用HTTP基本认证设计Restful API
[英]Design of Restful API with HTTP Basic Authentication
问题描述
Note: I know there are LOTS of other StackOverflow questions dealing with this topic. 
注意:我知道有很多其他StackOverflow问题涉及这个主题。 I've read through many of them, as well as many other websites. 我已经阅读了很多这些以及许多其他网站。 I still have the following questions. 我还有以下问题。
So, I'm building a REST API for a new product. 所以,我正在为新产品构建REST API。 At this time the API is entirely for private consumption by our websites and phone apps. 目前,该API完全由我们的网站和手机应用程序私人使用。 However, I'm thinking it might be smart to design the API so that it can be made public in the future. 但是,我认为设计API可能会很聪明,以便将来可以公开。
Authentication 认证
While I've looked at OAuth, I think HTTP Basic Authentication over SSL is plenty secure enough for our API. 虽然我看过OAuth,但我认为基于SSL的HTTP基本身份验证对我们的API来说足够安全。 From what I understand HTTP Basic Authentication over SSL is a completely viable way of authenticating a REST API. 据我所知,基于SSL的HTTP基本身份验证是一种完全可行的REST API身份验证方法。 It's also quite simple, which is appealing for me since I'm new to API development. 它也很简单,因为我是API开发的新手,所以对我很有吸引力。
Authorization 授权
If a user logs in to the API using their username and password, they will only be given access to certain parts of the API. 如果用户使用其用户名和密码登录API,则只能访问API的某些部分。 Meaning they'll have access to their own content, but not the content of other users. 这意味着他们可以访问自己的内容,但不能访问其他用户的内容。 Further, they may be limited to what they can all do. 此外,它们可能仅限于他们都可以做的事情。
In addition to the user accounts, I plan to also have other other (non user) accounts for more global administrative tasks. 除了用户帐户,我还计划拥有其他其他(非用户)帐户以进行更多全局管理任务。 These accounts could potentially have full access to the API. 这些帐户可能具有对API的完全访问权限。
Is this a good design? 这是一个很好的设计吗? OR, is it bad to authenticate a user in this way? 或者,以这种方式验证用户是不是很糟糕? Should I only be authenticating my clients (ie. apps) this way? 我应该只通过这种方式验证我的客户(即应用程序)吗?
Sessions 会议
My big question is, when logging a user into our web app, how do I manage their sessions? 我最大的问题是,在将用户登录到我们的网络应用程序时,如何管理他们的会话? REST stipulates sending the username and password with each request. REST规定每个请求都要发送用户名和密码。 Further, REST API's are stateless, so I cannot manage sessions there. 此外,REST API是无状态的,因此我无法在那里管理会话。 However, I need to track that they've logged into the web app somehow. 但是,我需要跟踪他们以某种方式登录到Web应用程序。 They clearly can't possibly login manually for each request. 他们显然无法为每个请求手动登录。
One approach is, after a user logs in, we save their login credentials (email & password) to the PHP session. 一种方法是,在用户登录后,我们将他们的登录凭据(电子邮件和密码)保存到PHP会话。 Then, each subsequent request to the API could use those credentials. 然后,对API的每个后续请求都可以使用这些凭据。 However, saving usernames and passwords in a PHP session just feels wrong and very unsafe. 但是,在PHP会话中保存用户名和密码只是感觉不对而且非常不安全。 But if not done this way, how are people managing sessions when interacting with a REST API? 但如果不这样做,人们在与REST API交互时如何管理会话?
The phone apps are easier, as you can save the user's login credentials into a keychain. 手机应用程序更容易,因为您可以将用户的登录凭据保存到钥匙串中。
Can anyone help with my design questions? 有人可以帮我解决我的设计问题吗?
