Rails API:实现身份验证的最佳方式? [英] Rails API : Best way to implement authentication?

问题描述

我正在编写一个 Rails 4 应用程序，它将为尚未开发的移动应用程序公开 API.用户将使用来自移动应用的电子邮件和密码进行身份验证.

I'm writing a Rails 4 app that will expose an API for a mobile app that's yet to be developed. Users will authenticate using an e-mail and password from the mobile app.

虽然我已经找到了很多关于该主题的信息.很难辨别什么是过时的或非最佳的.我已经阅读了关于 HTTP 基本身份验证，它似乎不太安全，以及基于 HTTP 令牌的身份验证，但我不确定如何将其与常规电子邮件和密码身份验证结合使用(我正在使用 Devise by方式).

While I've found quite a bit of information on the topic. It's hard to discern what's dated or non-optimal. I've read about HTTP Basic Auth, which doesn't seem too secure, and HTTP Token-based Auth, but I'm not sure on how to couple that with regular e-mail and password authentication (I'm using Devise by the way).

我只想知道如何实现这一点的当前最佳做法是什么，所以我一定会走正确的路.

I'd just like to know what's the current best practice on how to implement this, so I'll be sure to be going the right way.

推荐答案

从安全角度来看，重要的一点是将用户的电子邮件和密码交换一次令牌，然后使用该令牌进行后续请求.这是因为:

The important point, from a security perspective, is to exchange the user's email and password for a token once, and then use that token for subsequent requests. This is because:

1. 您不希望客户端应用负责保留用户的密码，因为错误或攻击可能导致密码泄露；和
2. 服务器颁发的令牌使您(和您的用户)能够在必要时使令牌过期，例如锁定被盗设备或阻止行为不端的 API 客户端.

实现这一目标的方法有很多种，但复杂程度各不相同.

There are many ways to accomplish this with varying levels of complexity.

这是一个最新的教程，其中包含在 Rails 中使用基于令牌的身份验证创建 API 的完整演练(不使用 Devise，但仍然与理解概念相关):https://labs.kollegorna.se/blog/2015/04/build-an-api-now/

Here is a tutorial that is very recent and has a thorough walkthrough for creating an API in Rails with token-based authentication (not using Devise, but still relevant to understand the concepts): https://labs.kollegorna.se/blog/2015/04/build-an-api-now/

这篇关于Rails API:实现身份验证的最佳方式?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！