Meteor RESTful Authentication. Is it possible?

Question

I have searched around but can't find a satisfactory answer to this question.

I have a meteor website where users login and create content. I also want to create a phone app, that is capable of interacting with the website, and I want the users to log into the phone app and access the same content on the website. Pretty normal.

I have created a basic REST API for accessing the collections using the meteorite package HTTP.publish. It is working without any user info (no auth), but now I want to use the userId of the GET methods and in the Meteor.allow rules of the collections to access the current user.

So I am currently struggling with how to tell meteor on a REST request, the id of the user, even while just testing. I thought I could get the Accounts._storedLoginToken of a valid user in the browser and use that to test with CURL. Something like

curl -H "X-Auth-Token: asdklfjasldfjlsadkjf" -H "Content-Type: application/json" -d '{"name":"A Name","description":"Testing description"}' http://localhost:3000/api/places

I tried this, but no joy, I get a 403 which is good at least.

My questions are:

  • Are the tokens created specific to the client (i.e. hashed with host url or something)?
  • Has bcrypt changed the way X-Auth-Token is used? If not, what am I doing wrong in the curl command?
  • Is DDP the ONLY way to create valid tokens or can I create an API call that will create a token on the server, even just passing plain text credentials for now?

eg /api/login?user=shane&pwd=qwerty => return token I can use in curl request.

I am really stuck with this so anything pointing me in the right direction would be appreciated. I also note the http.publish has not yet created the login/logout methods, so maybe it's not that easy.

Recommended answer

A few days ago I started on an app with similar requirements regarding authentication. I found that Differential's RESTstop2 recently, in version 0.6.0, upgraded their authentication support to support the newly added Bcrypt encryption in Meteor.

You simply send username and password either as URL params or body like this:

curl --data "password=testpassword&user=test" http://localhost:3000/api/login/

and the server will return the following (if credentials are correct):

{ success: true, loginToken: "f2KpRW7KeN9aPmjSZ", userId: fbdpsNf4oHiX79vMJ }

On each request you make to the server, include the loginToken and userId as headers.

You should check it out:

Documentation: http://github.differential.io/reststop2/

GitHub: https://github.com/Differential/reststop2
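
What a server has to do with those two headers on each request, as an added example that is not part of the original answer and not RESTstop2's own code. It relies on Meteor storing resume tokens as base64 SHA-256 hashes under services.resume.loginTokens; the header names, the in-memory users array, the 90-day lifetime and all sample values are assumptions constructed for illustration.

```javascript
// Added example: server-side check of the loginToken/userId request headers.
const nodeCrypto = require('crypto');

// Meteor keeps only a SHA-256 (base64) hash of each resume token in the database.
function hashLoginToken(token) {
  return nodeCrypto.createHash('sha256').update(token).digest('base64');
}

// Constructed sample user document, shaped like an entry in Meteor's users collection.
const users = [{
  _id: 'constructedUserId01',
  services: { resume: { loginTokens: [
    { hashedToken: hashLoginToken('constructed-token-123'),
      when: new Date('2024-01-01T00:00:00Z') },
  ] } },
}];

const TOKEN_LIFETIME_MS = 90 * 24 * 60 * 60 * 1000; // assumed 90-day token lifetime

// Header names are assumptions; use whatever your REST layer actually defines.
function authenticate(headers, now = new Date()) {
  const userId = headers['x-user-id'];
  const token = headers['x-login-token'];
  if (typeof userId !== 'string' || typeof token !== 'string') return null;

  // The token must belong to the claimed user, not merely exist somewhere.
  const user = users.find((u) => u._id === userId);
  if (!user) return null;

  const presented = Buffer.from(hashLoginToken(token));
  const match = user.services.resume.loginTokens.find((t) => {
    const stored = Buffer.from(t.hashedToken);
    // timingSafeEqual requires equal lengths; compare in constant time.
    return stored.length === presented.length &&
      nodeCrypto.timingSafeEqual(stored, presented) &&
      now - t.when < TOKEN_LIFETIME_MS; // reject expired tokens
  });
  // null means: answer 401, never fall back to an anonymous userId.
  return match ? user._id : null;
}
```

Send the login request and the token headers over HTTPS only, and prefer the request body over URL parameters for the password, since URLs are commonly written to access logs.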
