PHP/REST-如何实现对API的基于角色的访问? [英] PHP / REST - How do I implement a role based access of my API?

问题描述

我已经开始以API为中心的PHP项目(项目管理项目跟踪工具)，并取得了不错的开端.

I have started a PHP project (A Project Management Item Tracking Tool) using an API centric approach and have made a fairly good start.

到目前为止，我已经创建了2个 GET 方法，我想限制访问权限，但不知道从哪里开始.

I have created 2 GET the methods so far I want to restrict access but don't know where to start.

在我的数据库环境中

• Project 是封装不同操作项的容器.

• 操作项被分配"给用户.

• Project is the container that encapsulates different actionitems.

• Actionitems are 'assigned' to a user.

用户存在于数据库中.

角色分配给用户.( User ， Admin ， Super )

Roles as assigned to a user. (User, Admin, Super)

• 用户只能更新自己的项目

• User can only update their own item

管理员具有创建和更新权限

Admin had create and update privilege

超级用户具有全部管理特权

Super has total administrative privilege

我的问题是:我应该在PHP的何处开始以仅允许通过适当的用户(通过登录api或某些方式)访问api其他手段?任何入门帮助都可以帮助我.

My question is: Where should I start in PHP to only allow accessing the api via proper users, either via a login api, or some other means? Any help to get started would get me going.

首先，我已经成功创建了一个端点，以使用JSON字符串测试响应来访问访问资源(操作项).

To start I have successfully created an endpoint to access access resource (actionitems) using a JSON string to test the response.

我要限制的现有端点

GET /api/actionitems/

具有访问表中特定资源的一般结构，如下所示:

With a general structure to access specific resources within a table as follows:

GET /api/actionitems/4

请注意，应按以下方式访问其他api端点

Note additional api endpoints should be accessed as follows

每条路线最多3个路线令牌(/api/之后)

each route as up to 3 route tokens (following the /api/)

GET /api/users/123/actionitems   (get all actionitems for user 123)


GET /api/users/123/actionitems?<more-filers> applies further filtering

推荐答案

您需要处理API的身份验证和授权.

You need to handle authentication and authorization for your APIs.

这些是了解解决方案的非常基本的步骤:

These are very basic steps to understand the solution:

• 客户端使用用户凭据(用户名，密码)调用登录API.
• 服务器验证用户凭据并生成令牌.
• 服务器将此令牌根据经过身份验证的用户ID存储在数据库中，并响应客户端.
• 服务器已经具有访问数据库中与该经过身份验证的用户相关联的不同API的授权角色权限.
• 客户端使用登录API提供的令牌调用资源API.
• 服务器验证数据库中的令牌，并针对该令牌获取用户和用户角色权限以进行授权.
• 资源API 授权，并根据经过身份验证的用户角色权限提供所需的数据或执行操作.

• Client calls login API using user credentials(username, password).
• Server authenticates user credentials and generates a token.
• Server stores this token in database against authenticated user id and responds to client.
• Server already has authorization role rights to access different APIs associated with this authenticated user in database.
• Client calls resource APIs using token provided by login API.
• Server verify token in database and fetch user and user role rights against this token for authorization.
• Resource APIs authorize and provides required data or perform actions according to authenticated user role rights.

有多种方法可以以标准化的方式实现这一目标:

There are multiple ways to achieve this in standardize way:

• 3种常见的API认证方法
• JSON Web令牌
• oAuth2.0

这篇关于PHP/REST-如何实现对API的基于角色的访问?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！