.

Authorization: Specifying which resources a user (with a given identity) should be allowed to access.

(Source: Auth0 Identity Glossary)

If your authentication system is designed correctly, the access token presented in order to be granted initial access to the /api/users/:id endpoint will allow you to know which user is calling your application, so what you now need to do is implement the business rules that dictate which data the user can access on each individual endpoint.

For the /api/users/:id case, if you want users to only be allowed to access their own data, the rule might be as simple as checking that the user identifier requested on the API route matches the user identifier associated with the access token. Given that the access token needs to be implemented in such a way that it cannot be tampered with, you guarantee that only the correct user is granted access to the data.
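The ownership rule described in the answer, written as an Express-style middleware. This is an added example, not code from the question or the answer; it assumes Passport has already authenticated the request and populated `req.user` with an `id` field, and the `fakeRes`/`check` helpers exist only so the middleware can be exercised without a running server.

```javascript
// Authorization middleware for routes such as /api/users/:id.
// Assumption: an earlier Passport strategy has set req.user = { id: ... }.
function requireOwner(paramName = 'id') {
  return function (req, res, next) {
    // Authentication must have run first; without an identity there is nothing to compare.
    if (!req.user || req.user.id == null) {
      return res.status(401).json({ error: 'authentication required' });
    }
    // Compare as strings so a Mongo ObjectId and its string form match consistently.
    const requested = String(req.params[paramName]);
    const caller = String(req.user.id);
    if (requested !== caller) {
      // Valid token, but it belongs to a different user than the one requested.
      return res.status(403).json({ error: 'forbidden' });
    }
    return next();
  };
}

// Minimal stand-in for an Express response object (constructed for this example).
function fakeRes() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Runs the middleware against a constructed request and reports whether it passed
// and which status code was set when it did not.
function check(user, paramId) {
  const req = { user, params: { id: paramId } };
  const res = fakeRes();
  let passed = false;
  requireOwner('id')(req, res, () => { passed = true; });
  return { passed, status: res.statusCode };
}

// In an Express app the middleware would sit after the authentication step, e.g.:
//   app.get('/api/users/:id',
//           passport.authenticate('jwt', { session: false }),
//           requireOwner('id'),
//           showUser);   // showUser is an assumed route handler
```

A role check (for example letting an administrator read any record) would be a separate rule layered on top of this one; keeping authentication and authorization as distinct middleware makes each rule easy to test on its own.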

