使用OAuth的REST API - 验证发送请求的用户是否拥有目标资源的最佳做法是什么？_course

<div class="post-text" itemprop="text"> <p>We have an API with endpoints for things like user profile information where we want to restrict access. </p> <p>Our application backend is built in PHP on the Slim framework so we're handling authorization in routing middleware:</p> <pre><code>class Authorization { public function authorizeAccess() { ... // check if oauth token corresponds to the correct id } } $authorizer = new Authorization(); $app-&gt;get('/user/:id/profile', [$authorizer, 'authorizeAccess'], function() use ($app) { ... }; </code></pre> <p>Is this a good way of doing this? </p> </div>

没有登录页面的Wordpress REST API身份验证_course

<div class="post-text" itemprop="text"> <p>I want to post to my wordpress blog with javascript using the REST api, I understand two step process to get authenticated 1. User sent to authorization page, user press authorize button get a code, 2. Use the code to get an access token .</p> <p>I need to skip step 1. How can i post to my blog without user interaction.</p> </div>

在REST API端验证CSRF令牌_course

<div class="post-text" itemprop="text"> <p>I have REST API written on PHP with authentication based on JWT. Workflow is simple: user sends username and password and gets JWT token back, with what they will be authenticated on all REST requests. Everything is pretty logic and cool, but now i have a problem with storing token client side, after some googling i found what only HTTP Only, Secure cookies are good for this, but they are vulnerable for CSRF attacks, so i am planning to user CSRF token to solve this problem. And here comes the question, how REST can validate CSRF token, if token issued by client? How REST backend understand what this random string is valid for this request and another random string is not? REST is stateless, he doesn't know what kind of token client have issued because REST and client are on separate backends, even on separate servers.</p> </div>

Paypal Rest API - 如何获取客户端ID和密码？_course

<div class="post-text" itemprop="text"> <p>I am considering using implementing Paypal Rest API using using <a href="https://github.com/thephpleague/omnipay-paypal" rel="nofollow noreferrer">Omnipay: PayPal</a> package - PayPal_Rest (Paypal Rest API).</p> <p>Where do I ask client to find client ID and Secret Key from their PayPal account so they can enter on our backend in order to use Paypal Method for their eCommerce site? </p> <p>I am even struggling to find one from my personal Paypal Account.</p> </div>

Rest Api的无状态身份验证_course

<div class="post-text" itemprop="text"> <p>searching for a good authentication method for my rest api i came a cross this : </p> <p><strong>"What is stateless authentication? Again, stateless means without state. But, how can we identify a user from a token without having any state on the server? Surprisingly, it’s very easy! just send all the data to the client. So what would you store/send (send to client/network)? The most trivial example is an access token. Access tokens usually have a unique ID, an expiration date and the ID of the client that created it. To store this, you would just put this data into a JSON object, and encode it using base64."</strong></p> <p>Now, having a self-contained token, you will need to make sure that nobody can manipulate the data. For this you should sign it using MAC algorithm or any other digital signature method available.</p> <p>This is a little confusing for me , how can i validate the access token when the request comes(nothing stored to match it), but i find it a good idea and i want to implement it, any advice will be very helpful.</p> <p>My rest api is very simple I receive every request to index.php , then i create new object with the request class to analyze every element of the request. </p> <p>request class looks like this :</p> <pre><code>&lt;?php class Request { public $url_elements; public $verb; public $parameters; public function __construct() { $this-&gt;verb = $_SERVER['REQUEST_METHOD']; $this-&gt;url_elements = explode('/', $_SERVER['PATH_INFO']); $this-&gt;parseIncomingParams(); $this-&gt;format = 'json'; if(isset($this-&gt;parameters['format'])) { $this-&gt;format = $this-&gt;parameters['format']; } return true; } public function parseIncomingParams() { $parameters = array(); if (isset($_SERVER['QUERY_STRING'])) { parse_str($_SERVER['QUERY_STRING'], $parameters); } $body = file_get_contents("php://input"); $content_type = false; if(isset($_SERVER['CONTENT_TYPE'])) { $content_type = $_SERVER['CONTENT_TYPE']; } switch($content_type) { case "application/json": $body_params = json_decode($body); if($body_params) { foreach($body_params as $param_name =&gt; $param_value) { $parameters[$param_name] = $param_value; } } $this-&gt;format = "json"; break; case "application/x-www-form-urlencoded": parse_str($body, $postvars); foreach($postvars as $field =&gt; $value) { $parameters[$field] = $value; } $this-&gt;format = "html"; break; default: break; } $this-&gt;parameters = $parameters; } } ?&gt; </code></pre> <p>After this i proceed with the proper controller that is the first element after index.php/</p> <p>Thank you very much for your time and sorry if the question is not very clear as i am new to rest :/ </p> </div>

