stackoom
  简体   繁体   中英

REST API design pattern to register new users without frontend

 原文  2022-05-30 10:59:37       rest/ http/ web-services/ restful-url

Question

I am building a REST API with some CRUD resources (in laravel, if that matters). Now I came to the point where I need to add authentication to my application. I personally would like to avoid building a whole user interface (as webpage, etc), but rather stick to a REST API that you can use with curl for example.

But how would you design such a pattern? Should users register through the rest api, should I manually create new users? My system won't have much users, it is just a developer access where I want to give different companies access to the data.

A login/session for REST does not make sense to me, it would also make the API more complicated, especially without frontend. Isn't there a common solution/pattern for that, that people already use?

So questions I am thinking about:

  1. Should people use something like /register or should I create users via cmd myself?
  2. How do I avoid that strangers could register? Or how would I handle giving out/upgrading permissions for specific users?
  3. Should I really create new users or only have a single user (me/admin) that gives out tokens with specific capabilities?
  4. How to I manage roles/rights? On a token basis, on a user basis or both?
  5. How do I transmit the token safely to the new user? I'd like to avoid having complex email handling as well in my application.

1 answers

solution1
 1  2022-05-31 05:04:23

1. Should people use something like /register or should I create users via cmd myself?
2. How do I avoid that strangers could register? Or how would I handle giving out/upgrading permissions for specific users?
5. How do I transmit the token safely to the new user? I'd like to avoid having complex email handling as well in my application.

Given:

My system won't have much users

and your question (2), it should be easy for you to manually manage registration - that is, whoever needs access to the APIs contacts you manually, and you update your user DB manually, and manually send them their access token.

Usually API-based registration requires some access (in case the APIs are not public), and usually some proof that you're a human (eg CAPTCHA). Manual interaction with you provides both.

3. Should I really create new users or only have a single user (me/admin) that gives out tokens with specific capabilities?

It's a really bad practice to have multiple people/agents use the same user. For security, auditability, and possibly some features that you might not be anticipating at the moment, you should allocate a user for each agent/person using your APIs.

4. How to I manage roles/rights? On a token basis, on a user basis or both?

It sounds like your case is simple enough to keep things simple and manage authorization based on users.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to prevent bots using REST API calls to register new users from an mobile app? REST API design, which pattern to use REST API URI Design for users and sessions? in a rest api design, is there a pattern to get history of object ASP.NET Web Api (REST): Authentication using the users credentials or a token? Leave "Register new user" resource password free? REST - Rails API Frontend Laravel REST API and frontend is it possible to built REST API without knowing about frontend for mobiles apps Design Pattern for versioning data objects in PHP Rest API What design pattern to implement in order to use a REST API?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM