
API Authentication flow

I'm currently writing an API in Go and have been racking my brain over how to do authentication/authorization correctly and securely.

As I understand it, this is how it goes:

  • New user registers for an account via the api/user/register endpoint (or api/user/login for existing users).
  • Server receives the request and checks that the username is unique, etc. After that, it issues (if all is well) an access token and a refresh token, both signed for added security.
  • The client app receives the tokens and stores them in a browser cookie (or local/session storage) and makes sure to send them securely over HTTPS in any subsequent requests to the API.
  • When receiving requests to protected routes, the server checks the access token's expiry date, and if expired, will check the refresh token's validity in the database. If it's invalid, ask for reauthentication client-side. Otherwise, reissue a new access token.

My questions are regarding the steps dealing with refresh tokens.

I am also writing the client application (in React); I won't be releasing the API to the public. I simply am writing the backend as an API for the client app.

  • Should I still use refresh tokens?
  • Do I need an api/auth/token route? I keep reading about them in implementation examples and I feel like I can just have some helper functions to query the database and reissue tokens in my backend code instead of having to query another endpoint to do so.

Sorry if they're dumb questions, but I've been poring over page after page detailing the auth spec, and the subtle differences from page to page are leaving me confused and unsure of what is truly "best practice" in production.

I think you are confusing this over the word login. Instead of /api/user/login I call it /api/user/authentication. So if the request has JSON attached to its body, it returns a valid token. But if the request has a valid Authentication header, you just issue a new token valid for the same period of time. This is especially good for frontends, so you could try to re-auth automatically.

// Handler for /api/user/authentication: a JSON body is a fresh login,
// a valid Authorization header is a request to renew the current token.
func authenticate(w http.ResponseWriter, r *http.Request) {
    newUser := types.User{}
    if r.Body != nil {
        err := json.NewDecoder(r.Body).Decode(&newUser)
        // ... check err, verify the credentials in newUser, issue a token
    }
    authHeader := r.Header.Get("Authorization")
    if authHeader != "" {
        // Keep the verified token: it is the input for the renewal below.
        token, err := USERAUTH.CheckJWT(w, r)
        if err != nil {
            // ... reject the request, e.g. 401
        }
        newToken := GenerateTokenFromToken(token)
        // ... write newToken to the response
    }
}
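Putting the two posts together in working code: the block below is an added example written for this page, not the asker's API and not the answerer's code. It implements the asker's fourth step (signed access token with an expiry, refresh token whose hash lives in a database stand-in, reissue on expiry with the refresh token rotated) and the answer's header path (a still-valid token alone yields a fresh pair), using only the Go standard library. signingKey, AuthStore, TokenPair, the 15-minute and 7-day lifetimes and the user name "alice" are constructed for the example; a production service would normally use a JWT library and a persistent store instead of the in-memory map.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"strconv"
	"strings"
	"time"
)

// Constructed demo key; a real service loads it from configuration, never from source.
var signingKey = []byte("constructed-demo-key-not-for-production")

var ErrInvalid = errors.New("token invalid: client must re-authenticate")
var ErrExpired = errors.New("access token expired")

// TokenPair is what the server returns after register/login and after a renewal.
type TokenPair struct{ Access, Refresh string }

type refreshRecord struct{ User string; Expires time.Time }

// AuthStore stands in for the database: refresh tokens are keyed by their SHA-256 so a
// leaked table cannot be replayed as-is, and the clock is injected so expiry is testable.
type AuthStore struct {
	refresh map[[32]byte]refreshRecord
	now     func() time.Time
}

func NewAuthStore(now func() time.Time) *AuthStore {
	return &AuthStore{refresh: map[[32]byte]refreshRecord{}, now: now}
}

func sign(payload string) string {
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// IssueAccess builds "base64url(user).expiryUnix.sig"; the signature covers the expiry,
// so a client cannot extend its own token's lifetime.
func (s *AuthStore) IssueAccess(user string, ttl time.Duration) string {
	payload := base64.RawURLEncoding.EncodeToString([]byte(user)) + "." +
		strconv.FormatInt(s.now().Add(ttl).Unix(), 10)
	return payload + "." + sign(payload)
}

// VerifyAccess acts on nothing until the signature checks out. A genuine but expired
// token still returns its user (with ErrExpired) so the refresh path knows the session.
func (s *AuthStore) VerifyAccess(tok string) (string, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return "", ErrInvalid
	}
	user, err := base64.RawURLEncoding.DecodeString(parts[0])
	exp, err2 := strconv.ParseInt(parts[1], 10, 64)
	want := sign(parts[0] + "." + parts[1])
	if err != nil || err2 != nil || subtle.ConstantTimeCompare([]byte(parts[2]), []byte(want)) != 1 {
		return "", ErrInvalid
	}
	if s.now().Unix() >= exp {
		return string(user), ErrExpired
	}
	return string(user), nil
}

// Issue hands out a 15-minute access token plus an opaque week-long refresh token,
// of which only the hash is stored.
func (s *AuthStore) Issue(user string) (TokenPair, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return TokenPair{}, err
	}
	refresh := base64.RawURLEncoding.EncodeToString(raw)
	s.refresh[sha256.Sum256([]byte(refresh))] = refreshRecord{user, s.now().Add(7 * 24 * time.Hour)}
	return TokenPair{Access: s.IssueAccess(user, 15*time.Minute), Refresh: refresh}, nil
}

// Renew covers both posts: a still-valid access token alone yields a fresh pair (the
// answer's header path); an expired one is honoured only with a live refresh token for
// the same user (the question's fourth step). The presented refresh token is consumed
// either way, so a replayed copy fails and the client has to log in again.
func (s *AuthStore) Renew(access, refresh string) (TokenPair, error) {
	user, err := s.VerifyAccess(access)
	if err != nil && !errors.Is(err, ErrExpired) {
		return TokenPair{}, ErrInvalid
	}
	key := sha256.Sum256([]byte(refresh))
	rec, ok := s.refresh[key]
	delete(s.refresh, key) // single use, whether or not it turns out to be valid
	if err != nil && (!ok || rec.User != user || !s.now().Before(rec.Expires)) {
		return TokenPair{}, ErrInvalid
	}
	return s.Issue(user)
}
```

Renew is a plain method rather than a route of its own: a login handler calls Issue after checking credentials, and any protected-route handler can call Renew with the presented tokens, which is the "helper functions in the backend" shape the question leans toward. Because the refresh token is deleted before it is checked, a token that is expired, forged or bound to another user is gone after one attempt, and the client is pushed back to re-authentication exactly as the fourth step describes.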
