本文是小编为大家收集整理的关于REST API。我需要对注销动作进行认证吗?的处理/解决方法,可以参考本文帮助大家快速定位并解决问题,中文翻译不准确的可切换到English标签页查看源文。
问题描述
我正在编写一个REST API服务器(使用Rails),这里是一个关于 session management 的问题.
我认为对于一个REST API服务器,我们不需要为每个用户保存登录状态(或 session ).因此,我只需为每个用户添加身份验证令牌.如果它们登录,此服务器将将此令牌返回给它们,如果退出,则销毁它.
,我想知道是否有必要验证这个令牌销毁动作?可能有一个恶意用户遍历所有可能的令牌( moser!)并将它们包裹在删除请求中给我的服务器...
非常感谢!
推荐答案
restful web服务的一个方面是无状态 wikipedia 文章.
客户端 - 服务器通信通过在请求之间没有存储在服务器上没有客户端上下文进一步约束.来自任何客户端的每个请求都包含服务请求所需的所有信息,并且在客户端中保持会话状态.
服务器不应包含关于会话的任何信息,即必须在每个请求中包含身份验证信息,并且不需要登录或注销方法.
最佳实践将提供资源(如某些OAuth2实现),其返回具有特殊范围和到期时间的令牌.在创建过程中,令牌应存储在后端的数据库中.令牌到期后,必须从数据库中删除信息,客户端必须获取令牌的新副本.
更新:
@ekkehard,这正是我的意思是什么意思.使用会话ID,cookie和会话超时,令牌应由其他资源提供,而不是使用状态的HTTP会话.
[...]没有客户端上下文存储在请求之间的服务器上.
如果客户端想要访问后端的特殊服务,它必须向令牌资源发送发布请求(后端将新令牌存储在数据库中的特殊到期时间).
在POST请求中,客户还可以提供额外的查询参数范围,以创建令牌,只允许您访问后端的特殊部分(谷歌例如提供许多不同的API,如Google Drive,等等,如果客户端是邮件应用程序,只需要访问Google邮件.它是一个额外的安全功能.).
响应返回令牌,客户端必须在每个请求的标题中添加此令牌对其他资源.
来自任何客户端的每个请求都包含服务请求所需的所有信息,并且在客户端中保持会话状态.
将根据存储在数据库中的信息从后端验证令牌.
令牌资源也可以提供删除HTTP方法,允许用户在到期时间结束前删除现有令牌.到期超时后,将从后端数据库自动删除令牌.
其他推荐答案
如果有人知道你的令牌,那么他们可以用它来验证你.换句话说,通过将令牌发送到删除,您正在验证自己.在删除操作中,不需要超出令牌的额外凭据.
有太多可能的令牌来迭代这是一个合理的攻击.您担心的攻击并不是删除的独特.如果用户可以迭代所有令牌,那么他们将能够冒充任何用户的任何操作.
其他推荐答案
您可以使用身份验证令牌for api.如果您的用户名和密码匹配,概念很简单,您只需创建令牌并发送给用户.
您需要为此令牌设置一个过期时间.
到期时间或当API请求销毁时,您只需删除此令牌.
令牌必须使用每个请求发送.
在这种方法中,您不需要任何会话.
问题描述
I'm writing a REST API server(using Rails), and here is a question about session management.
I think for a REST API server, we don't need to save the log in state(or session) for each user. So I just add an authentication token for each user. If they log in, this server will return this token to them, and if log out, destroy it.
And I'm wondering if it's necessary to authenticate this token destroy action? There might be a malicious user who iterate all possible tokens(maybe!) and wrap them in a DELETE request to my server...
Thanks a lot!
推荐答案
One of the aspects of restful web services is statelessness as described in the Wikipedia article.
The client–server communication is further constrained by no client context being stored on the server between requests. Each request from any client contains all the information necessary to service the request, and session state is held in the client.
The server should not contain any information about sessions, that means, that the authentication information must be contained in each request and no login or logout methods are needed.
Best practice would be providing a resource (like some OAuth2 implementations), that returns a token with a special scope and an expiration time. At the creating process, the token should be stored in the database of the backend. After the token expires, the information must be deleted from the database and the client has to obtain a new copy of the token.
UPDATE:
@Ekkehard, that's exactly what I meant with my comment. Instead of using ‚stateful' http sessions with a session id, cookies and a session timeout, the token should be provided by an additional resource.
[...] no client context being stored on the server between requests.
If the client wants to access special services of the backend, it had to send a POST request to the token resource (where the backend stores the new token with a special expiration time in the database).
In the POST request, the client could also provide an additional query parameter scope, to create a token, that only allows you to access special parts of your backend (Google for example provides many different APIs like Google Drive, Google Mail, etc. and if the client is a mail application only access to Google Mail is necessary. It’s an additional security feature.).
The response returns the token and the client had to add this token in the header of each request to other resources.
Each request from any client contains all the information necessary to service the request, and session state is held in the client.
The tokens will be verified from the backend based on the information stored in the database.
Token resources could also provide a DELETE http method, to allow the user to delete existing tokens before the end of the expiration time. After the expiration timeout, the tokens will be automatically deleted from the database of the backend.
其他推荐答案
If someone knows your token then they can use it to authenticate as you. In other words, by sending the token in to delete, you are authenticating yourself. No additional credentials beyond the token should be needed in a DELETE action.
There are simply too many possible tokens to iterate over for this to be a plausible attack. The attack you are worrying about is not unique to DELETE. If a user could iterate over all tokens then they would be able to impersonate any user for any action.
其他推荐答案
You can use authentication token for API. Concept is simple if your username and password matched you just create a token and send to user.
You need to set a expiration time for this token.
After expiration time or when API request for destroy you just delete this token.
Token must be send with each request.
In this approach you don't need any session.
更多相关问答
联系站长