codeigniter rest api身份验证不起作用_course

<div class="post-text" itemprop="text"> <p>I am using CI3 and chriskacerguis rest server library for api.</p> <p>I have config rest </p> <pre><code>... $config['rest_auth'] = 'digest'; ... $config['auth_source'] = ''; ... $config['rest_valid_logins'] = ['admin' =&gt; '1234', 'user' =&gt; 'test']; </code></pre> <p>When I try to get data using browser I get authentication popup even when I enter correct login detail its keep on pop, I think it is not getting validated.</p> <p>What is correct way to make it authenticate that use rest_valid_logins detail.</p> </div>

在CakePHP REST API中输入数据验证_course

<div class="post-text" itemprop="text"> <p>I am developing a REST API using CakePHP. The problem is regarding the validation of data that is sent as input parameters to my API. In the <a href="http://book.cakephp.org/2.0/en/index.html" rel="nofollow">CakePHP documentation</a> they have mentioned <a href="http://book.cakephp.org/2.0/en/models/data-validation.html" rel="nofollow">this</a>. But how do I implement it for a REST API? </p> <p>I want that if I add a validation something like this in <code>app/Model/Table.php</code>:</p> <pre><code>public $validate = array( 'email' =&gt; 'email' ); </code></pre> <p>Then when I user makes the request <code>myapi.com/resource?email=abc123</code> I want the API to respond like</p> <p><code>status: 400</code></p> <pre><code>{ "message": "Invalid Parameter", "url": "/resource" } </code></pre> </div>

PHP中的REST身份验证（CodeIgniter）_course

<div class="post-text" itemprop="text"> <p>I writing REST API form my web application. Application is written using CodeIgniter framework. Application itself is working fine, but I'm stuck on making REST Authentication. I think that basic Http Authentication will be good enough for some time. Public API is not yet planned.</p> <p>Is there any code example how to achieve REST Authentication so after user is authenticated he can freely call all protected methods.</p> </div>

WP REST API登录_course

<div class="post-text" itemprop="text"> <p>Our Company makes use of multiple websites that are running on different platforms and databases (Mostly WordPress). I am trying to build integration between these websites.</p> <p>If a user logs in to their account on one of our websites an automated login needs to occur on our other websites.</p> <p>To accomplish this I am trying to make use of the WordPress API:</p> <pre><code>add_action('rest_api_init', function(){ register_rest_route( 'odp-api/v1', '/universal-login', array( 'methods' =&gt; 'POST', 'callback' =&gt; 'universal_login' ) ); }); function universal_login(WP_REST_Request $request){ $feedback = array(); $posted = $request-&gt;get_body_params(); if(isset($posted['user_login']) &amp;&amp; isset($posted['user_password'])){ $posted['remember'] = (isset($posted['remember']) ? $posted['remember']: 0); $user = wp_signon($posted, is_ssl()); if(!is_wp_error($user)){ $feedback['success'] = 'Success'; } else{ $feedback['error'] = $user-&gt;get_error_message(); } } else{ $feedback['error'] = 'Invalid account credentials.'; } return $feedback; } </code></pre> <p>The above action and function registers a custom API route, which I call in the following way:</p> <pre><code>$response = wp_safe_remote_post( ODP_UNIVERSAL_URL . 'wp-json/odp-api/v1/universal-login', array( 'method' =&gt; 'POST', 'body' =&gt; array( 'user_login' =&gt; $user_login, 'user_password' =&gt; $user_password, 'remember' =&gt; (isset($_POST['rememberme']) &amp;&amp; $_POST['rememberme'] === 'forever' ? 1 : 0) ) ) ); </code></pre> <p>I get the $feedback success message and can access the <em>just logged in user data</em>, but when visiting the website it's clear that I/the user has in fact not been logged in.</p> <p>From what I've found online it seems to be related to either the COOKIE_DOMAIN definition, or something with NONCE verification.</p> <p>Why is the user being fetched successfully, remotely, but not logged in?</p> <p>Is there a simpler way to log a user in remotely with WordPress?</p> <p>The idea is to be able to log in from one WordPress installation, and automatically be logged in to another WordPress installation on a different domain. <strong>All our websites are running over SSL encryption.</strong></p> </div>

