没有登录REST API的用户更简单，但它是正确的 [英] REST API without Login for Users is more simple, but is it right

问题描述

我已经在这里学习了很多关于REST的API。我只是来实现，不应该是一个登录包含在一个REST API。请记住，我不是在谈论API登录，一个程序员可能包括与请求的API。我说的是最终用户。举例来说，就没有

I have been learning a lot here about REST APIs. I just came to the realization that there should not be a "login" included in a rest api. Keep in mind that I am not talking about the API login, that a programmer may include with the requests to the api. I am talking about end users. For instance, there would be no

https://api.mysite.com/users/login

或

https://api.mysite.com/users/authenticate

之所以说，是因为REST API不应该关心用户，这并不比其他数据库表或资源中的任何其他记录不同的状态。凡建立在API的顶部可以处理验证他们如何认为合适的。因此，在您的用户表，你可能有一个用户名，密码和hair_color。所以，你可以做一个API调用像

The reason why, is because the rest api shouldn't care about the state of the users, which are no different than any other records in the other db tables or resources. Whoever builds on top of the api can handle authentication how they see fit. So in your users table you might have a username,password, and hair_color. So you can make a api call like

method: GET
url: https://api.mysite.com/users
http body: {"username":"foo","password":"bar"}

检查登陆，该API不会这样对待比这个要求有什么不同。

to check for "login", which the api wouldn't treat any different than this request

method: GET
url: https://api.mysite.com/users
http body: {"hair_color":"red"}

它们将都返回具有完全相同的结构响应。那么这将是对其他程序员来决定他们想要的信息做，他们可以考虑它登录，或只是一个信息检索的认证。总之，API不服务于最终用户登录，或至少不知道它正在发挥作用。因此，你应该永远不会返回401如果最终用户一个用户名/密码组合是无效的，并假定程序员试图执行一个登录流程。

They would both return responses with the exact same structure. Then it would be on the other programmers to determine what they wanted to do with the info, they could consider it an authentication for a login, or just a retrieval of information. In short, the api doesn't service end user login, or at least doesn't know that it is playing a role. Therefore you should never return a 401 if a username/password combo for an end-user is not valid and assume that a programmer is attempting to execute a login flow.

我的主要问题是：是否我的假设和逻辑正确以上。

My main question is: Is my assumption and logic above correct?

我的提问中学（非常次要的）是：如果是这样，就只有适当的时候返回一个401的回应应该是，当API用户（在其他程序员）认证falis

My secondary question (very secondary) is: If so, would the only appropriate time to return a 401 response would be when "api user" (the other programmers) authentication falis?

修改

我通过将用户名和密码通过头与HTTP基本认证API认证用户。我的问题是只在登录最终用户目标。

推荐答案

我使用REST API买我的做法是有点不同。

I am using rest API buy my approach is little bit different.

我做什么我传递的用户名和密码作为标题参数，而不是每个请求的数据。使用我每次他要求一次验证用户。

What I did I am passing username and password as a header parameters rather than data with each request. Using which I authenticate user each time he requests.

当然，我不得不这样做，因为我proect要求，所以但我认为这是一个很好的方法，因为你是不是担心太多关于在一定水平的安全性的部分。

Of course I had to do so because of my proect requirement but I think it is a good approach as you are not worried much about security part at certain level.

希望这有助于。

这篇关于没有登录REST API的用户更简单，但它是正确的的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！