CakePHP Authentication on REST API

Problem description

So I'm creating a REST API for a web app I'm developing, and I know the basic ways for authentication are either sending the credentials on each request or sending a token.

Since I have never used tokens before, I think I may send the credentials for each request. The point is I can't find any examples on how to handle this in the controller. Would it be something like this?

public function api_index() {
    if(!$this->Auth->login()) return;

    $this->set(array(
        'models' => $this->Model->find('all'),
        '_serialize' => array('models')
    ));
}

I don't really think this is the way AuthComponent::login() works, can I get some directions here please?

Recommended answer

Alright, first a clarification about how AuthComponent::login works. In Cake 2.x that method does not do any authentication, but rather creates the Auth.User array in your session. You need to implement the actual authentication yourself (the User model is a natural place to do this). A basic authentication method might look like this:

App::uses('AuthComponent', 'Controller/Component');

public function authenticate($data) {
    // nothing to check without both fields
    if (empty($data['login']) || empty($data['password'])) {
        return false;
    }
    $user = $this->find('first', array(
        'conditions' => array('User.login' => $data['login']),
    ));
    // find('first') returns an empty array when there is no such user
    if (empty($user) || $user['User']['password'] !== AuthComponent::password($data['password'])) {
        return false;
    }

    unset($user['User']['password']);  // don't forget this part
    return $user;
    // the reason I return the user is so I can pass it to AuthComponent::login if desired
}

Now you can use this from any controller as long as the User model is loaded. You may be aware that you can load it by calling Controller::loadModel('User').

If you want to authenticate every request, then you should then put in the beforeFilter method of AppController:

public function beforeFilter() {
    parent::beforeFilter();  // keep whatever the parent sets up (Auth config, etc.)
    $this->loadModel('User');
    if(!$this->User->authenticate($this->request->data)) {
        throw new UnauthorizedException(__('You don\'t belong here.'));
    }
}

All of the above assumes that you pass POST values for login and password every time. I think token authentication is definitely the better way to go, but for getting up and running this should work. Some downsides include sending the password in cleartext (unless you require SSL) on every request and the probably high CPU usage of the hashing algorithm each time. Nevertheless, I hope this gives you a better idea of how to do authentication with CakePHP.

Let me know if something needs clarifying.

Update: Since posting this, I found out that you can actually use AuthComponent::login with no parameters, but I am not a fan of doing so. From the CakePHP documentation:

    In 2.x $this->Auth->login($this->request->data) will log the user in with
    whatever data is posted, whereas in 1.3 $this->Auth->login($this->data)
    would try to identify the user first and only log in when successful.
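The per-request credential check the answer describes, plus the token exchange it recommends instead, as an added stand-alone PHP example. This is not the answer's code and not CakePHP's API: the user table, request headers and the function names (parseBasicHeader, authenticate, issueToken, checkBearer) are all constructed for illustration. It stores bcrypt hashes rather than the salted SHA-1 that AuthComponent::password() produced, verifies against a dummy hash when the login is unknown so that "no such user" and "wrong password" take about the same time, and hands out a random bearer token so the password is sent once rather than on every call.

```php
<?php
// Added example, not from the original answer or from CakePHP.
// All users, headers and names below are constructed for illustration.
declare(strict_types=1);

// Constructed user table: passwords stored as bcrypt hashes, never in the clear.
$USERS = array(
    'alice' => array('id' => 1, 'password' => password_hash('correct horse', PASSWORD_BCRYPT, array('cost' => 10))),
);

// Dummy hash verified against when the login does not exist, to keep timing comparable.
$DUMMY_HASH = password_hash('dummy', PASSWORD_BCRYPT, array('cost' => 10));

// In-memory token store: token => array('user_id' => ..., 'expires' => unix time)
$TOKENS = array();

// Parse "Authorization: Basic base64(login:password)". Returns array($login, $password) or null.
function parseBasicHeader(string $header): ?array {
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2); // limit 2: the password may itself contain ':'
}

// Counterpart of the answer's User::authenticate(): look the user up and verify the
// password. Returns the record without the password field on success, false otherwise.
function authenticate(array $users, string $dummyHash, string $login, string $password) {
    $user = $users[$login] ?? null;
    // Always run password_verify, even for an unknown login (against the dummy hash).
    $ok = password_verify($password, $user['password'] ?? $dummyHash);
    if ($user === null || !$ok) {
        return false;
    }
    unset($user['password']); // don't forget this part, as the answer says
    return $user;
}

// Issue a random bearer token (256 bits from the CSPRNG) valid for $ttl seconds.
function issueToken(array &$tokens, int $userId, int $now, int $ttl = 3600): string {
    $token = bin2hex(random_bytes(32));
    $tokens[$token] = array('user_id' => $userId, 'expires' => $now + $ttl);
    return $token;
}

// Validate "Authorization: Bearer <token>". Returns the user id, or null if unknown/expired.
function checkBearer(array $tokens, string $header, int $now): ?int {
    if (!preg_match('/^Bearer\s+([0-9a-f]{64})$/', $header, $m)) {
        return null;
    }
    $presented = $m[1];
    foreach ($tokens as $token => $info) {
        // hash_equals: constant-time, so a wrong token does not leak how much of it matched
        if (hash_equals((string)$token, $presented)) {
            return $info['expires'] > $now ? $info['user_id'] : null;
        }
    }
    return null;
}

// --- constructed requests, the way a REST client would send them ---
$now = time();

$wrong = parseBasicHeader('Basic ' . base64_encode('alice:wrong'));
echo "wrong password: " . (authenticate($USERS, $DUMMY_HASH, $wrong[0], $wrong[1]) === false ? "rejected" : "accepted") . "\n";

$unknown = parseBasicHeader('Basic ' . base64_encode('mallory:anything'));
echo "unknown user: " . (authenticate($USERS, $DUMMY_HASH, $unknown[0], $unknown[1]) === false ? "rejected" : "accepted") . "\n";

$good = parseBasicHeader('Basic ' . base64_encode('alice:correct horse'));
$user = authenticate($USERS, $DUMMY_HASH, $good[0], $good[1]);
echo "good password: " . ($user === false ? "rejected" : "accepted as user " . $user['id']) . "\n";

// Exchange the verified credentials for a token and use it on later requests.
$token = issueToken($TOKENS, $user['id'], $now);
echo "bearer now: " . var_export(checkBearer($TOKENS, 'Bearer ' . $token, $now), true) . "\n";
echo "bearer after ttl: " . var_export(checkBearer($TOKENS, 'Bearer ' . $token, $now + 7200), true) . "\n";
echo "bogus bearer: " . var_export(checkBearer($TOKENS, 'Bearer ' . str_repeat('0', 64), $now), true) . "\n";
```

Run it with `php example.php`. In a real deployment the token store would live in a database or cache keyed by a hash of the token, the Basic exchange would be allowed only over TLS, and a failed check would answer with a 401 and a `WWW-Authenticate` header, which is what the answer's UnauthorizedException does inside CakePHP.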