使用php-github-api进行Github身份验证_course

<div class="post-text" itemprop="text"> <p>I am trying to implement Github authentication in my application (built using Laravel 4) using <a href="https://github.com/KnpLabs/php-github-api/blob/master/doc/security.md" rel="nofollow">php-github-api</a> by KnpLabs. I went ahead and created an app in my Github account to obtain the client_id and the secret key. </p> <p>The problem is, I cannot authenticate using this library. A null result is returned. It implementation seems simple but I cannot get it work. Checkout how I am implementing it.</p> <pre><code>try{ $client = new Github\Client(); $auth= $client-&gt;authenticate('myclientid','mysecret',AUTH_URL_CLIENT_ID); $emails = $client-&gt;api('current_user')-&gt;emails()-&gt;all(); return Response::json(array("user"=&gt;$emails)); }catch(Exception $e){ return Response::json(array('failed',$e-&gt;getMessage())); } </code></pre> <p>This is the result I get from the above:</p> <pre><code> ["failed","Requires authentication"] </code></pre> <p>Please someone help me figure out what I am doing wrong.</p> <p>Thank you.</p> </div>

使用REST API进行Docusign实时帐户身份验证无效_course

<div class="post-text" itemprop="text"> <p>I am new on Docusign. I have developed a application using REST API on PHP language. In demo account everything is working fine. But in live account does not working. Error is calling webservice and status is 0. I tried many way but can't solve. Please help me. My code for authentication is given below.</p> <pre><code>$integratorKey = 'xxxxxx'; $email = 'xxxx'; $password = 'xxxx'; // construct the authentication header: $header = "&lt;DocuSignCredentials&gt;&lt;Username&gt;" . $email . "&lt;/Username&gt;&lt;Password&gt;" . $password . "&lt;/Password&gt;&lt;IntegratorKey&gt;" . $integratorKey . "&lt;/IntegratorKey&gt;&lt;/DocuSignCredentials&gt;"; $url = "https://www.docusign.net/restapi/v2/login_information"; $curl = curl_init($url); curl_setopt($curl, CURLOPT_HEADER, false); curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl, CURLOPT_HTTPHEADER, array("X-DocuSign-Authentication: $header")); $json_response = curl_exec($curl); $status = curl_getinfo($curl, CURLINFO_HTTP_CODE); //echo $status; if ( $status != 200 ) { echo "error calling webservice, status is:" . $status; exit(-1); } $response = json_decode($json_response, true); $accountId = $response["loginAccounts"][0]["accountId"]; $baseUrl = $response["loginAccounts"][0]["baseUrl"]; curl_close($curl); </code></pre> </div>

cakephp rest api和身份验证_course

<div class="post-text" itemprop="text"> <p>i am developing with cakephp 2.4.7 and i am very confused and i don't know what's the best way to implement what i need.</p> <p>My cake project is similar to a social network and i already have programmed a big part of the web part. Now i want to start developing the API for the native mobile apps (iOS, Android, etc).</p> <p>In my project i am using the standard <code>form</code> <code>authentication</code> for the normal webbrowser way.</p> <p>How can i use both, <code>basic</code> and <code>form</code> <code>authentication</code>? Form authentication for webbrowser use and basic authentication for the native mobiel apps.</p> <p>My AppController looks like:</p> <pre><code>public $components = array( '...', 'Auth' =&gt; array( 'loginRedirect' =&gt; array( 'controller' =&gt; 'users', 'action' =&gt; 'index' ), 'logoutRedirect' =&gt; array( 'controller' =&gt; 'users', 'action' =&gt; 'login' ), 'authError' =&gt; 'You must be loggedin to view this page.', 'loginError' =&gt; 'Invalid user credentials.', 'authorize' =&gt; array('Controller'), 'authenticate' =&gt; array( 'Form' =&gt; array( 'userModel' =&gt; 'User', ) ), 'authorize' =&gt; array( 'Actions' =&gt; array('actionPath' =&gt; 'controllers') ) ) ); </code></pre> <p>I know this part of the documentation:</p> <blockquote> <p>Using multiple handlers allows you to support different ways of logging users in. When logging users in, authentication handlers are checked in the order they are declare</p> </blockquote> <p>But what about the <code>login</code> action?</p> <p>Is there a better solution? For example authenticate with tokens.</p> <p>And i searched a lot about <code>API versioning</code> and <code>prefix routing</code>. The only thing i found is that cake 2.x don't support prefix routing for rest.</p> <p>My goal is to have the following structure:</p> <ul> <li><code>/users/view/2</code> for webbrowser</li> <li><code>/api/1.0/users/view/2.json</code> for the mobile apps.</li> </ul> <p><strong>In UsersController:</strong></p> <pre><code>public function view($id = null) { // Webbrowser } public function api_1_0_view($id = null) { // mobile app version 1.0 } public function api_2_0_view($id = null) { // mobile app version 2.0 } </code></pre> <p>Can you give me a idea how i can solve the problems?</p> </div>

