非常非常简单的Web验证供个人使用
[英]very, very simple web authentication for personal use
问题描述
I'm using bottle to write a very simple backend API that will allow me to check up on an ongoing process remotely. 
我正在使用Bottle编写一个非常简单的后端API,这将使我可以远程检查正在进行的进程。 I'm the only person who will ever use this service—or rather, I would very much like to be the only person to use this service. 我是唯一会使用此服务的人,或者更确切地说,我非常想成为唯一使用此服务的人。 It's a very simple RESTish API that will accept GET requests on a few endpoints. 这是一个非常简单的RESTish API,它将在几个端点上接受GET请求。
I've never really done any development for the web, and I wanted to do something as simple as is reasonable. 我从未真正进行过任何网络开发,我想做一些简单而合理的事情。 Even this is probably an undue level of caution. 即使这样,也可能是不适当的警告。 Anyway, my very-very-basic idea was to use https on the server, and to authenticate with basically a hard-coded passkey. 无论如何,我的非常基本的想法是在服务器上使用https,并使用基本上是硬编码的密钥进行身份验证。 It would be stored in plaintext on the server and the client, but if anyone has access to either of those then I have a different problem. 它会以纯文本格式存储在服务器和客户端上,但是如果任何人都可以访问其中任何一个,那么我就会遇到另一个问题。
Is there anything glaringly wrong about this approach? 这种方法有什么明显的错误吗?
2 个解决方案
解决方案1
1 已采纳 2013-05-23 21:11:56
解决方案2
0 2013-05-23 21:48:32
If you are using password authentication you need to store the password in the server so you can validate the password you send from the client is Ok. 如果使用密码验证,则需要将密码存储在服务器中,以便可以验证从客户端发送的密码是否正确。
In your particular case you will be using basic authentication, as you want the simplest. 在您的特殊情况下,您将使用基本身份验证,因为这是最简单的。 Basic authentication over HTTP/HTTPS encodes the password with base64 but that's not a protection measure. 通过HTTP / HTTPS的基本身份验证使用base64对密码进行编码,但这不是保护措施。 Base64 is a two way encoding, you can encode and decode a chunk of data and you need no secret to do it. Base64是两种编码方式,您可以编码和解码大量数据,而无需任何秘密。 The purpose of Base64 encoding is codify any kind of data, even binary data, as a string. Base64编码的目的是将任何类型的数据(甚至二进制数据)编码为字符串。
When you enter the password and send it over HTTPS, the HTTPS tunel avoids anyone from seeing your password. 当您输入密码并通过HTTPS发送密码时,HTTPS隧道可避免任何人看到您的密码。
Other problem comes if someone gets access to your server and reads the password "copy" that you are using to check if the entered password was valid. 如果有人访问您的服务器并读取您用来检查输入的密码是否有效的密码“副本”,则会出现另一个问题。 The best way to protect is hashing it. 最好的保护方法是对其进行哈希处理。 A hash is a one way codification system. 哈希是一种单向编码系统。 This means anyone can hash a password, but you can not unhash a chunk of data to discover the password. 这意味着任何人都可以哈希密码,但是您不能取消哈希数据块来发现密码。 The only way to break a hashed password is by brute force. 破解哈希密码的唯一方法是蛮力破解。 I'll recommend using MD5 or SHA hashes. 我建议使用MD5或SHA哈希。
So to make it simple. 因此,使其变得简单。 The client uses http/https basic authentication, so you'll encode your password in base64. 客户端使用http / https基本身份验证,因此您将使用base64编码密码。 Pass it through a header, not the URL. 通过标头而不是URL传递它。 The server will contain a hased copy of the password either on databse or wherever you want. 该服务器将在数据库或您想要的任何位置包含密码的急速副本。 The backend code will recibe the http request, get the passowrd, base64 decode it and then hash it. 后端代码将接收http请求,获取密码,base64对其进行解码,然后对其进行哈希处理。 Once hashed, you will check if its equal to the copy stored in the server. 散列后,您将检查其是否等于存储在服务器中的副本。
This is it. 就是这个。 Hope it helps! 希望能帮助到你!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.