Mobile App: users writing to DB how to be sure they can (authentication)?

I think it's important to say that I don't have any experience in the technologies nominated below, I have some idea what is going on, I've googled a lot, but still - the more I google the more dumb I feel. :)

Making an app in Ionic 2, users of this app can read/write data about themselves in the DB.

I am using Wordpress as the backend, actually users will change values in the table that was created by some Wordpress plugin.

First problem - I have no experience at all.
Second one - I must understand which user is knocking at the server. Because a user can change only his own data in the DB.

I've solved it by creating a script that checks the GET request from the app & that request has a param with the user nickname, so I have turned this script into a template and assigned it to the page. ( a template was the first thing that came to my mind, if you have a better idea - please tell me how to do it better! ).

Well, now I knew who it is, but I disliked that this is so insecure! It's only a GET request with the user name in it and the changes to bring into the DB. NOT GOOD. I've thought that I should send not only the nickname but also some kind of a password, so I can check if the user is actually the genuine user, well, you know.

But knowing nothing about security, I didn't know where to start, so I've started googling.

I've found out that there is 'Basic Authentication' - disliked it because the password is very simple to decode (base64) and you must send it with every request (not safe).

Then I thought about encrypting the pass with a strong algorithm like bcrypt & then sending it with the request. Disliked it too - because in the end you are always sending a password, even if strongly encrypted.

Now I've started to look in the direction of Auth 1.0 (because I saw that wordpress has a plugin for it, I know little about wp however).

But after all I am not so sure that I am doing things in the right way. I must finish many things, but I am stuck with this security issue and I don't know if it's my paranoia and there are simpler ways to accomplish what I want to do. Don't have much time, don't want to waste time anymore.

Please, someone who is a pro in this stuff, give me advice on how to do this thing in the right way! Because I am going crazy with that stuff.

The best practice is to issue an access token from your server to your (or even third-party) client application by the following steps.

  1. A user uses a client application.
  2. The client application asks the user whether to use your service.
  3. The user answers "yes".
  4. The client application opens the authorization page of your service using a web browser. In other words, the client application makes an authorization request to your authorization server.
  5. The authorization page explains to the user that the client application is requesting some permissions and asks the user whether to approve it or not.
  6. The user inputs his/her ID and password into the login form in the authorization page and then presses the "approve" button.
  7. Your authorization server authenticates the user and issues an access token to the client application.
  8. The client application accesses a Web API of your service with the access token.
  9. The Web API of your service checks whether the presented access token is valid or not.
  10. If the access token is valid, the Web API returns a successful response to the client application.

RFC 6749 (The OAuth 2.0 Authorization Framework) defines 4 flows to issue an access token. Check the specification.
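The flow in this answer, as an added example that is not from the answer's author: a minimal in-memory authorization server and API in Python, where `USERS`, `AuthServer`, `update_profile` and the sample nicknames are all assumed names (a real deployment would use an OAuth library on the WordPress side). It shows the two points the question is circling: the password is seen only by the authorization server's login page, and the API decides whose row may change from the token's owner, never from a nickname sent in the request.

```python
import hashlib, hmac, secrets, time

USERS = {}  # nickname -> (salt, password hash); constructed sample store

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(nick, password):
    salt = secrets.token_bytes(16)
    USERS[nick] = (salt, _hash_pw(password, salt))

class AuthServer:
    """Steps 4-7: checks the password on its own login page and issues tokens."""

    def __init__(self):
        self.codes = {}   # single-use authorization code -> nickname
        self.tokens = {}  # opaque access token -> (nickname, expiry time)

    def login_and_approve(self, nick, password):
        rec = USERS.get(nick)  # the password is seen only here, never by the API
        if rec is None or not hmac.compare_digest(_hash_pw(password, rec[0]), rec[1]):
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = nick
        return code

    def exchange_code(self, code, ttl=3600):
        nick = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if nick is None:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (nick, time.time() + ttl)
        return token

    def introspect(self, token):
        rec = self.tokens.get(token)  # step 9: known and unexpired?
        return None if rec is None or rec[1] < time.time() else rec[0]

def update_profile(auth, db, token, nick, data):
    """Steps 8-10: the API authorizes by the token's owner, not by a nickname parameter."""
    owner = auth.introspect(token)
    if owner is None:
        return 401  # no valid token
    if owner != nick:
        return 403  # token belongs to someone else: only your own row may change
    db[nick] = data
    return 200
```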
