2-part confusion with slim restful backend and twig

Updated: 2024-10-27 12:42:17


I am building an app to better understand Restful back-ends with clients that make calls to it. I am using slim to handle routing and service calls. I am stuck on two things though.

Part 1 - If restful APIs should not use sessions, how do I keep information like authenticated and user_id available? It was my understanding that storing that information in a cookie was a bad practice. Once a user authenticated, normally I would use $_SESSION['uid'].

Part 2 - This part is more confusing to me. I am using Twig for the front-end (not a cool js guy). Doing so all on the same server, I use slim-view to render twig. But that means my back-end is not sending JSON; it is doing everything. How is something like this separated? Is it worthwhile?

Accepted answer


Part 1

One method is to create a dynamic API key that is temporary; with this temp key you can then authenticate and authorize any request coming from the client.

On the server side you can store this temp API key inside a table with some fields to keep track of when the key was last used and how long the key is valid. By doing this you can invalidate API keys at the server side.

The client can store the key wherever, but if you are going to use PHP then I suggest storing it in the session.


Sidenote: This answer is based on an API I worked on. The field static in the table api_key is used for keys that can only be used to log in a user and obtain a dynamic key that was then used for authentication and authorization.

This was due to the fact that our client was written in JS and the static API key was plainly visible in the source code. So the client first had to issue a login request before obtaining a "legit" API key.


[image: server side api storage]

Part 2

You need to decouple your client project from your server project. Your client should only ever receive data (e.g. JSON) from the server; your server should never worry about how to present the data, only about sending it to the client.

The client can be written in any language and can even be hosted somewhere else. The only thing a client can't do is contact the database directly. It has to request every piece of information straight from the server.
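The following is an added example illustrating the answer above; it is not the answerer's code and not part of Slim. It models the temporary dynamic key from Part 1 (an api_key table with a static flag, a last-used timestamp and an expiry, revocable on the server) and a handler in the shape Part 2 describes (returns only JSON, no presentation). The table layout beyond the names the answer mentions, the X-Api-Key header, the one-hour lifetime and the use of an in-memory SQLite database are assumptions made for this example. One hardening detail the answer does not spell out: only a SHA-256 hash of each key is stored, so a copy of the table does not yield usable keys.

```php
<?php
// Added example (not from the answer above, not Slim's own code): a temporary,
// server-side-revocable API key store in plain PHP backed by in-memory SQLite.
// Assumed names: table api_key with columns static, last_used, expires_at;
// request header X-Api-Key; default key lifetime of one hour.
declare(strict_types=1);

function openStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Keys are stored hashed. static = 1 marks a login-only key; dynamic keys
    // (static = 0) carry the authenticated user id and an expiry time.
    $db->exec('CREATE TABLE api_key (
        key_hash   TEXT PRIMARY KEY,
        user_id    INTEGER,
        static     INTEGER NOT NULL DEFAULT 0,
        last_used  INTEGER,
        expires_at INTEGER
    )');
    return $db;
}

function hashKey(string $key): string {
    return hash('sha256', $key);
}

// Issue a random dynamic key for a user after a successful login.
// The plaintext key is returned exactly once; only its hash is persisted.
function issueDynamicKey(PDO $db, int $userId, int $ttlSeconds = 3600): string {
    $key  = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO api_key (key_hash, user_id, static, last_used, expires_at)
                          VALUES (:h, :u, 0, :now, :exp)');
    $stmt->execute([':h' => hashKey($key), ':u' => $userId,
                    ':now' => time(), ':exp' => time() + $ttlSeconds]);
    return $key;
}

// Returns the user id the key belongs to, or null when the key is unknown,
// static (login-only), expired or revoked. Updates last_used on success.
function authenticate(PDO $db, ?string $presentedKey): ?int {
    if ($presentedKey === null || $presentedKey === '') {
        return null;
    }
    $stmt = $db->prepare('SELECT user_id, static, expires_at FROM api_key WHERE key_hash = :h');
    $stmt->execute([':h' => hashKey($presentedKey)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['static'] === 1 || (int)$row['expires_at'] < time()) {
        return null;
    }
    $db->prepare('UPDATE api_key SET last_used = :now WHERE key_hash = :h')
       ->execute([':now' => time(), ':h' => hashKey($presentedKey)]);
    return (int)$row['user_id'];
}

// Server-side revocation: deleting the row invalidates the key immediately,
// regardless of what the client still holds in its session.
function invalidateKey(PDO $db, string $key): void {
    $db->prepare('DELETE FROM api_key WHERE key_hash = :h')
       ->execute([':h' => hashKey($key)]);
}

// A resource handler in the shape Part 2 describes: it returns a status code
// and a JSON body only, leaving presentation entirely to the client.
// In a Slim app the authenticate() call would sit in a middleware that reads
// the X-Api-Key request header before the route is reached.
function profileEndpoint(PDO $db, array $headers): array {
    $uid = authenticate($db, $headers['X-Api-Key'] ?? null);
    if ($uid === null) {
        return ['status' => 401, 'body' => json_encode(['error' => 'invalid or expired key'])];
    }
    return ['status' => 200, 'body' => json_encode(['user_id' => $uid])];
}

// Constructed walk-through: login issues a key, the key authenticates a
// request, revocation makes the same key fail.
$db  = openStore();
$key = issueDynamicKey($db, 42);
var_dump(profileEndpoint($db, ['X-Api-Key' => $key]));
invalidateKey($db, $key);
var_dump(profileEndpoint($db, ['X-Api-Key' => $key]));
```

The expiry and last_used columns are what make server-side control possible: a key can be rejected once expires_at has passed without any cooperation from the client, and last_used lets a reaper job purge keys that have gone idle. Because the client (whether a Twig-rendering PHP front-end or a JS application hosted elsewhere) never touches the database, it only ever holds the plaintext key and the JSON it gets back.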


Published: 2023-08-05 20:40:00
Source: https://www.elefans.com/category/jswz/34/1439103.html