REST API,基于令牌的身份验证
[英]REST API with token based authentication
问题描述
I want to develop a web site with AngularJS. 
我想用AngularJS开发一个网站。 On the backend side I will use Codeigniter REST framework. 在后端,我将使用Codeigniter REST框架。 I have some security issues and I don't want to start developing without fixing them on my mind. 我有一些安全问题,我不想在没有修复它的情况下开始开发。
I don't want to use something like api key because it will be reachable by the client and I think it will not secure my methods on api side. 我不想使用像api键这样的东西,因为它可以被客户端访问,我认为它不会保护我在api方面的方法。 I'm thinking to use token based authentication but I don't know if it is suitable for my case. 我正在考虑使用基于令牌的身份验证,但我不知道它是否适合我的情况。 Do I need to verify the user for every request to server? 我是否需要为服务器的每个请求验证用户? Or is it enough to use just api key for backend side? 或者仅仅使用api密钥用于后端端? And also I am planning to use this api with applications on the different platforms in the future. 此外,我计划将来在不同平台上使用此api应用程序。
I can't decide what to do. 我无法决定该怎么做。 If anyone advice me something I will be very appreciate. 如果有人建议我,我将非常感激。
1 个解决方案
解决方案1
3 已采纳 2015-06-22 08:58:43
You can use an API key, however - as you wrote - it's pure protection and easily accessible value - potential abuser just needs to view the source or investigate the queries. 您可以使用API密钥,但是 - 正如您所写的那样 - 它是纯粹的保护和易于访问的价值 - 潜在的滥用者只需要查看源或调查查询。
In general REST APIs are secured with tokens. 通常,REST API使用令牌进行保护。 At the beginning of the session (not in traditional meaning - rather interaction), client needs to authorize itself and if everything is correct, it will be given a token. 在会话开始时(不是传统意义 - 相当交互),客户端需要授权自己,如果一切正确,它将被赋予令牌。 This token should be included as a header to all subsequent requests that need protection. 此标记应作为标题包含在所有需要保护的后续请求中。 You may use simple filter on the backend side that will be protecting selected endpoints via verifying it the token that was sent is valid. 您可以在后端使用简单的过滤器,通过验证已发送的令牌是否有效来保护选定的端点。 This is how it works. 这是它的工作原理。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.