Yii2 Rest Api User bearer Authentication expiration time


Question

I am currently working on a yii2 based REST API. I use a bearer token for user authentication. Let me explain the requirement.

1) First, the user is authenticated from an external PHP application using their credentials.

2) He/she gets an access token.

3) Each subsequent request is made using this access token.

// Current lookup: the bearer token is matched against auth_key and nothing
// checks whether it has expired.
public static function findIdentityByAccessToken($token, $type = null)
{
    return static::findOne(['auth_key' => $token]);
}

This is where I started thinking. I did not find any expiration time for the access token. Is that really needed? If yes, how can I achieve that? Thanks in advance.

Answer

Your question is kind of broad, but I will attempt to help your thought process along.

I did not find any expiration time for the access token. Is that really needed?

That depends on your requirements. Do you want your users to be able to access your API indefinitely after authenticating the first time? Would you like your users to renew their token every so often?

I would recommend the latter, as it limits the time a potential attacker could use a compromised access token.

If yes, how can I achieve that?

One option would be to add a field containing the datetime of the expiry date to the database table corresponding with your identity class, and to check whether this is still valid in the implementation of findIdentityByAccessToken():

public static function findIdentityByAccessToken($token, $type = null)
{
    // Use find()->andWhere()->one() here: findOne() treats a non-associative
    // array such as ['AND', ...] as a list of primary key values rather than
    // as a WHERE condition, so the expiry check would never be applied.
    return static::find()
        ->andWhere([
            'AND',
            ['auth_key' => $token],
            // token_expire is a DATETIME column compared against the DB clock
            ['>=', 'token_expire', new \yii\db\Expression('NOW()')],
        ])
        ->one();
}
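Putting the answer's suggestion together end to end, as an added example that is not code from the original question or answer: an identity class that issues a random bearer token with an expiry, rejects it once the expiry has passed, revokes it on logout, and the controller wiring that makes `HttpBearerAuth` call the lookup. The column names `access_token` and `token_expire` (stored as a unix timestamp integer rather than a DATETIME), the one-hour lifetime, and the `app\models` namespace are assumptions for illustration.

```php
<?php
// Added example, not the original poster's or answerer's code.
// Assumed schema: table `user` with columns id, auth_key,
// access_token (VARCHAR, nullable) and token_expire (INT unix timestamp).

namespace app\models;

use Yii;
use yii\db\ActiveRecord;
use yii\web\IdentityInterface;

class User extends ActiveRecord implements IdentityInterface
{
    /** Token lifetime in seconds (assumed value: one hour). */
    const TOKEN_TTL = 3600;

    public static function tableName()
    {
        return '{{%user}}';
    }

    /**
     * Issue a fresh bearer token and record when it expires. Call this from
     * the login endpoint after the credentials have been verified. Returns the
     * plaintext token the client must send as "Authorization: Bearer <token>".
     */
    public function issueAccessToken()
    {
        // 32 characters from Yii's CSPRNG. Overwriting the column also
        // revokes any token issued earlier for this user.
        $this->access_token = Yii::$app->security->generateRandomString(32);
        $this->token_expire = time() + self::TOKEN_TTL;
        $this->save(false, ['access_token', 'token_expire']);
        return $this->access_token;
    }

    /**
     * Look the token up and refuse it once token_expire is in the past.
     * find()->andWhere()->one() is used instead of findOne() so that the
     * expiry condition is applied as a WHERE clause.
     */
    public static function findIdentityByAccessToken($token, $type = null)
    {
        if (!is_string($token) || $token === '') {
            return null;
        }
        return static::find()
            ->andWhere(['access_token' => $token])
            ->andWhere(['>', 'token_expire', time()])
            ->one();
    }

    /** Explicit revocation, e.g. from a logout endpoint. */
    public function revokeAccessToken()
    {
        $this->access_token = null;
        $this->token_expire = 0;
        return $this->save(false, ['access_token', 'token_expire']);
    }

    public static function findIdentity($id)
    {
        return static::findOne($id);
    }

    public function getId()
    {
        return $this->id;
    }

    // auth_key backs cookie-based "remember me" login; it is kept separate
    // from the bearer token so the two credentials can be rotated independently.
    public function getAuthKey()
    {
        return $this->auth_key;
    }

    public function validateAuthKey($authKey)
    {
        return $this->getAuthKey() === $authKey;
    }
}

// In the REST controller: HttpBearerAuth extracts the token from the
// Authorization header and calls User::findIdentityByAccessToken(), so an
// expired or revoked token results in a 401 without any extra code.
// (Shown here as a standalone function body for brevity; it belongs in the
// controller's behaviors() method.)
function restControllerBehaviors(array $parentBehaviors)
{
    $parentBehaviors['authenticator'] = [
        'class' => \yii\filters\auth\HttpBearerAuth::class,
    ];
    return $parentBehaviors;
}
```

Two points worth noting from the example: comparing against `time()` in PHP rather than `NOW()` in SQL keeps the check on one clock, which matters when the application and database servers have different timezones; and because the token is stored in plaintext, anyone with read access to the `user` table can impersonate users, so a further hardening step is to store only a hash of the token and look up by that hash.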
