[Javascript] Best way to have API Auth [question] [adonis-framework]

nigeltiany 17 days ago 6

I have my Auth Controller as

```javascript
const login = yield basicAuth.validate(email, password);
if (login) {
  const user = yield User.findBy('email', email);
  //TODO Generate API access token
  var token = yield request.auth.generate(user);
  user.apiTokens().save(token);
  response.cookie('token', token, {
    //TODO set secure for production
    //secure:true,
  });

  response.send({ success: true, cookies: request.cookies() });
  return;
}
```

And my API Route as

```javascript
Route.group('api', function () {
  Route.resources('user', 'api/UserController');
}).prefix('/api/v1').middleware('auth:api');
```

But after logging in and writing a token cookie, I still get an Invalid Auth error when accessing the route.
What am I missing? Is there a better way to do API auth?

Latest comments (12)
thetutlage 17 days ago
1

@nigeltiany Just make sure to format questions as per the specs defined here https://guides.github.com/features/mastering-markdown/.

Next, I don't understand why you are using Basic Auth + API Auth together?

nigeltiany 17 days ago
2

@thetutlage What would be a better way to do it?

  1. Does sending a post request to a route that has the method

    const isLoggedIn = yield request.auth.check()

    check the database for username and password from the request?

  2. Does api config section in config/auth.js allow setting different fields to be used for authentication with the auth.check() function?

I used basic auth to check if a user's credentials exist, and the api auth to assign a token, send it as a cookie, then save it to the database.

thetutlage 17 days ago
3

You must only use one authentication technique to give access to restricted routes. When using basicAuth your customers will have to log in, since basicAuth is stateless authentication.

Read this http://security.stackexchange.com/questions/755/how-does-basic-http-auth-work

In Adonis you can make use of the auth middleware

```javascript
Route.group('api', function () {
  Route.resources('user', 'api/UserController');
}).prefix('/api/v1').middleware('auth:basic');
```

Now any request that does not have basic auth headers will be denied by the middleware itself. And the authenticator will take care of validating the credentials for you.

nigeltiany 17 days ago
4

Thanks, but I'm not there yet. Please indulge me.
I want API auth for my REST interface, for users that have provided a valid username and password.
After confirming a user's credentials exist, I want to give them a token which they are supposed to send back on every request, enabling them to access the REST API.
How should I go about that with regard to AdonisJS, and what's the better approach?

I already have

  • A route that responds with a form for login,
  • A post route that should handle the credentials from the login
  • A route group called api with middleware('auth:api') and inside the group, my rest routes
thetutlage 17 days ago
5

Okay, you should render a login form where a user will enter their credentials and if their credentials are correct, you will return a response with the API token or JWT token, and then they can make use of that token for future requests.

Check out this sample controller for the same: https://github.com/adonisjs/adonis-rally/blob/develop/app/Http/Controllers/UsersController.js

The login page will not use any authentication, since it needs to be publicly accessible.

nigeltiany 17 days ago
6

Thank you very much @thetutlage
That clears the fog for me.

nigeltiany 17 days ago
7

One more thing.
How best to redirect to a route with the acquired token in the request header?

thetutlage 17 days ago
8

@nigeltiany response.redirect('location') can be used to redirect the request. Closing; feel free to open issues for specific issues.

javy1103 17 days ago
9

Is it possible to revoke JWT tokens? Where are they currently stored?

felipemouradev 17 days ago
10

I'm with this same doubt.

felipemouradev 17 days ago
11

Where are the JWT tokens stored? As for Local Storage I already know; I refer to the database!

javy1103 17 days ago
12

JWT tokens are not stored. Read more about JWT on the official page. JWT tokens are created with user information in the token payload, and an expiration date. You then send that token to the front end as a cookie OR in the payload, and it is saved in localStorage. If you want to check which user that token belongs to, you can encode the token with some user-specific data and decode it, and you will get that user's data.
