如何保护我的API [英] How to secure my API
问题描述
我正在开发一个API,用于自己的公司,这个API将是由
I'm developing an API for my own company, this API is going to be consumed by
- 我的网站
- 我的iOS应用
- 我的Android应用
- 第三方集成
现在,我的问题是,如何设计验证系统,使我的网站和应用程序可以消耗pretty大部分的API,但第三方开发者整合的每个端点只允许消耗,我定义的端点。
Now, my questions is, how to designed the authentication system so that my website and apps can consume pretty much every endpoint of the API but the 3rd party developers integration are only allow to consume the endpoints that I define.
我不要求特定的code,只有认证流程的总体思路来处理这个问题。
I'm not asking for specific code, only a general idea of the authentication flow to handle this.
感谢
推荐答案
喜欢的东西设计(最流行的)或其他COM prehensive认证框架将是最好的处理实际验证。该框架包括有问题的情况下,个别开发商可能没有想到的。根据需要账户,在服务器端能识别供应商(有一个作者,一个用于每个第三方集成)或个人用户。将有限定的至少2角色,一个用于完全访问以及一个或多个为有限访问(每个组不同的端点的访问是允许的),具有被分配取决于供应商提供的角色(用于单个用户的每个帐户账户第三方整合正在使用的帐户创建时将被传递给认证系统,所以正确的角色可以设置)的供应商。然后每个端点会检查分配给该用户的角色,并允许或拒绝访问基于该作用。应用程序控制器类A before_action 过滤器会自动应用在所有的控制器和行动,办理入住手续,提供给参与认证控制器(S)例外,以允许AS-yet-未经身份验证的用户进行身份验证。
Something like Devise (the most popular) or another comprehensive authentication framework would be best to handle the actual authentication. The frameworks cover problematic cases an individual developer might not think of. Depending on needs "account" on the server side could identify the vendor (with one for the author and one for each 3rd party integration) or individual users. There would be at least 2 roles defined, one for full access plus one or more for limited access (one for each different set of endpoints access to is allowed), with each account being assigned a role depending on the vendor (for individual-user accounts the vendor of the 3rd-party integration being used would be passed to the authentication system during account creation so the correct role could be set). Each endpoint would then check the role assigned to the user and allow or deny access based on that role. A before_action filter on the application controller class would apply that check across all controller and actions automatically, with exceptions applied to the controller(s) involved in authentication to allow as-yet-unauthenticated users to authenticate.
这篇关于如何保护我的API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
