如何处理授权PHP编写的API [英] How do I handle authorization to an API written in PHP

问题描述

所以我有这样的想法非常简单的服务，将提供一个API，我知道如何编写PHP REST杂交API，但我做过的一切都已经可以自由进出。对于这一次，我想通过无论是键/秘密对或基本的HTTP认证提供访问。

So I have this idea for a very simple service that will provide an API and I know how to write REST-ish APIs in PHP but everything I ever done has been freely accessible. For this one I'd like to provide access via either a key/secret pair or basic http auth.

我不知道该怎么做无论是。

I have no idea how to do either.

推荐答案

它所有的工作通过某种形式的HTTP标头。正常登录过程通常使用cookie，所以有 Cookie的请求头：该服务器拿起上FOO = owiegwoeugiaweg 发送。你可以做的API相同，但它不是通常最好的事情。

It all works through HTTP headers in some form or another. A normal login procedure usually uses cookies, so there's the request header Cookie: FOO=owiegwoeugiaweg being sent which the server picks up on. You can do the same for APIs, but it's not usually the best thing to do.

更好的是使用像 授权某些头字段某种形式的授权 头：

Better is some form of authorization using certain header fields like the Authorization header:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

这头可以包含任何你想要的。你可以使用一些自定义的密码哈希/密钥交换/无论算法，并要求客户在授权头发送此信息。你也可以拿出你自己的任何自定义标题，如果你喜欢。

This header can contain anything you want. You can use some custom password hashing/key exchange/whatever algorithm and require the client to send this information in the Authorization header. You could also come up with any custom header of your own, if you like.

以REST风格请求进行身份验证的一个好方法是使用要求签名。该算法是由你，但应至少包括当前时间，请求主体和用户特定的密钥，该密钥散列在一起，形成一个签名。

A good way to RESTfully authenticate requests is to use request signing. The algorithm for that is up to you, but should include at least the current time, the request body and a user specific key, which is hashed together to form a signature.

headers:
    Date: Thu, 20 Oct 2011 04:00:48 GMT
    Authorization: MySchema user123:oiquwetfp32900fjp0q93t1039

where:
    Date          = timestamp, must be within 15 mins of server time
    Authorization = MySchema USERNAME:SIGNATURE
    SIGNATURE     = sha1( Date + REQUEST BODY + PASSKEY )

这样你重复相同的操作（检查有效的时间戳基本上发送用户的每个请求密钥，但在某种程度上这是不可逆的，为每个请求独特的炒，但可证实的服务器，散列Date头+请求正文+用户的密钥）。曾经有在细节的Amazon Web Services的解释这个过程中良好的文档，但现在我找不到它。尝试研究要求签名的详细信息。

This way you're essentially sending the user's passkey with every request, but scrambled in a way that's non-reversible, unique for every request, yet confirmable by the server by repeating the same operations (checking for valid timestamp, hashing the Date header + request body + user's passkey). There used to be good documentation that explained this process in detail for Amazon Web Services, but I can't find it right now. Try researching "request signing" for more information.

在服务器端，您可以找到 $ _ SERVER 数组中的这些HTTP标头。原始请求主体，你可以通过的file_get_contents获得（PHP：//输入'）

On the server side you can find these HTTP headers in the $_SERVER array. The raw request body you can get via file_get_contents('php://input').

这篇关于如何处理授权PHP编写的API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！