
I understand that python-eve supports HMAC or token-based authentication, i.e. including a token or hash in the header of every request. However, how should we implement the login in the first place, i.e. the process of verifying the username and password before we hand out the token/HMAC hash? Should we accept a new route method like the one below and read the database directly, or is there a better way to do this?

@app.route('/login', methods=['POST'])
def login(): ...

2 Answers


Ideally, the user ID, secret key and token are delivered through some out-of-band technique, such as e-mail, plain old paper, or a web page (not recommended). The client will then sign all requests with the key it was given.

Logins do not belong in a REST service; by definition such services are stateless (they store no client state, which is why you authenticate every single request).

My suggestion is to handle user registration on a service/website separate from the API itself. In any case, make sure the token/user ID/key are being sent out of band. A man-in-the-middle attack or the like could spoof the key and then use it to sign API requests on behalf of the targeted client.

answered 2014-04-29T08:00:25.553

To properly implement token-based authentication, ideally you need an Identity Provider (IdP) to which you authenticate and which returns a valid, time-limited token that you can then use with the Service Providers (i.e. your API) that trust the IdP.

That said, I guess you could do an initial basic auth as supported by Eve and return a token that your client will use in subsequent requests. In my view, the security benefit is that the credentials are exposed during the initial request only instead of on every single request. The drawback is that the IdP and the SP would be one and the same.

You can read more about token auth here:

Hope it helps.

answered 2014-10-14T17:15:06.087
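The "verify credentials once, then issue a time-limited token" flow from the second answer, as an added example that is neither Eve's own code nor the answerer's. It assumes a constructed in-memory user store holding only salted PBKDF2 hashes, a constructed server secret, and an HMAC-SHA256 token format of the shape base64(payload).base64(signature); the `login()` function is what the asker's POST /login handler would call, and `verify_token()` is what a per-request check would call.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example; a real deployment loads the secret from config, never source.
SERVER_SECRET = b"example-only-secret-key"
TOKEN_TTL = 3600  # seconds a token stays valid after issue

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so the salt can be stored."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed user store: the plaintext password is never kept, only salt + digest.
_salt, _digest = hash_password("correct horse battery staple")
USERS = {"alice": (_salt, _digest)}

def check_password(username, password):
    record = USERS.get(username)
    if record is None:
        hash_password(password, b"\0" * 16)  # same cost for unknown users (no timing leak)
        return False
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def issue_token(username, now=None):
    """Sign a JSON payload carrying the subject and an absolute expiry time."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": username, "exp": now + TOKEN_TTL}).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def verify_token(token, now=None):
    """Return the username if the signature is valid and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        p64, s64 = token.split(".")
        payload, sig = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(s64)
    except ValueError:  # wrong number of parts or bad base64 (binascii.Error subclasses ValueError)
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # check the MAC before trusting any byte of the payload
    claims = json.loads(payload)
    return claims["sub"] if claims.get("exp", 0) > now else None

def login(username, password, now=None):
    """Body of the POST /login handler: credentials are sent once, a token comes back."""
    return issue_token(username, now) if check_password(username, password) else None
```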