Mobile App: users writing to DB, how to be sure they can (authentication)?
I think it's important to say that I don't have any experience in the technologies named below. I have some idea of what is going on, and I've googled a lot, but still, the more I google the dumber I feel. :)
I am making an app in Ionic 2; users of this app can read/write data about themselves in the DB.
I am using Wordpress as the backend; actually, users will change values in a table that was created by some Wordpress plugin.
First problem: I have no experience at all.
Second one: I must understand which user is knocking on the server, because a user can change only his own data in the DB.
I've solved it by creating a script that checks the GET request from the app; that request has a param with the user's nickname. So I have turned this script into a template and assigned it to the page. (A template was the first thing that came to my mind; if you have a better idea, please tell me how to do it better!)
Well, now I knew who it is, but I disliked that this is so insecure! It's only a GET request with the user name in it and the changes to bring into the DB. NOT GOOD.
I've thought that I should send not only the nickname but also some kind of a password, so I can check if the user is actually a genuine user, well, you know.
But knowing nothing about security, I didn't know where to start, so I started googling.
I've found out that there is 'Basic Authentication'. I disliked it because the password is very simple to decode (base64) and you must send it with every request (not safe).
Then I thought about encrypting the password with a strong algorithm like bcrypt and then sending it with the request. I disliked it too, because in the end you are always sending a password, even if strongly encrypted.
Now I've started to look in the direction of Auth 1.0 (because I saw that Wordpress has a plugin for it; I know little about WP, however).
But after all, I am not so sure that I am doing things in the right way. I must finish many things, but I am stuck with this security issue, and I don't know if it's my paranoia and there are simpler ways to accomplish what I want to do. I don't have much time and don't want to waste time anymore.
Please, someone who is a pro in this stuff, give me advice on how to do this thing in the right way, because I am going crazy with that stuff.
The best practice is to issue an access token from your server to your (or even a third-party) client application by the following steps.
RFC 6749 (The OAuth 2.0 Authorization Framework) defines 4 flows to issue an access token. Check the specification.
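As an added illustration (not part of the answer above, and not WordPress or Ionic code), the sketch below shows the shape of the token-based approach the answer recommends, using the password grant of RFC 6749 (one of its four flows): the client sends the password exactly once to obtain a random opaque token, and every later write is authorized from the token rather than from a nickname in the query string. The in-memory dictionaries are constructed stand-ins for the WordPress user table and the plugin's data table.

```python
import hashlib, hmac, os, secrets, time

# Constructed stand-ins: the real app would query the WordPress user table
# and the plugin's table instead of these dictionaries.
USERS = {}                                    # nickname -> (salt, password_hash)
PROFILE = {"alice": {"bio": "hello"}, "bob": {"bio": "hi"}}
TOKENS = {}                                   # access_token -> (nickname, expires_at)
TOKEN_TTL = 3600                              # seconds a token stays valid

def _hash(password, salt):
    # Slow, salted hash so stored credentials are useless if the table leaks.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(nick, password):
    salt = os.urandom(16)
    USERS[nick] = (salt, _hash(password, salt))

def issue_token(nick, password):
    """Token endpoint (password grant): verify the password once, then hand
    back an unguessable opaque token. The password never travels again."""
    rec = USERS.get(nick)
    if rec is None:
        return None
    salt, stored = rec
    if not hmac.compare_digest(stored, _hash(password, salt)):
        return None
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (nick, time.time() + TOKEN_TTL)
    return token

def user_for(token):
    """Resolve the caller's identity from the token; expired tokens are dropped."""
    entry = TOKENS.get(token)
    if entry is None or entry[1] < time.time():
        TOKENS.pop(token, None)
        return None
    return entry[0]

def update_profile(token, target_nick, field, value):
    """Resource endpoint: the server decides WHO is calling from the token,
    then allows the write only to that caller's own row (HTTP-style codes)."""
    caller = user_for(token)
    if caller is None:
        return 401                            # unknown or expired token
    if caller != target_nick:
        return 403                            # valid user, but not their data
    PROFILE.setdefault(target_nick, {})[field] = value
    return 200
```

Over the wire the token would travel in an `Authorization: Bearer ...` header over HTTPS, and a production version would also let the server revoke tokens.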