REST API: Do I need to authenticate log out action?


Question

I'm writing a REST API server (using Rails), and here is a question about session management.

I think for a REST API server, we don't need to save the log in state (or session) for each user. So I just add an authentication token for each user. If they log in, this server will return this token to them, and if they log out, destroy it.

And I'm wondering if it's necessary to authenticate this token destroy action? There might be a malicious user who iterates all possible tokens (maybe!) and wraps them in a DELETE request to my server...

Thanks a lot!

Recommended answer

One of the aspects of restful web services is statelessness as described in the Wikipedia article.

The client–server communication is further constrained by no client context being stored on the server between requests. Each request from any client contains all the information necessary to service the request, and session state is held in the client.

The server should not contain any information about sessions; that means that the authentication information must be contained in each request and no login or logout methods are needed.

Best practice would be providing a resource (like some OAuth2 implementations) that returns a token with a special scope and an expiration time. During the creation process, the token should be stored in the database of the backend. After the token expires, the information must be deleted from the database and the client has to obtain a new copy of the token.

Update:

@Ekkehard, that's exactly what I meant with my comment. Instead of using 'stateful' http sessions with a session id, cookies and a session timeout, the token should be provided by an additional resource.

[...] no client context being stored on the server between requests.

If the client wants to access special services of the backend, it has to send a POST request to the token resource (where the backend stores the new token with a special expiration time in the database).

In the POST request, the client could also provide an additional query parameter, scope, to create a token that only allows you to access special parts of your backend (Google for example provides many different APIs like Google Drive, Google Mail, etc., and if the client is a mail application only access to Google Mail is necessary. It's an additional security feature.).

The response returns the token and the client has to add this token in the header of each request to other resources.

Each request from any client contains all the information necessary to service the request, and session state is held in the client.

The tokens will be verified by the backend based on the information stored in the database.

Token resources could also provide a DELETE http method, to allow the user to delete existing tokens before the end of the expiration time. After the expiration timeout, the tokens will be automatically deleted from the database of the backend.
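The token resource described in this answer, as an added example in Ruby that is not part of the original answer: POST issues a scoped, expiring token, each request is verified against the stored record, and DELETE revokes early. The in-memory Hash, SecureRandom token and SHA-256 digest are assumptions standing in for a Rails model and its database table.

```ruby
require 'securerandom'
require 'digest'

# Constructed example: minimal token resource in the style the answer describes.
# A Rails app would back this with a database table instead of a Hash.
class TokenStore
  Token = Struct.new(:user_id, :scope, :expires_at)

  def initialize(clock: -> { Time.now })
    @tokens = {}   # digest => Token; only the digest is kept server-side
    @clock = clock
  end

  # POST /tokens: issue a high-entropy token with a scope and an expiry.
  # The raw token is returned to the client once and is never stored.
  def create(user_id, scope:, ttl: 3600)
    raw = SecureRandom.hex(32)   # 256 bits: enumerating this space is infeasible
    @tokens[digest(raw)] = Token.new(user_id, scope, @clock.call + ttl)
    raw
  end

  # Verify the token sent in the request header: it must exist, be unexpired,
  # and carry the scope required by the resource being accessed.
  def verify(raw, required_scope:)
    tok = @tokens[digest(raw)]
    return nil if tok.nil?
    if tok.expires_at <= @clock.call
      @tokens.delete(digest(raw))  # expired: remove it, as the answer describes
      return nil
    end
    tok.scope == required_scope ? tok : nil
  end

  # DELETE /tokens: revoke before expiry. The action is authenticated by the
  # token itself: only a client holding the raw token produces the stored digest.
  def delete(raw)
    !@tokens.delete(digest(raw)).nil?
  end

  private

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end
end
```

Because the token is the credential, a DELETE that presents a token the caller does not hold simply finds nothing to delete; the entropy of the token, not a separate login state, is what makes the enumeration in the question impractical.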