WP REST API不需要在POST上进行身份验证_course

<div class="post-text" itemprop="text"> <p>I created a custom route to edit a single user meta value. Here is the code:</p> <pre><code>add_action( 'rest_api_init', function () { register_rest_route( 'custom', '/activating/(?P&lt;id&gt;\d+)', array( 'methods' =&gt; 'POST', 'callback' =&gt; __NAMESPACE__ . '\\activate_user', 'args' =&gt; array( 'id' =&gt; array( 'validate_callback' =&gt; function($param, $request, $key) { return is_numeric( $param ); } ), ), )); }); function activate_user($data){ $user_id = $data['id']; update_user_meta( $user_id, "user_active", 1, 0 ); return array( 'message' =&gt; 'OK' ); } </code></pre> <p>Testing it on Postman, WP not required authentication. This is normal? What I need to do to allow POST request only with authentication?</p> </div>

Swift iOS应用程序到REST PHP API - 身份验证的最佳实践是什么？_course

<div class="post-text" itemprop="text"> <p>I'm in the process of building a iOS mobile application in Swift. I have a RESTFUL API written in PHP which communicates between the mobile application and a database. Everything is working perfectly.</p> <p>The problem I've got is, I don't know what the best practice is for authentication. I eventually want users to sign up for an account on my application, but I'd like to have the user enter login credentials as little as possible, so some kind of authentication/authorisation key would be preferred.</p> <p>I see so many different recommendations when I've looked for an answer, yet can't seem to find a tutorial or set of tutorials that cover what I need.</p> <p>Can you guys link me some sources on how I'd go about achieving the above?</p> </div>

是否可以使用REST API通过身份验证从magento获取数据？_course

<div class="post-text" itemprop="text"> <p>Currently I am getting required data from Magento using REST API, but I have to get these data with out asking login and authorization. How can I do this?</p> <p>For more details follow <a href="https://magento.stackexchange.com/questions/78168/how-to-get-customers-data-from-magento-using-rest-api-without-authentication-is">the link</a>.</p> </div>

Magento 2.0 REST API Oauth错误_course

<div class="post-text" itemprop="text"> <p>The below php script is our rest api to retrieve customer info as admin -The script is getting the admin login and authorize page correctly but after the authorize it is giving the error</p> <blockquote> <p>OAuthException Object ( [message:protected] =&gt; Invalid auth/bad request (got a 403, expected HTTP/1.1 20X or a redirect) [string:Exception:private] =&gt; [code:protected] =&gt; 403 [file:protected] =&gt; /home/xxxx/public_html/oauth_admin.php [line:protected] =&gt; 39 [trace:Exception:private] =&gt; Array ( [0] =&gt; Array ( [file] =&gt; /home/xxxxx/public_html/oauth_admin.php [line] =&gt; 39 [function] =&gt; fetch [class] =&gt; OAuth [type] =&gt; -&gt; [args] =&gt; Array ( [0] =&gt; <a href="http://www.xxxxx.com/api/rest/customers" rel="nofollow">http://www.xxxxx.com/api/rest/customers</a> [1] =&gt; Array ( ) [2] =&gt; GET [3] =&gt; Array ( [Content-Type] =&gt; application/xml [Accept] =&gt; / ) ) ) ) [previous:Exception:private] =&gt; [lastResponse] =&gt; {"messages":{"error":[{"code":403,"message":"Access denied"}]}} [debugInfo] =&gt; Array ( [sbs] =&gt; xxxxx [body_recv] =&gt; {"messages":{"error":[{"code":403,"message":"Access denied"}]}} ) ))</p> </blockquote> <p>I have tried every blog/post to try get this working and at this stage no doubt its something very obvious but I cant spot it...help greatly appreciated!</p> <pre><code>&lt;?php $callbackUrl = "http://www.site2.com/oauth_admin.php"; $temporaryCredentialsRequestUrl = "http://www.site1.com/oauth/initiate?oauth_callback=" . urlencode($callbackUrl); $adminAuthorizationUrl = 'https://www.site1.com/admin/oauth_authorize'; $accessTokenRequestUrl = 'http://www.site1.com/oauth/token'; $apiUrl = 'http://www.site1.com/api/rest'; $consumerKey = 'xxxxx'; $consumerSecret = 'xxxxx'; session_start(); if (!isset($_GET['oauth_token']) &amp;&amp; isset($_SESSION['state']) &amp;&amp; $_SESSION['state'] == 1) { $_SESSION['state'] = 0; } try { $authType = ($_SESSION['state'] == 2) ? OAUTH_AUTH_TYPE_AUTHORIZATION : OAUTH_AUTH_TYPE_URI; $oauthClient = new OAuth($consumerKey, $consumerSecret, OAUTH_SIG_METHOD_HMACSHA1, $authType); $oauthClient-&gt;enableDebug(); if (!isset($_GET['oauth_token']) &amp;&amp; !$_SESSION['state']) { $requestToken = $oauthClient-&gt;getRequestToken($temporaryCredentialsRequestUrl); $_SESSION['secret'] = $requestToken['oauth_token_secret']; $_SESSION['state'] = 1; header('Location: ' . $adminAuthorizationUrl . '?oauth_token=' . $requestToken['oauth_token']); exit; } else if ($_SESSION['state'] == 1) { $oauthClient-&gt;setToken($_GET['oauth_token'], $_SESSION['secret']); $accessToken = $oauthClient-&gt;getAccessToken($accessTokenRequestUrl); $_SESSION['state'] = 2; $_SESSION['token'] = $accessToken['oauth_token']; $_SESSION['secret'] = $accessToken['oauth_token_secret']; header('Location: ' . $callbackUrl); exit; } else { $oauthClient-&gt;setToken($_SESSION['token'], $_SESSION['secret']); $resourceUrl = "$apiUrl/customers"; //$oauthClient-&gt;fetch($resourceUrl); $oauthClient-&gt;fetch($resourceUrl, array(), 'GET', array('Content-Type' =&gt; 'application/xml', 'Accept' =&gt; '*/*')); $customers = json_decode($oauthClient-&gt;getLastResponse()); print_r($customers); } } catch (OAuthException $e) { print_r($e); } </code></pre> </div>

