
REST API Filters for 'self'

I have a lot of APIs that are to be dual-use, by both an end-user and administrative staff. I will use preferences and give two examples:

  • /user/preferences - This gives the end-user their preferences
  • /users/{user}/preferences - This gives any person's preferences

Clearly this is leading to duplication. Of course, I can use only '/users/{user}/preferences' for both end-users and administrators, but then I end up with other problems:

1) The person will need to put in their user ID into each call, which is clunky.

2) Security will now become a problem, as the backend needs to ensure that each request is being managed correctly, i.e. a malicious person cannot put in another person's ID and retrieve their preferences.

What's the best pattern to follow here?

One option is to make the /user/preferences take an optional ?userid= parameter for the admin calls. Then you can use the same endpoint and branch based on admin == true && args[userid] .

The comment on proxy api endpoints is good too, where a less specific call ( /user/preferences ) calls a more specific endpoint ( /user/{userid}/preferences ).

Either is a good option. A lot of people put all the admin calls under /admin/... and add a handler to verify the caller is actually an admin before routing to the regular calls ( /admin/users/preferences -> verify is_admin -> /users/preferences?userid=bob ).
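The three routings described in the answer, written out as an added example (this is not code from the question or the answer, and it uses no particular web framework). Each handler takes the authenticated principal plus the route parameters and returns an (HTTP status, body) pair; the `Principal` type, the handler names, the `ROUTES` table and the sample preference store are all constructed for illustration. The point the question's item 2 raises, that a caller must not be able to read another user's record by supplying their ID, is enforced in exactly one place, `authorize_target`, and every route reaches the data through it:

```python
"""Owner-or-admin authorization for dual-use 'self' / '{user}' endpoints.

Added example, not part of the original post. Framework-free: a handler is a
function of (principal, route params) returning (status, body). Names and
sample data are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

Response = Tuple[int, dict]


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, as established by the auth layer (assumed)."""
    user_id: str
    is_admin: bool = False


# Constructed sample store; a real service would query a database.
PREFERENCES = {
    "alice": {"theme": "dark"},
    "bob": {"theme": "light"},
}


def authorize_target(principal: Principal, target_user_id: str) -> Optional[Response]:
    """Owner-or-admin rule: a user may act only on their own record, an admin on
    anyone's. Returns None when allowed, otherwise a 403 response. Runs before
    any lookup, so a non-admin learns nothing about whether another ID exists."""
    if target_user_id == principal.user_id or principal.is_admin:
        return None
    return 403, {"error": "forbidden"}


def handle_user_preferences(principal: Principal, user_id: str) -> Response:
    """GET /users/{user}/preferences: the one place the rule is enforced."""
    denied = authorize_target(principal, user_id)
    if denied:
        return denied
    prefs = PREFERENCES.get(user_id)
    if prefs is None:
        return 404, {"error": "no such user"}
    return 200, prefs


def handle_self_preferences(principal: Principal, query: dict) -> Response:
    """GET /user/preferences[?userid=...]: the 'self' shortcut. Without the
    parameter it resolves to the caller; with it, the admin override from the
    answer. Either way it proxies to the specific endpoint instead of
    duplicating data access, so the authorization logic exists once."""
    target = query.get("userid", principal.user_id)
    return handle_user_preferences(principal, target)


def handle_admin_preferences(principal: Principal, user_id: str) -> Response:
    """GET /admin/users/{user}/preferences: the /admin/... prefix variant.
    The prefix handler rejects non-admins before routing, so an ordinary user
    gets 403 here even for their own ID; the regular routes serve that case."""
    if not principal.is_admin:
        return 403, {"error": "admin only"}
    return handle_user_preferences(principal, user_id)


# Constructed route table: (path pattern, handler taking principal, match, query).
ROUTES = [
    (re.compile(r"^/user/preferences$"),
     lambda p, m, q: handle_self_preferences(p, q)),
    (re.compile(r"^/users/(?P<user>[^/]+)/preferences$"),
     lambda p, m, q: handle_user_preferences(p, m["user"])),
    (re.compile(r"^/admin/users/(?P<user>[^/]+)/preferences$"),
     lambda p, m, q: handle_admin_preferences(p, m["user"])),
]


def dispatch(principal: Principal, path: str, query: Optional[dict] = None) -> Response:
    """Route a request to the first matching handler; 404 when nothing matches."""
    query = query or {}
    for pattern, handler in ROUTES:
        match = pattern.match(path)
        if match:
            return handler(principal, match, query)
    return 404, {"error": "no route"}


if __name__ == "__main__":
    alice = Principal("alice")
    root = Principal("root", is_admin=True)
    print(dispatch(alice, "/user/preferences"))                      # (200, {'theme': 'dark'})
    print(dispatch(alice, "/users/bob/preferences"))                 # (403, ...)
    print(dispatch(root, "/user/preferences", {"userid": "bob"}))    # (200, {'theme': 'light'})
    print(dispatch(alice, "/admin/users/alice/preferences"))         # (403, ...)
```

Whichever URL shape you settle on, keeping a single `authorize_target` between the router and the store is what makes the duplication harmless: the `/user/...` shortcut and the `/admin/...` prefix are thin adapters, and a new route cannot reach a record without passing the same check.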
