Best way to protect a REST API without requiring user authentication
Is this even possible?
The given scenario is that I am building a store with either ember.js or backbone.js. The store will be able to get all the products and individual products, as it should. However, when the user wants to buy an item they are taken directly to checkout, and there is no cart or user signup/login process. I am wondering if it's possible to somehow authenticate the new POST request that comes in to update the quantity and post back the user's shipping info, based not on whether the user is logged in and has authenticated but maybe on where the request is being made from? For instance, based on IP or on the signature of the SSL certificate present on the client side.
I've been using Parse to play with a backend and ember for the front end to this point. ember data offers great resources to interface with REST APIs, but most require that the key be passed to the request somehow and thus placed right inside the client side code. Not good. How can I achieve this with my given scenario, or is it simply not possible?
I am not sure how you will be able to distinguish which of your users ordered what without somehow having them authenticate themselves.
Online stores generally perform this in one of two ways:
With option 1, it's somewhat obvious how you can know which user orders what, because you have validated the user in your Ember.js app and on your server side.
With option 2, you still have to create an in-browser cookie or otherwise store an identifier that you can send to your server along with the user data. That way, when the user comes back from making their purchase, you can still identify what the user has purchased and act accordingly in your app.
So your process will be something like:
The downside of this is that if the user uses another device or browser, or deletes their cookies, you won't be able to show the user their previous purchase information.
I hope that answers your questions.