Rest API登录流程和网址
[英]Rest API login flow and url
问题描述
I am working on building a rest api just to learn and I am stuck on the login flow and how it should work. 
我正在努力建立一个休息api只是为了学习,我被困在登录流程以及它应该如何工作。
Here are some facts about my api so far: 以下是关于我的api的一些事实:
- My api is written in php. 我的api是用php编写的。
- I am using http basic auth to get the username and password of the requestor. 我使用http basic auth来获取请求者的用户名和密码。 Once I grab it with $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] and check the credentials against my database table 'apiuser' to authenticate. 一旦我用$ _SERVER ['PHP_AUTH_USER']和$ _SERVER ['PHP_AUTH_PW']抓住它,并检查我的数据库表'apiuser'的凭据进行身份验证。
- I also have a table called 'users'. 我还有一个名为'users'的表。 This table is meant to be the end users that will use the websites and apps that are written on my api. 此表旨在表示将使用我的api上编写的网站和应用程序的最终用户。
Here are my questions: 这是我的问题:
If I want to authenticate a user (not an apiuser) what should my rest api url look like?
如果我想验证用户(不是apiuser),我的休息api url应该是什么样子? I have read enough to know that verbs are bad so I am leaning away from https://api.mysite.com/users/login So should it just be 我已经阅读了足够的知道动词是坏的所以我倾向于远离https://api.mysite.com/users/login所以它应该只是 METHOD: GET URL: https://api.mysite.com/users HTTP BODY: {"username":"xxxxxx","password":"xxxxxx}
and just return for success 并回归成功
HTTP CODE: 200
HTTP BODY: {"id_user":"xx","username":"xxxxxx","screenname":"xxxxxxx"}
and for invalid logins 和无效登录
HTTP CODE: 404
I think this is the way to go, because isn't a login attempt really just like running any other GET with some parameters? 我认为这是要走的路,因为不是登录尝试真的就像运行任何其他带有一些参数的GET一样吗? In other words, would authenticating be any different than doing something like 换句话说,认证与做某事不同
HTTP METHOD: GET
URL: https://api.mysite.com/users
HTTP BODY: {"age":"72"}
EDIT 编辑
This api is intended to be used by only me. 这个api只供我使用。 The idea is that I write an api and then I can write a backbone.js site, and iphone app, android app etc... on top of it. 我的想法是我写了一个api然后我可以写一个backbone.js网站,以及iphone app,android app等......在它之上。 It is not meant to be for the public. 它不是为了公众。 So that is why I avoided diving into OAuth quite yet. 所以这就是我避免潜入OAuth的原因。
1 个解决方案
解决方案1
2 2014-01-20 16:43:54
I POST the username and PW to the api: 我将用户名和PW发布到api:
http://www.mysite.com/api/authenticate/ (username and PW included in the POST collection) http://www.mysite.com/api/authenticate/(POST集合中包含的用户名和PW)
That returns a long, unique token which i generate on the server. 这将返回一个我在服务器上生成的长而唯一的令牌。
A token is then required in request headers for all other requests. 然后,在所有其他请求的请求标头中需要令牌。 All pages (except authenticate) require a valid token or they return an error. 所有页面(身份验证除外)都需要有效令牌,否则会返回错误。
A login attempt is then a POST because it inserts a token record. 然后登录尝试是POST,因为它插入了令牌记录。
http://www.mysite.com/api/deauthenticate/ destroys the token (assuming a valid token is included in the header) http://www.mysite.com/api/deauthenticate/销毁令牌(假设标头中包含有效的令牌)
(also because the token is in the db, I can deauthenticate a user, requiring another login whenever I want - eg, after 10 minutes or 10 hours) (也因为令牌在数据库中,我可以取消认证用户,需要在需要时再次登录 - 例如,10分钟或10小时后)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.