Codeigniter auth key for REST service
Question
I'm writing a simple RESTful service, using Phil Sturgeon's Rest Server. I want to protect my methods by using the API key provided with this library.
Unfortunately, this is not very well documented and I'm a bit lost.
I want to authenticate users (email/password), then generate an auth key to send on every other request. But it seems that I already need the auth key to generate one ... Creating a dummy key does not seem very secure. Sorry if it is a dumb question, but what should be the best practice?
Recommended answer
If you are familiar with other APIs you'll notice a common pattern. I recommend an authenticate method where the user passes their email and password, which returns a generated unique auth key. The auth key would be like a session id; think of how cookies work. Then all the other API methods should check $this->post('auth'), and you need to compare this with your session handler (i.e. database or sessions) before you process each request.
Seems like a lot of code, huh? Nope.
All your models should have an overloaded constructor:
class MyAPIController extends Rest_controller
{
    public function __construct()
    {
        parent::__construct();
        // Reject the request before any API method runs if the key is missing or invalid.
        if (!authCheck($this->post('auth'))) {
            returnFailedResponse(); // sends the 401 Unauthorized response
            exit();
        }
    }
}
Then write your API normally, like in the examples on Phil Sturgeon's website. http://net.tutsplus.com/tutorials/php/working-with-restful-services-in-codeigniter-2/
Make a model that has authCheck to test that the auth key is valid, and make a method for returnFailedResponse to return a 401 Unauthorized.
In another controller, let's call it 'Auth', use the above constructor.
Now every call to your API should set a header for the Auth. Ex. 'Auth: 12m34k23b'.