简体繁体 English

通过 API 创建用户的最佳实践是什么？

[英]What is the best practice to create users via API?

原文 2020-02-28 23:21:59 6 1 security/ oauth-2.0/ architecture/ odoo/ software-design

I am building a mobile app which uses users and the Odoo backend.我正在构建一个使用用户和 Odoo 后端的移动应用程序。 The user should be able to create a user account via this mobile app.用户应该能够通过此移动应用程序创建用户帐户。 I can connect with the API and create a user but I am concerned about security issues.我可以连接 API 并创建用户，但我担心安全问题。

If the user already has an account, he should connect to the backend using his credentials (login and password).如果用户已经有一个帐户，他应该使用他的凭据（登录名和密码）连接到后端。 If not, he should be able to create an account.如果没有，他应该能够创建一个帐户。

Currently the user is allowed to create new users and I can do that via API, with a "global" user, which I use to connect to the backend and create the real user account.目前允许用户创建新用户，我可以通过 API 使用“全局”用户来创建新用户，我用它来连接到后端并创建真正的用户帐户。 After connecting to the backend, he is given a session_id.连接到后端后，他会得到一个 session_id。 Then he can create a new user.然后他可以创建一个新用户。 Afterwards, the new user is able to login with his own credentials and consume other services.之后，新用户可以使用自己的凭据登录并使用其他服务。

What is the best practice to use in this case?在这种情况下使用的最佳实践是什么？

Should I create a token or something to ensure the App is being accessed via device or to avoid possible hacker attacks eg creating a bunch of fake users, by discovering the database name, server and password, by faking the App use?我是否应该创建令牌或其他东西以确保通过设备访问应用程序或避免可能的黑客攻击，例如通过发现数据库名称、服务器和密码、伪造应用程序使用来创建一堆假用户？ What should I implement to avoid this security issue?我应该采取什么措施来避免这个安全问题？

Am I really threatened?我真的受到威胁了吗？ Should I really be concerned or is it already ok?我真的应该担心还是已经可以了？

This is most likely a Software Architecture question.这很可能是一个软件架构问题。 Any help is appreciated.任何帮助表示赞赏。 Thank you.谢谢你。