CakePHP Authentication on REST API

Question

So I'm creating a REST API for a web app I'm developing, and I know the basic ways for authentication are either sending the credentials on each request or sending a token.

Since I have never used tokens before, I think I may send the credentials for each request. The point is I can't find any examples on how to handle this in the controller. Would it be something like this?

public function api_index() {
    if(!$this->Auth->login()) return;

    $this->set(array(
        'models' => $this->Model->find('all'),
        '_serialize' => array('models')
    ));
}

I don't really think this is the way AuthComponent::login() works, can I get some directions here please?

Recommended answer

Alright, first a clarification about how AuthComponent::login works. In Cake 2.x that method does not do any authentication, but rather creates the Auth.User array in your session. You need to implement the actual authentication yourself (the User model is a natural place to do this). A basic authentication method might look like this:

App::uses('AuthComponent', 'Controller/Component');

// In the User model
public function authenticate($data) {
    // Look the user up by login name
    $user = $this->find('first', array(
        'conditions' => array('User.login' => $data['login']),
    ));
    // Reject unknown logins and wrong passwords alike
    if (empty($user) || $user['User']['password'] !== AuthComponent::password($data['password'])) {
        return false;
    }

    unset($user['User']['password']);  // don't forget this part
    return $user;
    // the reason I return the user is so I can pass it to AuthComponent::login if desired
}

Now you can use this from any controller as long as the User model is loaded. You may be aware that you can load it by calling Controller::loadModel('User').

If you want to authenticate every request, then you should put this in the beforeFilter method of AppController:

public function beforeFilter() {
    $this->loadModel('User');
    if(!$this->User->authenticate($this->request->data)) {
        throw new UnauthorizedException(__('You don\'t belong here.'));
    }
}

All of the above assumes that you pass POST values for login and password every time. I think token authentication is definitely the better way to go, but for getting up and running this should work. Some downsides include sending the password in cleartext (unless you require SSL) on every request and the probably high CPU usage of the hashing algorithm each time. Nevertheless, I hope this gives you a better idea of how to do authentication with CakePHP.

Let me know if something needs clarifying.

Update: Since posting this, I found out that you can actually use AuthComponent::login with no parameters, but I am not a fan of doing so. From the CakePHP documentation:

In 2.x $this->Auth->login($this->request->data) will log the user in with 
 whatever data is posted, whereas in 1.3 $this->Auth->login($this->data) 
 would try to identify the user first and only log in when successful.
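
The token approach the answer recommends, shown as an added example in plain PHP (7.0 or later); it is not part of the original answer or of CakePHP. The function names, the one-hour lifetime and the in-memory `$store` array (standing in for a tokens table) are assumptions made for illustration.

```php
<?php
// Added example: opaque bearer tokens, so the password is sent once at login
// and never again. All names below are hypothetical, not CakePHP API.

const TOKEN_TTL = 3600; // assumed lifetime in seconds

// Call once, after the login/password check has succeeded.
function issueToken(array &$store, $userId, $now)
{
    $token = bin2hex(random_bytes(32));      // 256 bits from the CSPRNG
    // Store only the digest: a leaked table does not yield usable tokens.
    // A fast hash is enough here because the token is random, not a password,
    // so the per-request cost stays low.
    $store[hash('sha256', $token)] = array(
        'user_id' => $userId,
        'expires' => $now + TOKEN_TTL,
    );
    return $token;                           // handed to the client once
}

// Call on every request with the Authorization header value.
// Returns the user id, or false when the request must be rejected.
function authenticateToken(array &$store, $header, $now)
{
    if (!preg_match('/^Bearer ([0-9a-f]{64})$/', (string) $header, $m)) {
        return false;                        // missing or malformed header
    }
    $digest = hash('sha256', $m[1]);
    if (!isset($store[$digest])) {
        return false;                        // unknown or revoked token
    }
    if ($store[$digest]['expires'] <= $now) {
        unset($store[$digest]);              // expired: forget it
        return false;
    }
    return $store[$digest]['user_id'];
}

// Constructed demo data: user id 42 and a fixed clock value.
$store = array();
$t0 = 1700000000;
$token = issueToken($store, 42, $t0);

var_dump(authenticateToken($store, "Bearer $token", $t0 + 10));        // valid token
var_dump(authenticateToken($store, 'Bearer ' . str_repeat('0', 64), $t0 + 10)); // unknown token
var_dump(authenticateToken($store, 'Basic abc', $t0 + 10));            // wrong scheme
var_dump(authenticateToken($store, "Bearer $token", $t0 + TOKEN_TTL)); // expired token
```

The token is a credential in its own right, so the cleartext concern the answer raises for passwords applies to it as well: it only belongs on requests made over SSL/TLS.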
