yii2 oauth token validation on every page

Problem description

So I need to validate oauth token on every page except for site/login, site/logout, site/error, site/auth. Building off of the advanced template, this would obviously be in the backend.

What would be the proper way of doing this in Yii2?

  1. Extend all controllers from some kind of base controller?
  2. Bootstrap a class in the config?
  3. A custom filter?
  4. A behavior?

Essentially I just need a function to run on every page except the 4 mentioned above.

Recommended answer

Yii 2.0 already has 3 authentication methods implemented as filters:

Plus yii\filters\auth\CompositeAuth to use more than one at the same time. They are usually attached to each controller within a behavior:

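// At the top of the controller file:
use yii\filters\auth\CompositeAuth;
use yii\filters\auth\HttpBasicAuth;
use yii\filters\auth\HttpBearerAuth;
use yii\filters\auth\QueryParamAuth;

public function behaviors()
{
    $behaviors = parent::behaviors();
    // Try each listed method in turn until one authenticates the request
    $behaviors['authenticator'] = [
        'class' => CompositeAuth::className(),
        'authMethods' => [
            HttpBasicAuth::className(),
            HttpBearerAuth::className(),
            QueryParamAuth::className(),
        ],
    ];
    return $behaviors;
}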

And all of them have $except and $only properties to choose which actions you are applying them to. So you may have something like this in your SiteController:

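// At the top of the controller file:
use yii\filters\auth\HttpBearerAuth;

public function behaviors()
{
    $behaviors = parent::behaviors();
    $behaviors['authenticator'] = [
        'class' => HttpBearerAuth::className(),
        // Action IDs of this controller that skip token validation
        'except' => ['login','logout','error','auth']
    ];
    return $behaviors;
}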

And you may have the same behavior but without the except property in all the other controllers. Or you can make all the other controllers extend a common controller where that authenticator behavior is implemented.

Those filters will use the built-in User class (as set in your config file) which implements the IdentityInterface to authenticate a user. That interface already has a findIdentityByAccessToken() method that you can use to validate a token instead of using findIdentity() to register a logged in user and make it accessible within Yii::$app->user->identity or Yii::$app->user->id.

What I'm trying to explain here is kind of a summary of how Authentication is implemented within the built-in Yii RESTful API framework which may be better explained here:

http://www.yiiframework.com/doc-2.0/guide-rest-authentication.html

And which I consider a good example to follow. There is also this tutorial that describes authentication by access token and how it is implemented within the User class. It is about REST but the technique should be the same for a non-REST app too as both are using the User class.
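
The two pieces the answer describes, put together as an added example (not code from the original answer): a common base controller that carries the authenticator behavior with a per-controller exception list, and a findIdentityByAccessToken() that rejects unknown and expired tokens. BaseController, AccessTokenIdentity, $authExcept and the columns access_token_hash and access_token_expires_at (a Unix timestamp) are assumptions; in a real project each class lives in its own file.

```php
<?php
// Added example. BaseController, AccessTokenIdentity and the columns
// access_token_hash / access_token_expires_at are assumptions.
namespace backend\controllers;

use yii\filters\auth\HttpBearerAuth;
use yii\web\Controller;

class BaseController extends Controller
{
    /** @var string[] action IDs that skip token validation */
    protected $authExcept = [];

    public function behaviors()
    {
        $behaviors = parent::behaviors();
        $behaviors['authenticator'] = [
            'class' => HttpBearerAuth::class,
            'except' => $this->authExcept,
        ];
        return $behaviors;
    }
}

// Only the site controller opens up the four public actions.
class SiteController extends BaseController
{
    protected $authExcept = ['login', 'logout', 'error', 'auth'];
}

namespace common\models;

// Use this trait in the User class configured as the identityClass.
trait AccessTokenIdentity
{
    public static function findIdentityByAccessToken($token, $type = null)
    {
        // Store and compare only a SHA-256 digest of the token.
        $user = static::findOne(['access_token_hash' => hash('sha256', (string) $token)]);
        // Unknown or expired token: return null so the filter answers 401.
        if ($user === null || (int) $user->access_token_expires_at < time()) {
            return null;
        }
        return $user;
    }
}
```

Because every other controller extends BaseController with an empty exception list, a newly added controller is protected by default and has to opt out explicitly.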
