简体繁体 English

PHP-带有身份验证的手机的RESTful API

[英]PHP - RESTful API for mobiles with authentication

原文 2014-04-08 14:16:52 2 2 php/ api/ rest/ authentication/ basic-authentication

I found many questions/answers here and many articles in other websites but I have still a few questions which I need to answer before I can start and I just can't find answers for them. 我在这里找到了很多问题/答案，在其他网站上也找到了很多文章，但是仍然有一些问题需要我回答才能开始，而我只是找不到他们的答案。 I want to create restful api for mobile apps (and for some frontend). 我想为移动应用程序（和某些前端）创建Restful API。

I choose Basic Authentication via HTTPS because I guess it's enough for now and it looks easy to implement. 我选择通过HTTPS进行基本身份验证，因为我想现在已经足够了，并且看起来很容易实现。 So I should have username and hashed password saved in dabatase right? 所以我应该在dabatase中保存用户名和哈希密码，对吗？ Then when user write username and password in app I hashed password and both encrypt by Base64 and add to HTTP header right? 然后，当用户在应用程序中写入用户名和密码时，我对密码进行了哈希处理，并且都通过Base64加密并添加到HTTP标头，对吗？ How can I decrypt this and check with database on server-side? 我该如何解密并在服务器端检查数据库？ How it would change with salt? 盐会如何变化？

And after I check username and password with previous call then how can I save this session? 在检查上一次呼叫的用户名和密码后，如何保存此会话？ Should I create some session-id/token (random string) and save it to column in users table and send it back to mobile app and then using it for other calls (with some timestamp for expiration)? 我是否应该创建一些session-id/token （随机字符串）并将其保存到users表中的列，然后将其发送回移动应用程序，然后用于其他调用（带有一些到期时间戳）？ Could it be via HTTP (no secure)? 可以通过HTTP（不安全）吗？ Like web.com/api?token=ASsF234Silkj&data=... Or I must always use HTTPS after authentication? 像web.com/api?token=ASsF234Silkj&data=...还是在身份验证后必须始终使用HTTPS？

How will it change when I use some API key (private) in all apps which would use this API? 当我在所有使用此API的应用程序中使用一些API密钥（专用）时，它将如何改变？ I know I can hide key and don't send it via requests (use it just for encryption) but what if someone try to read .apk and get API key? 我知道我可以隐藏密钥，并且不通过请求发送密钥（仅用于加密），但是如果有人尝试读取.apk并获取API密钥怎么办？

2 个解决方案

So I should have username and hashed password saved in database right? 所以我应该在数据库中保存用户名和哈希密码，对吗？

Yes, you should hash it, don't use MD5 or SHA1, they are now no more secured. 是的，您应该对其进行哈希处理，不要使用MD5或SHA1，因为它们现在已不再安全。 Use SHA2 or SHA3. 使用SHA2或SHA3。

Then when user write username and password in app I hashed password and both encrypt by Base64 and add to HTTP header right? 然后，当用户在应用程序中写入用户名和密码时，我对密码进行了哈希处理，并且都通过Base64加密并添加到HTTP标头，对吗？

Base64 is not hash function, you can get original content from base64 , it's just a encoding way.. Yes you have to put credentials to HTTP header. Base64不是哈希函数，您可以从base64获取原始内容 ，这只是一种编码方式。是的，您必须将凭据放入HTTP标头。 While sending user name and password (hash or plain), use HTTPS connection. 在发送用户名和密码（哈希或普通密码）时，请使用HTTPS连接。 Sending hash in HTTP connection is vulnerable to replay attack . 在HTTP连接中发送哈希很容易受到重放攻击 。

How can I decrypt this and check with database on server-side? 我该如何解密并在服务器端检查数据库？ How it would change with salt? 盐会如何变化？

If you send Hash , you cannot decrypt it (that the sole purpose of Hash). 如果发送Hash，则无法对其进行解密（这仅是Hash的目的）。 I would recommend you following: 1) send user name and password to server via https 2) create hash at server and check with the existing hash in database. 我建议您执行以下操作：1）通过https将用户名和密码发送到服务器2）在服务器上创建哈希，并检查数据库中的现有哈希。

And after I check username and password with previous call then how can I save this session? 在检查上一次呼叫的用户名和密码后，如何保存此会话？

depends on which langauge you are using 取决于您使用的是哪种语言

Should I create some session-id/token (random string) and save it to column in users table and send it back to mobile app and then using it for other calls (with some timestamp for expiration)? 我是否应该创建一些会话ID /令牌（随机字符串）并将其保存到users表中的列，然后将其发送回移动应用程序，然后用于其他调用（带有一些到期时间戳）？ Could it be via HTTP (no secure)? 可以通过HTTP（不安全）吗？

you can do that but use HTTPS, and do not use time stamp, it is very unsecure. 您可以这样做，但是可以使用HTTPS，并且不使用时间戳，这是非常不安全的。 Rather generate long random string 而是生成长随机字符串

How will it change when I use some API key (private) in all apps which would use this API? 当我在所有使用此API的应用程序中使用一些API密钥（专用）时，它将如何改变？

??? ???

I know I can hide key and don't send it via requests (use it just for encryption) but what if someone try to read .apk and get API key? 我知道我可以隐藏密钥，并且不通过请求发送密钥（仅用于加密），但是如果有人尝试读取.apk并获取API密钥怎么办？

Do not put key in APK, generate it locally if it is private key (if i got what you mean) 不要将密钥放入APK，如果它是私钥则在本地生成（如果我明白了你的意思）

First off, base64 is not encryption 首先， base64 不加密

While it is possible to integrate basic http authentication with sessions it is not a trivial task. 虽然可以将基本的HTTP身份验证与会话集成在一起，但这并不是一件容易的事。 And it's very easy to end up with something which is insecure (especially judging from the level of skill evidenced in your question). 而且很容易得出不安全的结论（尤其是从问题中证明的技能水平来判断）。

You seem to have planned out most of what you want to acheive - but you've got most of it wrong already. 您似乎已经计划了要实现的大多数功能-但是您已经错了很多。

Whether you should continue to use HTTPS after authentication depends if your service has any intrinsic value. 身份验证后是否应继续使用HTTPS取决于您的服务是否具有任何内在价值。

Similarly how you implement surrogate authentication tokens (including API keys) depeds on the security model. 同样，如何实现代理身份验证令牌（包括API密钥）取决于安全模型。 Stick to using HTTPS everywhere and you should not have to worry about changing / encrypting the API key. 坚持在所有地方使用HTTPS，您不必担心更改/加密API密钥。