
Is it better to handle logged in user data server-side or client-side?

I'm building a stateless REST-based app with JWT auth. I can get (the question relates to GET requests) all the user's posts by implementing a variable server-side that takes an ID parameter passed from the client:

http://example.com/api/v1/posts?user_id=1

$q = $q->where('user_id', '=', $data['user_id']);

Or, I could check the user ID server-side, and create a new route to get only the logged-in user's posts:

http://example.com/api/v1/me/posts

$q = $q->where('user_id', '=', Auth::user()->id);

When would I use each approach and why?

This will depend on the level of access that you want to give a user to Post resources.

The first approach gives any user the ability to access the resources of ANY user, for example:

- Tweets of a Twitter public user.
- Posts made by an author in a public magazine
- etc

The second approach is often used when you want to restrict a user to only see his/her resources. For example:

- To see or edit his/her profile.
- Access historic data (like order details, likes, invoices)
- etc

Protecting endpoints this way prevents user A from modifying or accessing content that he/she may not have permission to make/see.

The use of either of those approaches will depend on the use case.
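To make the difference between the two routes concrete, here is an added example (not code from the original question or answer) that models both approaches over a small in-memory post table. The JWT is represented by an already-verified claims dict; the assumption is that signature and expiry checks happened upstream in middleware, so only the `sub` claim is used here. The function names `posts_by_query_param_naive`, `posts_by_query_param` and `posts_for_me`, and the `public` flag on a post, are hypothetical. The example goes slightly beyond the page by showing what the query-parameter route leaks when private rows exist and the only filter is the client-supplied `user_id`.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Post:
    id: int
    user_id: int
    body: str
    public: bool = True


# Constructed sample data: user 1 has one public post and one private draft,
# user 2 has one public post.
POSTS = [
    Post(1, 1, "alice: public post", True),
    Post(2, 1, "alice: private draft", False),
    Post(3, 2, "bob: public post", True),
]


def _parse_user_id(user_id_param: str) -> int:
    """Validate the client-supplied id before it reaches the query."""
    try:
        return int(user_id_param)
    except (TypeError, ValueError):
        raise ValueError("user_id must be an integer")


def posts_by_query_param_naive(user_id_param: str) -> List[Post]:
    """Approach 1 as literally written on the page: filter only by the id the
    client sent. The caller's own identity plays no part, so if the table holds
    non-public rows they are returned to anyone who guesses the id."""
    uid = _parse_user_id(user_id_param)
    return [p for p in POSTS if p.user_id == uid]


def posts_by_query_param(user_id_param: str) -> List[Post]:
    """Approach 1 made safe for the 'public profile' use case: any caller may
    look up any user, but only rows marked public are visible."""
    uid = _parse_user_id(user_id_param)
    return [p for p in POSTS if p.user_id == uid and p.public]


def posts_for_me(claims: dict) -> List[Post]:
    """Approach 2: the owner comes from the verified token's `sub` claim, never
    from request input, so the caller can only ever see their own rows,
    including private ones."""
    uid = int(claims["sub"])
    return [p for p in POSTS if p.user_id == uid]


if __name__ == "__main__":
    # A caller with no token at all asking about user 1:
    print([p.id for p in posts_by_query_param_naive("1")])  # leaks the draft
    print([p.id for p in posts_by_query_param("1")])        # public only
    # User 1 and user 2 each calling /me/posts with their own verified token:
    print([p.id for p in posts_for_me({"sub": "1"})])
    print([p.id for p in posts_for_me({"sub": "2"})])
```

The point the example makes is that `/posts?user_id=` is an unauthenticated lookup and must only ever return data that is fine for everyone to see, while `/me/posts` ties the filter to the identity the server itself established, which is the route to use for anything the user should see only about themselves.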
