symfony4在api密钥身份验证器中获取标头
[英]symfony4 get header in api key authentificator
问题描述
i want to pass the API token obtained in the login controller as an HTTP header to allow the ApiKeyAuthentificator to read it using $apiKey = $request->headers->get('apikey'); 
我想将在登录控制器中获得的API令牌作为HTTP标头传递,以允许ApiKeyAuthentificator使用$apiKey = $request->headers->get('apikey');读取它$apiKey = $request->headers->get('apikey'); . 。
I used to make it work using query parameters but this seems unsafe. 我曾经使用查询参数使其工作,但这似乎是不安全的。
- In the login controller 在登录控制器中
I set an apikey http header before returning the reponse: 我在返回响应之前设置了apikey http标头:
$response = $this->redirectToRoute('home');
$response->headers->set('apikey', $data->token);
return $response;
- In the home controller 在家庭控制器中
After successful redirection to home, if I var_dump the headers, the header is not set and request->headers->get('apikey') returns null . 成功重定向到home后,如果我var_dump标头,则未设置标头,并且request->headers->get('apikey')返回null 。
However , after redirection, if I open the network inspector and look for the POST request from the login controller, the header is set. 但是 ,重定向后,如果我打开网络检查器并从登录控制器中查找POST请求,则会设置标头。
But the header is not set in the GET request of the home, which I guess is why I cannot get it in the home controller using $apiKey = $request->headers->get('apikey'); 但是标头未在home的GET请求中设置,我想这就是为什么我无法使用$apiKey = $request->headers->get('apikey');在home控制器中$apiKey = $request->headers->get('apikey');
- In the ApiKeyAuthentificator 在ApiKeyAuthentificator中
Same issue. 同样的问题。 Cannot access the HTTP header using $apiKey = $request->headers->get('apikey'); 无法使用$apiKey = $request->headers->get('apikey');访问HTTP标头
If I set a cookie, I manage to get it in the home controller and the authentificator, why can't I with a header ? 如果设置了cookie,则设法在家庭控制器和身份验证器中获取它,为什么不能带标头?
How to correctly set and access an HTTP header using symfony requests / responses, and make it accessible from the authentificator ? 如何使用symfony请求/响应正确设置和访问HTTP标头,并使其可从身份验证器访问?
1 个解决方案
解决方案1
0 已采纳 2018-03-09 20:35:11
You've misunderstood the purpose of HTTP request/response headers here. 您在这里误解了HTTP请求/响应标头的用途。 Headers themselves are not designed in this raw form, as you are doing, to indicate any kind of session or persistence. 标题本身并不是像您所做的那样以这种原始形式设计的,以指示任何类型的会话或持久性。 HTTP itself is very stateless, with no request being related to any other that comes along. HTTP本身是非常无状态的,没有任何请求与随之而来的其他请求相关。
Your application can, and is, giving a header in its response but there is literally no reason at all why a web browser should include that same header again in future requests for the purpose of linking requests. 您的应用程序可以并且正在给出响应的标头,但是从根本上讲,没有理由为什么Web浏览器应该在以后的请求中再次包含相同的标头以链接请求。 Only a custom HTTP client/implementation, such as a bespoke native mobile/tablet app, would ever deliberately include an API key/token in HTTP headers directly. 只有定制的HTTP客户端/实现(例如定制的本机移动/平板电脑应用)会故意在HTTP标头中直接包含API密钥/令牌。 (No standard web browser would so this without some beefy Javascript implementation to handle literally all navigation.) (没有任何标准的Web浏览器会这样做,而没有一些强大的Javascript实现来处理所有的导航。)
Cookies are exactly what you need here. Cookies正是您在这里需要的。 Typically you don't need to worry about them too, because PHP has session variables of which you can store as much as you like, with a single cookie being used to associate future requests with a set of session variables. 通常,您也不必担心它们,因为PHP具有会话变量,您可以根据需要存储尽可能多的会话变量,并且使用单个cookie将将来的请求与一组会话变量相关联。 (Session identifier cookie, typically named "PHPSESSID".) (会话标识符cookie,通常命名为“ PHPSESSID”。)
The login controller should be storing anything related to the user's authenticated session in PHP's session variables once it has verified the user is genuine. 一旦确认用户是真实用户,登录控制器应该在PHP的会话变量中存储与用户身份验证的会话相关的任何内容。 Once that has been done a cookie will be passed to the client web browser with no further action required from you. 完成此操作后,无需您采取任何其他措施即可将Cookie传递到客户端Web浏览器。
-- -
This explanation is just conceptual though. 不过,这种解释只是概念上的。 Symfony being a very complete framework has taken care of this concept for you . Symfony是一个非常完整的框架,已为您解决了这一概念 。 The comment // or if you want to use an "apikey" header, then do something like this: is mainly for a custom web client (apps). 注释// or if you want to use an "apikey" header, then do something like this:主要用于自定义Web客户端(应用程序)。 If your goal is having a custom client side HTTP/web client then it's your job to remember token variables elsewhere in the app's memory, which would not be in a HTTP module as standard. 如果您的目标是使用自定义客户端HTTP / Web客户端,则记住应用内存中其他位置的令牌变量是您的工作,而令牌变量通常不在HTTP模块中。
I think what you may need from the article I linked is specifically the part about storing authentication in the session . 我认为您可能需要从我链接的文章中找到关于在会话中存储身份验证的部分。 The HTTP client will then only need to provide an API key once. 然后,HTTP客户端仅需要提供一次API密钥。
-- -
As for safety, a HTTP header is no safer than a query variable to anyone smart enough to know how a HTTP request is structured. 关于安全性,对于足够聪明的人来说,HTTP标头比查询变量更安全,因为它知道HTTP请求的结构。 (This is basic knowledge of HTTP.) This is on par with post variables being no safer than query variables. (这是HTTP的基本知识。)这与post变量并不比查询变量更安全。
- If you're using a standard web browser the only benefit is not seeing the API key in the address bar, but then you should be using a session cookie for these clients anyway rather than an API key in every subsequent request. 如果您使用的是标准的Web浏览器,唯一的好处是不会在地址栏中看到API密钥,但是无论如何,您应该为这些客户端使用会话cookie,而不是在每个后续请求中都使用API密钥。
- If you're creating a custom web client for an app then the custom header would be visible to someone snooping in on the HTTP traffic anyway just as easily as a query variable. 如果要为应用程序创建自定义Web客户端,则对HTTP流量进行窥探的人都可以看到自定义标头,就像查询变量一样容易。
Enforcing HTTPS is the only way you could effectively hide a custom HTTP header or query variable from traffic sniffers, offering exactly the same protection to each part of the request, and subsequent response. 强制使用HTTPS是您可以有效地对流量嗅探器隐藏自定义HTTP标头或查询变量的唯一方法,为请求的每个部分和后续响应提供完全相同的保护。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.