API Authentication flow
I'm currently writing an API in Go and have been racking my brain over how to do authentication/authorization correctly and securely.
As I understand it, this is how it goes:
Register an account at the api/user/register endpoint (or api/user/login for existing users).
My questions are regarding the steps dealing with refresh tokens.
I am also writing the client application (in React); I won't be releasing the API to the public. I simply am writing the backend as an API for the client app.
api/auth/token route? I keep reading about them in implementation examples and I feel like I can just have some helper functions to query the database and reissue tokens in my backend code instead of having to query another endpoint to do so. Sorry if they're dumb questions, but I've been poring over page after page detailing the auth spec, and the subtle differences from page to page are leaving me confused and unsure of what is truly "best practice" in production.

I think you are confusing this over the word login. Instead of /api/user/login I call it /api/user/authentication. So if the request has a JSON attached to its body, it returns a valid token. But if the request got an Authentication Header that is valid, you just issue a new token valid for the same period of time. This is especially good for frontends, so you could try to re-auth automatically.
    newUser := types.User{}
    if r.Body != nil {
        if err := json.NewDecoder(r.Body).Decode(&newUser); err != nil {
            // ... reject malformed JSON; otherwise check the credentials and issue a token
        }
    }
    authHeader := r.Header.Get("Authorization")
    if authHeader != "" {
        // keep the verified token (it was discarded with "_" before, leaving
        // "token" undefined on the line that uses it)
        token, err := USERAUTH.CHeckJWT(w, r)
        if err != nil {
            // ... token invalid or expired: respond 401 and return
        }
        newToken := GenerateTokenFromToken(token)
        // ... write newToken back to the client
    }
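An added example (not the answer's code) of the helpers that handler leans on: minting a token at login and re-issuing one from a token that still verifies, the "same period of time" being a fresh TTL measured from the re-auth request. A minimal HMAC-signed token stands in for a JWT library, and the key, TTL, claim names and function names are assumptions; it also shows the two checks a refresh path must not skip (MAC before claims, then expiry), which the answer leaves to CHeckJWT.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)
// Constructed for this example: one HMAC key and a "base64url(claims).base64url(mac)"
// token standing in for a JWT library; names, key and TTL are assumptions, not the post's.
var key = []byte("demo-key-load-from-config-in-production")
const tokenTTL = 15 * time.Minute
type claims struct{ Sub string; Exp int64 }

func mac(s string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(s))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// issueToken is the login path: credentials already checked, mint a token.
func issueToken(sub string, now time.Time) string {
	body, _ := json.Marshal(claims{Sub: sub, Exp: now.Add(tokenTTL).Unix()})
	enc := base64.RawURLEncoding.EncodeToString(body)
	return enc + "." + mac(enc)
}

// verifyToken checks the MAC in constant time before trusting any claim, then expiry.
func verifyToken(tok string, now time.Time) (c claims, err error) {
	enc, sig, _ := strings.Cut(tok, ".")
	if !hmac.Equal([]byte(sig), []byte(mac(enc))) {
		return c, fmt.Errorf("bad signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(enc)
	if err != nil || json.Unmarshal(raw, &c) != nil || now.Unix() >= c.Exp {
		return c, fmt.Errorf("invalid or expired token")
	}
	return c, nil
}

// generateTokenFromToken is the re-auth path of the answer's handler: a token that
// still verifies is exchanged for a new one with the same TTL measured from now.
func generateTokenFromToken(old string, now time.Time) (string, error) {
	c, err := verifyToken(old, now)
	if err != nil {
		return "", err
	}
	return issueToken(c.Sub, now), nil
}
```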