1 个解决方案
解决方案1
2 2014-08-21 09:21:51
I know this question is a bit old and maybe you already finished your work, but I'd like to give you some tips. 我知道这个问题有点老了,也许你已经完成了你的工作,但我想给你一些提示。 Maybe these could help you or anybody in the future. 也许这些可以帮助你或将来的任何人。 :) :)
Authentication 认证
HTTP Basic Auth over SSL is quite simple, that's true, but not so secure than you think. HTTP基本身份验证非常简单,这是真的,但并不像你想象的那么安全。 You only have to install 1 "fake" SSL cert on the client and with a man in the middle attack you can sniff the traffic. 您只需在客户端上安装1个“假”SSL证书,并且在中间攻击中您可以嗅探流量。
How to install a fake certificate? 如何安装假证书? It's not so hard in a browser lot of users just click on the ok when they see the huge red warning screen. 浏览器中的用户并不是那么难,只要在看到巨大的红色警告屏幕时点击确定即可。 On a mobile for example: http://cryptopath.wordpress.com/2010/01/29/iphone-certificate-flaws/ 在移动设备上,例如: http : //cryptopath.wordpress.com/2010/01/29/iphone-certificate-flaws/
With this solution you only have to intercept the traffic once and you'll have the user's password! 使用此解决方案,您只需拦截一次流量,您就拥有了用户的密码!
My tip: Generate a temporary password at login and use this in every other requests. 我的提示:在登录时生成临时密码,并在每个其他请求中使用它。 So the attacker have to intercept the login process for the password and if you store this pass locally on the phone for example it's much harder. 因此,攻击者必须拦截密码的登录过程,如果您将此传递存储在手机本地,例如,则更难。 (And of course you can add expiration to it etc...) (当然你可以为它添加过期等...)
Authorization 授权
I don't really understand what would you do. 我真的不明白你会做什么。 User access management is a good thing, but it depends on the given project. 用户访问管理是一件好事,但它取决于给定的项目。
Session 会议
Not only the REST APIs, teh whole HTTP world is stateless. 不仅REST API,整个HTTP世界都是无状态的。 If you use a PHP session it stores a session id in a cookie on the client side and the browser sends this cookie value every time to the server. 如果您使用PHP会话,它会在客户端的cookie中存储会话ID,并且浏览器每次都会将此cookie值发送到服务器。
The users don't have to login every time. 用户不必每次都登录。 They log in once and get a token/temporary password etc... and (or if you don't use these stuff) they send you a basic auth header at every requests. 他们登录一次并获得令牌/临时密码等......(或者如果您不使用这些东西),他们会在每次请求时向您发送一个基本的auth标头。 This way you can easily track who sent you the request, because you already now who's that user and you can store and link some data to it on the server. 通过这种方式,您可以轻松跟踪向您发送请求的人,因为您现在已经是该用户,并且您可以在服务器上存储和链接某些数据。
There are many ways to deal with users. 有很多方法可以处理用户。 Basic auth is one of them. 基本身份验证就是其中之一。 And check this: OAuth's tokens and sessions in REST "OAuth tokens are explicitly a session identifier, ..." 并检查一下: OAuth中的OAuth令牌和会话 “OAuth令牌明确是会话标识符,......”
You don't have to store the user's password and email, you just have to check the headers/cookies/etc... from the client in every requests. 您不必存储用户的密码和电子邮件,只需在每个请求中检查客户端的标题/ cookies / etc ....
The phone apps are easier, as you can save the user's login credentials into a keychain.
They can, but saving the user's real password on a phone is a very bad practice. 他们可以,但在手机上保存用户的真实密码是一种非常糟糕的做法。 Save a time limited token is a bit better. 保存时间有限的令牌会好一点。 :) :)
In every other languages you can store values if you want. 在其他所有语言中,您可以根据需要存储值。 For example if you want to use a Python client for your API: It authenticates and stores a token or something what it needs in a variable and at every other requests it uses this stored data. 例如,如果您想为您的API使用Python客户端:它在变量中验证并存储令牌或其所需的内容,并在每个其他请求中使用此存储的数据。
One more sidenote: 还有一个旁注:
However, saving usernames and passwords in a PHP session just feels wrong and very unsafe.
True that's unsafe, but the (real) PHP sessions are stored on the server side and as I said it stores only a single session id on the client side. 确实这是不安全的,但(真正的)PHP会话存储在服务器端,正如我所说它在客户端只存储一个会话ID。 Anybody who can get this session id, could impersonate the given user. 任何能够获得此会话ID的人都可以冒充给定的用户。 (There are countermeasures for example IP check, etc...) (有IP检查等对策......)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.