无需用户身份验证即可保护REST Api的最佳方法
[英]Best way to protect a REST Api without requiring user authentication
问题描述
Is this even possible. 
这有可能吗?
The given scenario is I am building a store either with ember.js or backbone.js. 给定的场景是我正在使用ember.js或骨干.js建立商店。 The store will be able to get all the products and individual products as it should. 商店将能够按需获取所有产品和单个产品。 However when the user wants to buy an item they are taken directly to checkout and there is no cart or user signup/login process. 但是,当用户想要购买商品时,他们将被直接带到结帐处,并且没有购物车或用户注册/登录过程。 I am wondering if it's possible to somehow authenticate the new POST request that comes in to update the quantity and post back the users shipping info based not on if the user is logged in and has authenticated but maybe based on where the request is being made from? 我想知道是否有可能以某种方式对新来的POST请求进行身份验证以更新数量,并根据用户是否已登录并已通过身份验证而不是基于可能是从何处发出请求来回发用户的运输信息? For instance based on IP or based on the signature of the SSL certificate present on the client side. 例如,基于IP或基于客户端上存在的SSL证书的签名。
I've been using Parse to play with a backend and using ember for the front end to this point, ember data offers great resources to interface with REST apis but most require that the key be passed to the request somehow and thus placed right inside the client side code. 到目前为止,我一直在使用Parse来处理后端,并在前端使用ember,ember数据提供了与REST api交互的强大资源,但是大多数都要求将密钥以某种方式传递给请求,并因此直接放置在客户端代码。 Not good. 不好。 How can I achieve this with my given scenario or is it simply not possible? 如何在给定的情况下实现这一目标,或者根本不可能?
1 个解决方案
解决方案1
2 已采纳 2014-03-14 09:51:48
I am not sure how you will be able to distinguish which of your users ordered what, without somehow having them authenticate themselves. 我不确定您如何能够区分哪个用户订购了什么,而无需以某种方式让他们对自己进行身份验证。
Online stores generally perform this in one of two ways: 在线商店通常以以下两种方式之一执行此操作:
- Have the user sign up, and log in. This way the user is authenticated and validated 让用户注册并登录。通过这种方式对用户进行身份验证和验证
- Have the user supply shipping information on the page when the user makes a purchase 当用户进行购买时,让用户在页面上提供运送信息
With option 1, its somewhat obvious how you can know which user orders what, because you have validated the user in your Ember.js app and on your server-side. 对于选项1,由于您已经在Ember.js应用程序中和服务器端验证了该用户,因此如何知道哪个用户订购什么在某种程度上显而易见。
With option 2, you still have to create an in-browser cookie or otherwise store an identifier that you can send to your server along with the user data. 使用选项2,您仍然必须创建浏览器内cookie或存储标识符,并将其与用户数据一起发送到服务器。 That way, when the user comes back from making their purchase, you can still identify what the user have purchased, and act accordingly in your app. 这样,当用户退出购物后,您仍然可以识别用户购买了什么,并在您的应用中采取相应的行动。
So you process will be something like: 因此,您的过程将类似于:
- Create and assign a cookie to your user when they enter your site 在用户进入您的网站时创建Cookie并将其分配给您的用户
- When the user makes a purchase, you will ask the user for some extra information (shipping info, name, etc). 用户进行购买时,您将要求用户提供一些其他信息(运输信息,名称等)。 Send this to the server, which will then also receive the cookie-information. 将此发送到服务器,然后服务器还将接收cookie信息。
- When the user comes back from their purchase (I am assuming you are using a third party payment processor here, which will call back with a URL on your server), your server side will know the status of the purchase (approved, rejected, etc), and based on the cookie the user had at the time of purchase, you can show the user the status of their purchase. 当用户从购物中回来时(我假设您在这里使用第三方付款处理器,它将在您的服务器上使用URL进行回调),服务器端将知道购买的状态(已批准,已拒绝等) ),并根据用户购买时拥有的Cookie,可以向用户显示其购买状态。
The downsides of this is that if the user uses another device, browser or deletes their cookies, that you won't be able to display the user with their previous purchase information. 这样做的缺点是,如果用户使用其他设备,浏览器或删除其Cookie,则您将无法向用户显示其先前的购买信息。
I hope that answers your questions. 我希望能回答您的问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.