简体繁体 English

清洁架构和身份验证。正确方法？

[英]Clean Architecture and authentication. Correct way?

原文 2019-02-14 16:53:50 5 1 android/ authentication/ use-case/ clean-architecture

I'm working on an Android app based on Clean Architecture pattern and I have doubts how to implement user authentication in a clean way.我正在开发一个基于 Clean Architecture 模式的 Android 应用程序，但我怀疑如何以一种干净的方式实现用户身份验证。 Is the following solution clean in terms of clean architecture?就干净的架构而言，以下解决方案是否干净？

I would create use cases like below (executed from presentation layer):我会创建如下用例（从表示层执行）：

LoginUseCase (for provided login and password fetches api token via remote service and saves in local token source) LoginUseCase （用于提供的登录名和密码通过远程服务获取 api 令牌并保存在本地令牌源中）
LogoutUseCase (clears token from LocalTokenSource ) LogoutUseCase （从LocalTokenSource清除令牌）

( LocalTokenSource interface would be stored in domain layer and its implementation in data layer - kind of repository) （ LocalTokenSource接口将存储在域层中，其实现在数据层中 - 一种存储库）

And in order to perform token refresh at each app launch (it's not a use case from the user perspective, right?) I would create SessionManager component in domain layer.并且为了在每次应用程序启动时执行令牌刷新（从用户的角度来看这不是用例，对吗？）我将在域层创建SessionManager组件。 SessionManager would be responsible for refreshing token and saving it in LocalTokenSource . SessionManager将负责刷新令牌并将其保存在LocalTokenSource 。 Each time activity is started, from its presenter I would execute refreshToken() on injected SessionManager.每次活动开始时，从它的演示者那里我会在注入的SessionManager.上执行refreshToken() SessionManager. What do you think about the solution?您对解决方案有何看法？

If it's clean, then how to handle passing token to the remote service to execute other API methods which require token?如果它是干净的，那么如何处理将令牌传递给远程服务以执行其他需要令牌的 API 方法？ Lets say I have PostsRepository which fetches posts data from remote service.假设我有PostsRepository ，它从远程服务获取帖子数据。 Should I pass token from a use case to the repository method like repo.getPosts(token) ?我应该将令牌从用例传递给repo.getPosts(token)类的存储库方法吗？ Or inject LocalTokenSource to the repository, so it could read the token on its own?或者将LocalTokenSource注入存储库，以便它可以自己读取令牌？ Wouldn't the second option violate Clean Architecture rules, because LocalTokenSource would be used in 2 layers?第二个选项会不会违反 Clean Architecture 规则，因为LocalTokenSource将在 2 层中使用？

1 个解决方案

The central question you would have to decide is: Do you want to model authorization (and so the usage of the token) as an aspect of your business logic OR do you want to consider it as an "implementation detail".您必须决定的核心问题是：您是否要将授权（以及令牌的使用）建模为业务逻辑的一个方面，还是要将其视为“实施细节”。

If you decide for the first, having dedicated use cases for it, adding the SessionManager to the domain layer and passing the token to the repositories would be a consistent modeling.如果你决定第一个，有专门的用例，将 SessionManager 添加到域层并将令牌传递到存储库将是一致的建模。

If you decide for the later, login/logout/refresh as well as the existence of the token is probably best kept "behind the scenes", so in the framework or gateway layer.如果您决定稍后，登录/注销/刷新以及令牌的存在可能最好保留在“幕后”，因此在框架或网关层中。

Both approaches would follow the rules of the Clean Architecture (as long as you do not violate the dependency rule).这两种方法都将遵循 Clean Architecture 的规则（只要您不违反依赖项规则）。