Meteor RESTful Authentication. Is it possible?
Problem description
I have searched around but can't find a satisfactory answer to this question.
I have a meteor website where users log in and create content. I also want to create a phone app, that is capable of interacting with the website, and I want the users to log into the phone app and access the same content on the website. Pretty normal.
I have created a basic REST API for accessing the collections using the meteorite package HTTP.publish. It is working without any user info (no auth), but now I want to use the userId of the GET methods and in the Meteor.allow rules of the collections to access the current user.
So I am currently struggling with how to tell meteor on a REST request, the id of the user, even while just testing. I thought I could get the Accounts._storedLoginToken of a valid user in the browser and use that to test with CURL. Something like
curl -H "X-Auth-Token: asdklfjasldfjlsadkjf" -H "Content-Type: application/json" -d '{"name":"A Name","description":"Testing description"}' http://localhost:3000/api/places
I tried this, but no joy, I get a 403 which is good at least.
My questions are these:
- Are the tokens created specific to the client (ie hashed with host url or something)?
- Has bcrypt changed the way X-Auth-Token is used? If not what am I doing wrong in the curl command.
- Is DDP the ONLY way to create valid tokens or can I create a API call that will create a token on the server, even just passing plain text credentials for now?
eg /api/login?user=shane&pwd=qwerty => return token I can use in curl request.
I am really stuck with this so anything pointing me in the right direction would be appreciated. I also note the http.publish has not yet created the login/logout methods, so maybe it's not that easy.
Recommended answer
A few days ago I started on an app with similar requirements regarding authentication. I found that Differential's RESTstop2 recently, in version 0.6.0, upgraded their authentication support to support the newly added Bcrypt encryption in Meteor.
You simply send username and password either as URL params or body like this:
curl --data "password=testpassword&user=test" http://localhost:3000/api/login/
and the server will return the following (if credentials are correct):
{ success: true, loginToken: "f2KpRW7KeN9aPmjSZ", userId: fbdpsNf4oHiX79vMJ }
On each request you make to the server, include the loginToken and userId as headers.
You should check it out:
Docs: http://github.differential.io/reststop2/
Github: https://github.com/Differential/reststop2
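As an added illustration (not code from the question, the answer, or RESTstop2), this is how a server can resolve the user from a loginToken and userId sent as headers. The stored-token layout follows Meteor's services.resume.loginTokens entries, which hold a base64 SHA-256 hash rather than the raw token; the header names, the 90-day lifetime and the sample users are assumptions.

```javascript
const nodeCrypto = require("node:crypto");

// Meteor keeps resume tokens as base64(SHA-256(token)), never the raw token,
// so a leaked users collection does not hand out usable sessions.
function hashLoginToken(token) {
  return nodeCrypto.createHash("sha256").update(token).digest("base64");
}

const MAX_AGE_MS = 90 * 24 * 60 * 60 * 1000; // assumed token lifetime (90 days)

// Resolve the caller from the two headers; returns the userId or null.
// `users` is a Map of userId -> user document (stand-in for the users collection).
// Header names are assumptions; Node lower-cases incoming header names.
function authenticate(headers, users, now = Date.now()) {
  const userId = headers["x-user-id"];
  const token = headers["x-login-token"];
  if (typeof userId !== "string" || typeof token !== "string") return null;

  const user = users.get(userId);
  const stored = user?.services?.resume?.loginTokens ?? [];
  const presented = Buffer.from(hashLoginToken(token));

  for (const entry of stored) {
    const candidate = Buffer.from(entry.hashedToken);
    const fresh = now - entry.when.getTime() <= MAX_AGE_MS;
    // timingSafeEqual throws on unequal lengths, so check length first.
    if (fresh && candidate.length === presented.length &&
        nodeCrypto.timingSafeEqual(candidate, presented)) {
      return userId;
    }
  }
  return null; // unknown user, wrong token, or expired token
}

// Constructed sample data: one user holding a recent token and an expired one.
const NOW = Date.parse("2014-07-01T00:00:00Z");
const sampleUsers = new Map([
  ["user123", { services: { resume: { loginTokens: [
    { hashedToken: hashLoginToken("fresh-token"), when: new Date(NOW - 1000) },
    { hashedToken: hashLoginToken("stale-token"), when: new Date(NOW - 2 * MAX_AGE_MS) },
  ] } } }],
]);

console.log(authenticate(
  { "x-user-id": "user123", "x-login-token": "fresh-token" }, sampleUsers, NOW));
```

Because only the hash is stored, a token is checked by hashing the presented value and comparing it with the stored hash.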