从 JavaScript 客户端对 REST API 进行授权和认证 [英] Authorization and Authentication to REST API from JavaScript Client

问题描述

我正在构建一个将从 JavaScript 客户端使用的 PHP REST API，并且在弄清楚如何实现身份验证和访问方面时遇到了一些问题.将有多个应用程序将使用我将开发的 JavaScript 库来与我的应用程序对话和交互.我将为他们每个人提供 API 密钥，所以这不是问题.

I'm building a PHP REST API that will be utilized from a JavaScript client, and am having some issues figuring out how to implement the auth and access side of things. There will be multiple applications that will use a JavaScript library that I'll be developing to talk and interact with my application. I'll be providing API keys to each of them, so that's not an issue.

我开始感到困惑的是如何让这些站点上的用户对我的应用程序进行身份验证.让这个外部站点存储我用户的帐户和密码信息似乎是个坏主意；所以，我想我应该让我的 JavaScript 库包含一个登录小部件，它要求我的应用程序的用户帐户信息.

Where I start getting confused is how to have the users on these sites authenticate to my application. It seems like a bad idea to have this external site store my user's account and password information; so, I guess I should have my JavaScript library include a login widget that asks for the user's account info for my application.

如果身份验证在那里成功，因为我正在使用 REST API，我需要将检索到的令牌存储在客户端 cookie 或其他内容中，以便用户无需再次登录我的应用程序外部网站的每个页面.但是，如果用户从外部站点注销，然后另一个用户从同一浏览器登录，会发生什么情况?就我的 JavaScript 库而言，旧用户仍会登录到我的应用程序中，因为 cookie/令牌尚未过期 - 我如何在前一个用户的会话结束时清除我的 cookie?或者，我在这里完全偏离了正确的道路吗?

If authentication is successful there, since I'm working with a REST API, I'll need to store the token retrieved in a client side cookie or something so that the user doesn't need to login to my application again on every page of the external site. However, what happens if the user logs out of the external site, and then another user logs in from the same browser? As far as my JavaScript library is concerned, the old user would still be logged into my application, because the cookie/token would not have expired yet - how can I clear my cookie when the previous user's session ends? Or, am I completely off the right path here?

所以，我认为这个过程应该是这样的:

So, I'm thinking the process would be something like:

var token; // Some hashed string containing an expiration date and user id
var apiKey = '123abc';

// Read the cookie and check if it already contains the token
token = readCookie('token');
if (token == '') {
    // get username and password from user through some prompt

    var request_data = {apiKey: apiKey, user: username, pass: password};
    $.post('https://service.com/api/user/login', request_data, function(data) {
        token = data;
        document.cookie = "token=" + token;
    });
}

...

var get_data = {apiKey: apiKey, token: token};
$.get('http://service.com/api/<object>', get_data, function(data) {
    // Do something with data
});

抱歉，这里有几个问题.我想主要是如果我将令牌存储到 cookie 中，如何确保在用户注销外部应用程序时将其清除?或者，如果我不应该将它存储到 cookie 中，我如何让客户端知道用户的状态?

Sorry, there's several questions buried in here. I guess the main one is if I'm storing the token to a cookie, how do I ensure that it is cleared when the user logs off of the external application? Or, if I shouldn't be storing it to a cookie, how do I keep the client aware of the user's state?

推荐答案

我建议你阅读这篇关于保护 RESTful API 的非常好的博文.

(如果链接不起作用—它已经死了一次并且必须从archive.org检索—我发现它似乎是这个页面的PDF渲染:https://www.ida.liu.se/~TDDD97/labs/hmacarticle.pdf.)

(In case that link doesn't work—it has already gone dead once and has to be retrieved from archive.org—I found what it seems to be a PDF render of this page accessible here: https://www.ida.liu.se/~TDDD97/labs/hmacarticle.pdf.)

注意:我的回答是题外话，因为上面博客文章中提供的解决方案对于 Javascript 客户端来说是不安全的.事实上，它主要解释了如何在服务器端保护 REST API.

Note: my answer is off-topic because the solution provided in the blog post above is not secure from a Javascript client. In fact, it explain mostly how to secure a REST API on the server side.

这篇关于从 JavaScript 客户端对 REST API 进行授权和认证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！