Securing a REST API and Slim Framework


Question

I am fairly new to REST APIs, and I realize there are quite a few questions already posted. However, perusing these has actually left me more confused on how to handle this.

I have created a REST API using Slim Framework which I am simply using to transfer data. I won't be using user logins or authentication, so I believe to secure this I just need a system that uses a public key and a private key, but I am just not sure.

If anyone has insight on the correct / most secure way to do this, or any tutorials / resources that would be great. Any help is appreciated.

Answer

You can use SSL to encrypt data in transit.

But SSL is just encryption; server-side SSL does not do authentication of the client, nor authorization. You can think of authorization as answering the question "is the caller allowed to do what he is asking?". Authentication, establishing the identity of the caller, is usually a necessary first step for doing authorization. Sometimes you don't need "the whole identity" - you just need to ascertain a particular aspect. For example, an automated washroom gate would not need to know who you were, but only if you were male or female in order to ascertain identity. In the same way, some services don't care who you are; they will allow access if you are calling from a particular network (IP whitelist) or if you carry a special token.

To allow the server to distinguish between authorized and unauthorized calls you have some options:

  • IP whitelist. If you know the IP address of the app or agent which will call your service, you can specify that in your service implementation. The service can check the IP of incoming requests and reject those that are not on the whitelist. This is sort of "implicit" authorization based on the caller's address.

  • A secret token, that the app provides in each call. You said you didn't want to do authentication, but this is a form of authentication. You might call it a "bearer token". Anyone who bears this token gets authorization. In your server you'd check the value of the token and reject any calls that don't match the well-known value. This works much like the IP whitelist except the token is explicitly passed, and does not have any relation to the network address.

  • A token + key pair. This is like a username / password, but it can be used to authenticate the app. Use this to provide the identity of the app itself. Check on the service side as above.

  • A username / password. To authenticate the user of the app.

You may want to combine these to produce the solution you want. In other words, the client request needs to be from the right IP address, and needs to have a token/key for the app, and a username/password for the user, in order to be considered "authorized".
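As an added example (not code from the answer above or from the Slim project), here is a plain PHP check that combines the first two options, an IP whitelist and a bearer token, in the way the answer describes; the `authorize()` function, the constant names and the sample addresses and token are all assumed or constructed for illustration, and the comment showing how to feed it from a PSR-7 request assumes Slim 3 or 4.

```php
<?php
declare(strict_types=1);

// Constructed configuration for the example. Load the real token from the
// environment or a secrets store rather than committing it to the code.
const ALLOWED_IPS    = ['203.0.113.10', '203.0.113.11'];        // documentation-range addresses
const EXPECTED_TOKEN = 'PLACEHOLDER-long-random-secret-token'; // placeholder, not a real secret

/**
 * Returns null when the request is authorized, otherwise a short reason
 * for the server log. Send the caller only a generic 403, not the reason.
 */
function authorize(string $remoteAddr, string $authorizationHeader): ?string
{
    // Option 1: "implicit" authorization by source address. Use REMOTE_ADDR,
    // the address the server actually saw; X-Forwarded-For is caller-supplied
    // unless a proxy you control overwrites it.
    if (!in_array($remoteAddr, ALLOWED_IPS, true)) {
        return 'ip not in whitelist';
    }

    // Option 2: explicit bearer token, expected as "Authorization: Bearer <token>".
    if (!preg_match('/^Bearer\s+(\S+)$/', $authorizationHeader, $m)) {
        return 'missing or malformed bearer token';
    }

    // hash_equals() runs in constant time, so response timing does not leak
    // how many leading bytes of a guessed token were correct.
    if (!hash_equals(EXPECTED_TOKEN, $m[1])) {
        return 'token mismatch';
    }

    return null;
}

// Wiring inside a Slim (PSR-7) middleware would take the two inputs from the
// request object and short-circuit on failure:
//   $ip   = $request->getServerParams()['REMOTE_ADDR'] ?? '';
//   $auth = $request->getHeaderLine('Authorization');
//   if (authorize($ip, $auth) !== null) { return $response->withStatus(403); }

// Stand-alone run with constructed inputs: one allowed call, one from a
// non-whitelisted address, one with a wrong token.
foreach ([
    ['203.0.113.10', 'Bearer ' . EXPECTED_TOKEN],
    ['198.51.100.5', 'Bearer ' . EXPECTED_TOKEN],
    ['203.0.113.10', 'Bearer not-the-token'],
] as [$ip, $auth]) {
    echo $ip, ' -> ', authorize($ip, $auth) ?? 'authorized', PHP_EOL;
}
```

Adding the answer's third and fourth options (an app token + key pair, or a user's username / password) means extending `authorize()` with further checks in the same style, each consulting a stored credential and failing closed.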
