Symfony2中从外部Web API存储访问和刷新令牌的位置在哪里? [英] Where to store access and refresh token from external web API in Symfony2?
问题描述
我创建了一个简单的Symfony2项目,该项目允许员工登录并检查新闻和其他内容.然后,我想集成一个外部系统,以显示员工是否在工作.我无法控制其他系统,但是获得了Web API(REST),以便可以检索所需的信息.
I have created a simple Symfony2 project which allows employees to log in and check news and other stuff. Then I wanted to integrate an external system that shows whether the employee is at work or not. I have no control over the other system but I got an web API (REST) so that I may retrieve the information needed.
我决定使用 GuzzleBundle 作为PHP HTTP客户端来获取我需要的信息,因为帖子(stackoverflow)中的答案.
I decided to use GuzzleBundle as the PHP HTTP Client to get the information I need because of the answers in this post (stackoverflow).
因此,我登录了Web API所需的内容:
So I logged in which is required by the web API:
$client = new GuzzleHttp\Client();
$req = $client->request("POST", "https://httpbin.org/login", ['body' => ['user' => 'user', 'pw' => 'pw']]);
$response = json_decode($req->getBody()->getContents());
然后我使用了$ response提供的访问令牌:
And then I used the provided access token from $response:
{
"success": true,
"content": [
{
"accessToken": "x",
"accessTokenExpires": "date",
"refreshToken": "z",
"refreshTokenExpires": "date"
}]
}
要检索所需的信息,
$reqPara = ['body' =>["accessToken" => $at, "department" => $department, "location" =>$location]];
$req = $client->request("POST", "https://httpbin.org/employees/atwork", $reqPara);
$response = json_decode($req->getBody()->getContents());
我得到了我想要的东西:
And I got what I wanted:
{
"success": true,
"content": [
{
"employee": "a",
"status": "at work",
},
{
"employee": "b",
"status": "not at work",
}
]
}
当然,我每次想知道员工是否在工作时都可以登录,但是当我可以使用访问令牌时,这似乎是一种浪费.但是,当访问令牌过期时,我又需要刷新令牌来生成新令牌,但是我应该在哪里存储这些令牌并在以后重新使用它们呢?在数据库或配置文件中?是否存在为此的标准?
And of course I can login each time I want to know if the employees is at work but that seems like a waste when I can use the access token. But then again when the access token expires I need the refresh token to generate new tokens but where do I store these tokens and re-use them later? In a database or config file? Does it exist a standard for this?
推荐答案
Dmitry Malyshenko 回答了我需要做的听到. 很明显,此令牌必须缓存,而不是存储在配置中.如何缓存-完全由您决定..."
Dmitry Malyshenko answered what I needed to hear. "It's obvious that this token must be cached, not stored in configuration. How it would be cached - it totally up to you..."
有效解决方案的示例:
- 存储一些文件
- 存储在数据库中
- 仅存储在内存中(作为 您班级的财产)
- 存储在某些键值存储中(redis, 内存缓存)
- store in some file
- store in a database
- store just in memory (as a property of your class)
- store in some key-value storage (redis, memcache)
我本应该使用 CacheComponent ,但是我目前不在Symfony中进行开发3.1所以我决定将其存储在一个最自然的数据库中.首先,我在mysql数据库中创建了一个包含用户名,密码和令牌的表.然后,我创建了专用于该表的服务.看起来像这样的简化代码:
I would have used CacheComponent but I am currently not developing in Symfony 3.1 so I decided to store in a database which felt most naturally. First I created a table with username, password and tokens in a mysql-database. Then I created a service dedicated to that table. It looks something like this simplified code:
class ExternalSiteService
{
public function getUsername() {
...
}
public function getPassword() {
...
}
public function getAccessToken() {
...
}
public function setAccessToken($newAccessToken) {
...
}
public function getRefreshToken() {
$query="SELECT "
. "eapi.refreshtoken "
. "FROM external_api eapi";
$connection = $this->em->getConnection();
$statement = $connection->prepare($query);
$statement->execute();
$results = $statement->fetchAll();
if ( $results ) {
return $results;
}
return false;
}
public function setRefreshToken($newRefreshToken) {
$query="UPDATE external_api "
. "SET refreshtoken = :new_refreshtoken "
. "WHERE id=1;";
$connection = $this->em->getConnection();
$statement = $connection->prepare($query);
$statement->bindValue('new_refreshtoken', $newRefreshToken);
$statement->execute();
}
}
然后,我在控制器中做了一些逻辑说,如果访问令牌无效,则使用刷新令牌,如果刷新令牌无效,则进行新的登录尝试.如果必须获取新令牌,控制器中的此代码还将令牌存储在数据库中.
Then I made some logic in the controller that says if access token not valid use refresh token, and if refresh token not valid do a new login attempt. This code in the controller also stores the tokens in the database if we have to get new ones.
$eapiService = $this->get('mybundle.service.externalapi');
$reqPara = ['body' =>["accessToken" => $at, "department" => $department, "location" =>$location]];
$req = $client->request("POST", "https://httpbin.org/employees/atwork", $reqPara);
$response = json_decode($req->getBody()->getContents());
if ($response->serverErrorMessage == "Invalid access token.") {
$req = $client->request('POST', "https://httpbin.org/getnewtokens", ['body' => ['refreshToken' => $refreshToken]]);
$response = json_decode($req->getBody()->getContents());
if ($response->serverErrorMessage == "Invalid refresh token.") {
$req = $client->request('POST', 'https://httpbin.org/login', ['body' => ['user' => $user, 'pw' => $pw]]);
$response = json_decode($req->getBody()->getContents());
foreach ($response->content as $contentItem) {
$eapiService->setAccessToken($contentItem->accessToken);
$eapiService->setRefreshToken($contentItem->refreshToken);
}
} else {
foreach ($response->content as $contentItem) {
$eapiService->setAccessToken($contentItem->accessToken);
$eapiService->setRefreshToken($contentItem->refreshToken);
}
}
}
return array('usersatwork' => $response);
我可能还会做些事情来捕捉吞噬的异常.
I will probably also make something to catch exceptions from guzzle.
这篇关于Symfony2中从外部Web API存储访问和刷新令牌的位置在哪里?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!