Authorization and Authentication to REST API from JavaScript Client


Question

I'm building a PHP REST API that will be utilized from a JavaScript client, and am having some issues figuring out how to implement the auth and access side of things. There will be multiple applications that will use a JavaScript library that I'll be developing to talk and interact with my application. I'll be providing API keys to each of them, so that's not an issue.

Where I start getting confused is how to have the users on these sites authenticate to my application. It seems like a bad idea to have this external site store my user's account and password information; so, I guess I should have my JavaScript library include a login widget that asks for the user's account info for my application.

If authentication is successful there, since I'm working with a REST API, I'll need to store the token retrieved in a client-side cookie or something so that the user doesn't need to log in to my application again on every page of the external site. However, what happens if the user logs out of the external site, and then another user logs in from the same browser? As far as my JavaScript library is concerned, the old user would still be logged into my application, because the cookie/token would not have expired yet - how can I clear my cookie when the previous user's session ends? Or, am I completely off the right path here?

So, I'm thinking the process would be something like:

var apiKey = '123abc';
var token; // Opaque session token issued by the server; kept for later API calls

// Minimal cookie reader (the original called readCookie() without defining it)
function readCookie(name) {
    var match = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));
    return match ? decodeURIComponent(match[1]) : '';
}

// Authenticated API call. Uses https like the login call, so the token is never sent in the clear.
function callApi(token) {
    var get_data = {apiKey: apiKey, token: token};
    $.get('https://service.com/api/<object>', get_data, function(data) {
        // Do something with data
    });
}

// Read the cookie and check if it already contains the token
token = readCookie('token');
if (token == '') {
    // get username and password from user through some prompt

    var request_data = {apiKey: apiKey, user: username, pass: password};
    $.post('https://service.com/api/user/login', request_data, function(data) {
        // $.post is asynchronous: the token only exists inside this callback, so the
        // first API call has to be made from here (the original used token before it was set)
        token = data;
        document.cookie = "token=" + encodeURIComponent(token) + "; Secure";
        callApi(token);
    });
} else {
    callApi(token);
}

Sorry, there are several questions buried in here. I guess the main one is: if I'm storing the token in a cookie, how do I ensure that it is cleared when the user logs off the external application? Or, if I shouldn't be storing it in a cookie, how do I keep the client aware of the user's state?

Answer

I suggest you read this very good blog post about securing a RESTful API :)

Note: my answer is off-topic because the solution provided in the blog post above is not secure from a JavaScript client. In fact, it explains mostly how to secure a REST API on the server side.

Edit: the link above seems to have been dead for a few days; here's the archive.org version: http://web.archive.org/web/20150906064244/http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/
