
I am trying to use Phil Sturgeon's excellent work (Codeigniter RestServer) for my service.

I plan to use this workflow:

client --> client connects to my service with credentials 
server <-- checks credentials in db, generates an api-key for this user, and sends it
client --> sends a request to get personal infos with the new api-key in the header
server <-- retrieves infos for this user from the api-key, sends infos
client --> another request with the new api-key in the header
server <-- checks if api-key lifetime < 15m; if ok, executes the request and updates the lifetime, else returns a timeout error
...

Can anyone help me do this with the RestServer X-API-KEY, or should I do the API-KEY management myself? Thanks.


1 Answer


You should not be doing this with the X-API-KEY used in the library. The purpose of that key is to authenticate apps that you have whitelisted to access your API.

In your case, what you want to do is get your app to generate an auth token and return that to the client. The client should then use the auth token to make requests.

The X-API-KEY should be used to verify that the request is coming from a whitelisted "client". Here's what the flow would look like:

client --> client connects to your service with credentials and x-api-key
server <-- verifies x-api-key, checks credentials against db, generates an auth token for this user, and sends it back in a response
client --> sends a request to get personal infos with the auth token
server <-- checks validity of the auth token, retrieves infos for this user and returns a response
client --> another request with the auth token
server <-- checks if the auth token is still valid (check expiry time, etc.) and returns a response

answered 2013-04-10T04:47:31.920
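The flow described in the answer, as an added example that is not part of the original post and not code from the Codeigniter RestServer library: a framework-agnostic, in-memory server that checks the whitelisted app key on every request, exchanges user credentials for a random auth token, and enforces the asker's 15-minute sliding lifetime. The header name X-AUTH-TOKEN, the /me resource, the client name "demo-android-app", the user "alice" and her password are all constructed for the example. Tokens are stored as SHA-256 digests so a leaked session table does not yield usable tokens, and all secret comparisons use constant-time equality.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_LIFETIME = 15 * 60  # seconds; the 15-minute sliding lifetime from the question
PBKDF2_ROUNDS = 100_000


@dataclass
class Session:
    user: str
    expires_at: float  # absolute time (seconds) after which the token is rejected


class ApiServer:
    def __init__(self, clock=time.time):
        self.clock = clock  # injectable clock so expiry can be tested deterministically
        # Constructed sample data: one whitelisted client app and one user.
        self.app_keys = {"demo-android-app": secrets.token_hex(16)}
        self.users = {}      # name -> (salt, pbkdf2 digest)
        self.sessions = {}   # sha256(token) -> Session
        self.add_user("alice", "correct horse battery staple")

    def add_user(self, name, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[name] = (salt, digest)

    def _app_key_ok(self, key):
        # X-API-KEY identifies the *app*, not the user; compare in constant time
        # against every whitelisted key so timing does not leak which one matched.
        return any(hmac.compare_digest(key or "", k) for k in self.app_keys.values())

    def _password_ok(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    @staticmethod
    def _token_id(token):
        # Only the digest of the token is kept server-side.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, headers, body):
        """Step 1: app key + user credentials -> fresh auth token."""
        if not self._app_key_ok(headers.get("X-API-KEY")):
            return 403, {"error": "unknown client"}
        if not self._password_ok(body.get("user", ""), body.get("password", "")):
            return 401, {"error": "bad credentials"}
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self.sessions[self._token_id(token)] = Session(body["user"], self.clock() + TOKEN_LIFETIME)
        return 200, {"auth_token": token}

    def request(self, headers, path):
        """Steps 2..n: app key + auth token -> resource, with sliding expiry."""
        if not self._app_key_ok(headers.get("X-API-KEY")):
            return 403, {"error": "unknown client"}
        tid = self._token_id(headers.get("X-AUTH-TOKEN", ""))
        session = self.sessions.get(tid)
        if session is None:
            return 401, {"error": "invalid token"}
        now = self.clock()
        if now > session.expires_at:
            del self.sessions[tid]          # expired tokens are dropped, not revived
            return 401, {"error": "timeout"}
        session.expires_at = now + TOKEN_LIFETIME  # each valid request extends the lifetime
        if path == "/me":
            return 200, {"user": session.user}
        return 404, {"error": "no such resource"}


if __name__ == "__main__":
    srv = ApiServer()
    app_key = srv.app_keys["demo-android-app"]
    status, body = srv.login({"X-API-KEY": app_key},
                             {"user": "alice", "password": "correct horse battery staple"})
    print("login:", status, body)
    headers = {"X-API-KEY": app_key, "X-AUTH-TOKEN": body["auth_token"]}
    print("/me:", srv.request(headers, "/me"))
    print("no app key:", srv.request({"X-AUTH-TOKEN": body["auth_token"]}, "/me"))
```

Note that the app key and the auth token answer different questions: the first says "this request came from software I whitelisted", the second says "and it is acting for this user". A request missing either is refused, and an expired token is deleted rather than extended, so a client that went quiet for more than 15 minutes has to log in again exactly as the question's "timeout error" step intends.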