使用 Laravel 进行 REST api 身份验证
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/14461029/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
REST api authenication with laravel
提问by MrFoh
I am building a RESTful api with laravel using the RESTful controller property. So far i've been able to get most of it working. The issue am having now is authenication, am trying to use Amazon approach using a "user_id" and "signature". Am creating the signature using php's 'hash_hmac()'.
我正在使用 RESTful 控制器属性使用 laravel 构建 RESTful api。到目前为止,我已经能够使其大部分工作。现在的问题是身份验证,我正在尝试使用“user_id”和“签名”来使用 Amazon 方法。我正在使用 php 的“hash_hmac()”创建签名。
this an example api controller
这是一个示例 api 控制器
class Api_Tasks_Controller extends Api_Controller {
public $restful = true;
public function get_index($id = null) {
$this->verfiy_request();
if(!is_null($id))
{
return Response::json(array("tasks"=>"just one"),200);
}
else
{
return Response::json(array("tasks"=>"everthing"),200);
}
}
}
and this the api controller class
这是 api 控制器类
class Api_Controller extends Controller {
public function verify_request() {
//user id
$user_id = (int) Input::get('user_id');
//signature
$sig = Input::get('sig');
//Lookup user
$user = Sentry::user($user_id);
if($user) {
//user email
$email = $user->email;
//user api key
$api_key = $user->metadata['api_key'];
//recreate signature
$_sig = hash_hmac("sha256",$email.$user_id,$api_key);
if($_sig === $sig) {
return Response::json(array("message"=>"Request Ok"),200);
}
else {
return Response::json(array("message"=>"Request Bad"),400);
}
}
else {
return Response::json(array("message"=>"Request not authorized"),401);
}
}
Making a get request http://api.xyz.com/v1/tasks/1?user_id=1&sig=41295da38eadfa56189b041a022c6ae0fdcbcd5e65c83f0e9aa0e6fbae666cd8always returns a successful message even when i alter the value of the user_id parameter which should void the signature an make the request invalid.
It seems my verfiy_requestmethod is not executing.
Please help me out
http://api.xyz.com/v1/tasks/1?user_id=1&sig=41295da38eadfa56189b041a022c6ae0fdcbcd5e65c83f0e9aa0e6fbae666cd8即使我更改了应该使签名无效并使请求无效的 user_id 参数的值,发出获取请求也总是会返回成功的消息。看来我的verfiy_request方法没有执行。请帮帮我
回答by jonahlyn
I have also been researching this recently and would also recommend going with filters. It could work something like this:
我最近也在研究这个,也建议使用过滤器。它可以像这样工作:
class Api_Tasks_Controller extends Base_Controller {
public $restful = true;
function __construct() {
// Check if user is authorized
$this->filter('before', 'api_checkauth');
}
// rest of the class ....
}
And in your routes.php file:
在你的 routes.php 文件中:
Route::filter('api_checkauth', function()
{
//user id
$user_id = (int) Input::get('user_id');
//signature
$sig = Input::get('sig');
try {
//Lookup user
$user = Sentry::user($user_id);
if($user) {
//user email
$email = $user->email;
//user api key
$api_key = $user->metadata['api_key'];
//recreate signature
$_sig = hash_hmac("sha256",$email.$user_id,$api_key);
if($_sig === $sig) {
return Response::json(array("message"=>"Request Ok"),200);
}
else {
return Response::json(array("message"=>"Request Bad"),400);
}
}
else {
return Response::json(array("message"=>"Request not authorized"),401);
}
}
catch (Sentry\SentryException $e) {
$errors = $e->getMessage(); // catch errors such as user not existing or bad fields
return Response::json(array("message"=>$errors),404);
}
});
Also, thanks for introducing me to Sentry :-)
另外,感谢您向我介绍 Sentry :-)
回答by SelrahcD
It's a quick guess, I didn't try but maybe you might want to try to add a return statement before calling verify_request.
这是一个快速的猜测,我没有尝试,但也许您可能想在调用 verify_request 之前尝试添加 return 语句。
And you should look into filterswhich will allow you to separate more your api logic and api authentication ;-)
您应该研究过滤器,这将允许您将更多的 api 逻辑和 api 身份验证分开;-)
