如何安全地将密码发送到REST服务？ [英] How to send password to REST service securely?

问题描述

我正在使用 Flask-Restful 构建一个REST服务。 iOS设备将连接到这个REST后端来同步本地数据。

该服务将通过 https 连接进行访问。

REST服务是无状态的，用户必须对每个请求进行身份验证。因此，用户名和密码将以清晰的格式发送到REST服务。后端将散列密码，并检查数据库中现有的哈希密码。

  api.add_resource（Records，'/ rest / records /< string：email> /< string：password> /< string：ios_sync_timestamp>'）
  

现在我用这种方法看到的一个问题是，用户名和密码是作为GET url的一部分的清晰格式。服务器日志显然会跟踪这一点。现在，如果我的后端被入侵，日志文件将危及所有用户名和密码。

什么是最好的解决方案？我想也许发送用户名和密码作为POST参数，但我怎么用GET请求然后？

 类记录（资源）：
 def get（self，email，password，ios_sync_timestamp）：
 pass 
 def post（self，email，password，ios_sync_timestamp）：
 pass 
 < code $ <$ $ p 
 
解决方案
要使用用户名和密码验证每个请求，您应该使用： 基本身份验证。
 
 
 
要使用它，它非常简单，并且适用于所有HTTP方法（GET，POST，...）。您只需要在请求中添加一个HTTP头： 
 
 
  Authorization：Basic< ...> 
  
 < ...> 部分是用$ base编码的用户名：密码。
 $ b 
例如，如果您的登录名是 foo ，密码是 bar 。 HTTP头应该有这样一行： 
 
 
 `Authorization：Basic Zm9vOmJhcg ==`
  
通过您的 HTTPS 连接，它是安全的。 
 
 
编辑：使用Flask，您可以使用 Flask HTTP认证实现自动。
 
I am using Flask-Restful to build a REST service. The iOS device will then connect to this REST backend to sync the local data.

The service will be accessed over a https connection.

The REST service is stateless and the user has to authenticate upon each request. Hence the username and password will be sent in clear format to the REST service. The backend will hash the password and check against the existing hashed password in the database.
api.add_resource(Records, '/rest/records/<string:email>/<string:password>/<string:ios_sync_timestamp>')
Now one problem I see with this approach is that the username and password are in clear format as part of the GET url.  The server log will obviously track this. Now if my backend was ever hacked into, the log files would compromise all the usernames and passwords.

What is the best solution to this?  I was thinking maybe sending username and password as POST arguments, but how do I that with GET requests then?
class Records(Resource):
    def get(self, email, password, ios_sync_timestamp):
        pass
    def post(self, email, password, ios_sync_timestamp):
        pass

解决方案
To authenticate each requests with a username and password like you want, you should use: Basic Authentication.

To use it, it's pretty simple and it works with all HTTP methods (GET, POST, ...). You just need to add an HTTP header into the request:
Authorization: Basic <...>
The <...> part is the username:password encoded in base64.

For example, if your login is foo and your password is bar. The HTTP header should have this line:
`Authorization: Basic Zm9vOmJhcg==`
Through your HTTPS connection, it's secure.

EDIT: Using Flask, you can use Flask HTTP auth to achieve this "automatically".

                        
这篇关于如何安全地将密码发送到REST服务？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！