Rest API login flow and url
I am working on building a REST API just to learn, and I am stuck on the login flow and how it should work.
Here are some facts about my API so far:
Here are my questions: 这是我的问题:
If I want to authenticate a user (not an API user), what should my REST API URL look like? I have read enough to know that verbs are bad, so I am leaning away from https://api.mysite.com/users/login. So should it just be
METHOD: GET
URL: https://api.mysite.com/users
HTTP BODY: {"username":"xxxxxx","password":"xxxxxx"}
and just return, for success,
HTTP CODE: 200
HTTP BODY: {"id_user":"xx","username":"xxxxxx","screenname":"xxxxxxx"}
and, for invalid logins,
HTTP CODE: 404
I think this is the way to go, because isn't a login attempt really just like running any other GET with some parameters? In other words, would authenticating be any different from doing something like
HTTP METHOD: GET
URL: https://api.mysite.com/users
HTTP BODY: {"age":"72"}
EDIT 编辑
This API is intended to be used only by me. The idea is that I write an API and then I can write a backbone.js site, an iPhone app, an Android app, etc. on top of it. It is not meant for the public. So that is why I have avoided diving into OAuth quite yet.
I POST the username and PW to the API:
http://www.mysite.com/api/authenticate/ (username and PW included in the POST collection)
That returns a long, unique token which I generate on the server.
A token is then required in the request headers for all other requests. All pages (except authenticate) require a valid token or they return an error.
A login attempt is then a POST because it inserts a token record.
http://www.mysite.com/api/deauthenticate/ destroys the token (assuming a valid token is included in the header).
(Also, because the token is in the DB, I can deauthenticate a user, requiring another login whenever I want, e.g. after 10 minutes or 10 hours.)
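The token flow sketched in the EDIT above, as an added example that is not part of the original post. It is framework-free Python: requests are modelled with a small dataclass instead of a real HTTP server, the user table and the "alice" account are constructed sample data, passwords are stored as salted PBKDF2 hashes, tokens are stored only as SHA-256 hashes so a database dump does not yield usable sessions, and TOKEN_TTL_SECONDS = 600 stands in for the "10 minutes or 10 hours" the post mentions. The /api/me resource, the Bearer header format, the work factor and every function name are assumptions, not anything the post specifies.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL_SECONDS = 600      # hypothetical: tokens expire after 10 minutes
PBKDF2_ROUNDS = 100_000      # hypothetical password-hashing work factor


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed sample user table: username -> record with a salted hash.
USERS: dict = {}


def add_user(username: str, password: str, screenname: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"id_user": len(USERS) + 1, "salt": salt,
                       "hash": hash_password(password, salt), "screenname": screenname}


add_user("alice", "correct horse battery staple", "Alice")   # constructed account

# The "token record" table from the post: sha256(token) -> session.
# Only the hash is stored, so a leaked table does not contain usable tokens.
TOKENS: dict = {}
_DUMMY_SALT = b"\x00" * 16


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Request:
    """Stand-in for an HTTP request; hypothetical, not a real server."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


def verify_password(username: str, password: str) -> Optional[dict]:
    user = USERS.get(username)
    if user is None:
        hash_password(password, _DUMMY_SALT)   # same cost whether or not the user exists
        return None
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return None
    return user


def _bearer(req: Request) -> Optional[str]:
    auth = req.headers.get("Authorization", "")
    return auth[len("Bearer "):] if auth.startswith("Bearer ") else None


def current_session(req: Request, now: float) -> Optional[dict]:
    """Return the session for a valid, unexpired token, else None."""
    token = _bearer(req)
    if token is None:
        return None
    key = _token_key(token)
    session = TOKENS.get(key)
    if session is None:
        return None
    if session["expires"] <= now:
        del TOKENS[key]                   # lazy revocation of an expired token
        return None
    return session


def handle(req: Request, now: Optional[float] = None):
    """Dispatch one request; returns (status, body) like a tiny API server."""
    now = time.time() if now is None else now
    if req.method == "POST" and req.path == "/api/authenticate/":
        user = verify_password(req.body.get("username", ""), req.body.get("password", ""))
        if user is None:
            return 401, {"error": "invalid credentials"}   # same answer for bad user or bad PW
        token = secrets.token_urlsafe(32)                  # 256 bits of randomness
        TOKENS[_token_key(token)] = {"id_user": user["id_user"],
                                     "expires": now + TOKEN_TTL_SECONDS}
        return 200, {"token": token, "expires_in": TOKEN_TTL_SECONDS}
    # Everything except authenticate requires a valid token.
    session = current_session(req, now)
    if session is None:
        return 401, {"error": "missing, invalid or expired token"}
    if req.method == "POST" and req.path == "/api/deauthenticate/":
        del TOKENS[_token_key(_bearer(req))]               # destroy the token record
        return 204, {}
    if req.method == "GET" and req.path == "/api/me":
        user = next(u for u in USERS.values() if u["id_user"] == session["id_user"])
        return 200, {"id_user": user["id_user"], "screenname": user["screenname"]}
    return 404, {"error": "no such resource"}


if __name__ == "__main__":
    status, body = handle(Request("POST", "/api/authenticate/",
                                  body={"username": "alice",
                                        "password": "correct horse battery staple"}))
    print(status, body)
```

A few choices worth noting: the login endpoint is the only route reachable without a token, so every other handler runs after the token check rather than re-implementing it; a failed login gets 401 with one generic message and the same hashing cost whether the username exists or not, so the response does not tell an attacker which usernames are valid; the token is random rather than derived from the user id, which is what makes "destroying the record" a real revocation; and expiry is enforced on every use, so a cron job is not needed to honour the 10-minute or 10-hour limit.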