简体繁体 English

REST API 无前端注册新用户的设计模式

[英]REST API design pattern to register new users without frontend

原文 2022-05-30 10:59:37 4 1 rest/ http/ web-services/ restful-url

I am building a REST API with some CRUD resources (in laravel, if that matters).我正在构建一个带有一些 CRUD 资源的 REST API（在 laravel 中，如果重要的话）。 Now I came to the point where I need to add authentication to my application.现在我到了需要向我的应用程序添加身份验证的地步。 I personally would like to avoid building a whole user interface (as webpage, etc), but rather stick to a REST API that you can use with curl for example.我个人希望避免构建一个完整的用户界面（如网页等），而是坚持使用 REST API，例如可以与 curl 一起使用。

But how would you design such a pattern?但是你会如何设计这样的模式呢？ Should users register through the rest api, should I manually create new users?用户应该通过rest api注册，我应该手动创建新用户吗？ My system won't have much users, it is just a developer access where I want to give different companies access to the data.我的系统不会有太多用户，它只是一个开发人员访问权限，我想让不同的公司访问数据。

A login/session for REST does not make sense to me, it would also make the API more complicated, especially without frontend. REST 的登录/会话对我来说没有意义，它也会使 API 更复杂，尤其是没有前端。 Isn't there a common solution/pattern for that, that people already use?难道没有一个人们已经在使用的通用解决方案/模式吗？

So questions I am thinking about:所以我在想的问题：

Should people use something like /register or should I create users via cmd myself?人们应该使用/register之类的东西，还是我应该自己通过 cmd 创建用户？
How do I avoid that strangers could register?如何避免陌生人注册？ Or how would I handle giving out/upgrading permissions for specific users?或者我将如何处理特定用户的授予/升级权限？
Should I really create new users or only have a single user (me/admin) that gives out tokens with specific capabilities?我真的应该创建新用户还是只有一个用户（我/管理员）可以提供具有特定功能的令牌？
How to I manage roles/rights?如何管理角色/权限？ On a token basis, on a user basis or both?以令牌为基础，以用户为基础，还是两者兼而有之？
How do I transmit the token safely to the new user?如何将令牌安全地传输给新用户？ I'd like to avoid having complex email handling as well in my application.我想避免在我的应用程序中也进行复杂的 email 处理。

1 个解决方案

1. Should people use something like /register or should I create users via cmd myself? 1. 人们应该使用 /register 之类的东西，还是我应该自己通过 cmd 创建用户？
2. How do I avoid that strangers could register? 2.如何避免陌生人注册？ Or how would I handle giving out/upgrading permissions for specific users?或者我将如何处理特定用户的授予/升级权限？
5. How do I transmit the token safely to the new user? 5. 如何将令牌安全地传输给新用户？ I'd like to avoid having complex email handling as well in my application.我想避免在我的应用程序中也进行复杂的 email 处理。

Given:鉴于：

My system won't have much users我的系统不会有太多用户

and your question (2), it should be easy for you to manually manage registration - that is, whoever needs access to the APIs contacts you manually, and you update your user DB manually, and manually send them their access token.和你的问题（2），你应该很容易手动管理注册 - 也就是说，任何需要访问 API 的人都会手动联系你，你手动更新你的用户数据库，并手动向他们发送他们的访问令牌。

Usually API-based registration requires some access (in case the APIs are not public), and usually some proof that you're a human (eg CAPTCHA).通常基于 API 的注册需要一些访问权限（如果 API 不是公开的），并且通常需要一些证明您是人类的证据（例如 CAPTCHA）。 Manual interaction with you provides both.与您的手动交互提供了两者。

3. Should I really create new users or only have a single user (me/admin) that gives out tokens with specific capabilities? 3. 我真的应该创建新用户还是只有一个用户（我/管理员）可以提供具有特定功能的令牌？

It's a really bad practice to have multiple people/agents use the same user.让多个人/代理使用同一个用户是一种非常糟糕的做法。 For security, auditability, and possibly some features that you might not be anticipating at the moment, you should allocate a user for each agent/person using your APIs.对于安全性、可审计性以及您目前可能没有预料到的某些功能，您应该为使用 API 的每个代理/人员分配一个用户。