如何在烧瓶上保护 REST Api
[英]How to secure a REST Api on flask
问题描述
I need to develop a Rest API on my app (Based on Flask)
我需要在我的应用程序上开发一个 Rest API(基于 Flask)
But I don't really know how I should secure it.但我真的不知道我应该如何保护它。
Currently, I have a normal authentication for users who are coming from a browser.目前,我对来自浏览器的用户进行了常规身份验证。 (Using the session etc.) (使用会话等)
But for the API users, should I ask the username/password at every API request ?但是对于 API 用户,我应该在每次 API 请求时询问用户名/密码吗? Is it really secured ?真的有保障吗? I know than a lot of web API use tokens for API calls, is it a best way ?我知道很多 Web API 使用令牌进行 API 调用,这是最好的方法吗?
And in this case, how to implement it ?在这种情况下,如何实现它? (This is not really my field of expertise..) Thanks a lot (这不是我真正的专业领域..)非常感谢
1 个解决方案
解决方案1
24 已采纳 2017-12-19 17:45:48
You should use token based authentication technique to secure your API , the concept is simple once your user signs in, your site should save it somewhere and you send back that token to your user.您应该使用token based authentication技术来保护您的API ,一旦您的用户token based authentication ,这个概念很简单,您的站点应该将其保存在某个地方,然后将该令牌发送回您的用户。
For each call to your API, user should send token with every API request and you should validate the encoded toke and either deny or send back the response.对于对您的 API 的每次调用,用户应随每个 API 请求发送令牌,您应验证编码的令牌并拒绝或发回响应。
Have a look here: https://realpython.com/blog/python/token-based-authentication-with-flask/看看这里: https : //realpython.com/blog/python/token-based-authentication-with-flask/
Check this too http://flask-jwt-extended.readthedocs.io/en/latest/检查这个http://flask-jwt-extended.readthedocs.io/en/latest/
For better performance, you can store your session tokens in a NOSQL database like Redis .为了获得更好的性能,您可以将会话令牌存储在像Redis这样的NOSQL数据库中。
To support logins with social media sites, you should use OAuth which is working in the same way except it send back a couple of more tokens to the client.为了支持使用社交媒体网站登录,您应该使用OAuth ,它以相同的方式工作,只是它向客户端发送回几个令牌。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.