REST API后期字段验证Laravel 5.1_course

<div class="post-text" itemprop="text"> <p>I need to check if I have all posted variables are required or else throw error. Till Now I am doing like this</p> <p>Routes.php</p> <pre><code>Route::post('/api/ws_fetchuser', 'UserController@fetch_user_details'); </code></pre> <p>UserController.php</p> <pre><code>&lt;?php namespace App\Http\Controllers; use App\Http\Requests; use Illuminate\Http\Request; use App\User; class UserController extends Controller { public function fetch_user_details(Request $request) { if(!empty($request) &amp;&amp; $request-&gt;id!='') { print_r($request-&gt;id); } else { return response(array( 'error' =&gt; false, 'message' =&gt;'please enter all form fields', ),200); } } } </code></pre> <p>I am checking like this <code>$request-&gt;id!=''</code>, is there any validation rules or methods which I can use to check id is required field.</p> <p>I have added this validation in my controller as well but what if id is not present how can I show the error?</p> <p>Updated Validation Code:</p> <pre><code>public function fetch_user_details(Request $request) { $this-&gt;validate($request, [ 'id' =&gt; 'required' ]); print_r($request-&gt;id); } </code></pre> </div>

JWT REST api身份验证：登录失败。 电子邮件或密码不正确_course

<div class="post-text" itemprop="text"> <p>I'm trying to do <a href="https://www.codeofaninja.com/2018/09/rest-api-authentication-example-php-jwt-tutorial.html" rel="nofollow noreferrer">this</a> basic api with jwt token based authentication tutorial. I've added all the code and I can add new users but cannot login. It always says 'Login failed. Email or password is incorrect.'. Could you please help me fix this? Thank you very much </p> <p>You can view the whole project from <a href="https://github.com/damithnh/rest-api-authentication-example" rel="nofollow noreferrer">here</a></p> <p>user.php</p> <pre><code>&lt;?php // 'user' object class User{ // database connection and table name private $conn; private $table_name = "users"; // object properties public $id; public $firstname; public $lastname; public $email; public $password; // constructor public function __construct($db){ $this-&gt;conn = $db; } // create new user record function create(){ // insert query $query = "INSERT INTO " . $this-&gt;table_name . " SET firstname = :firstname, lastname = :lastname, email = :email, password = :password"; // prepare the query $stmt = $this-&gt;conn-&gt;prepare($query); // sanitize $this-&gt;firstname=htmlspecialchars(strip_tags($this-&gt;firstname)); $this-&gt;lastname=htmlspecialchars(strip_tags($this-&gt;lastname)); $this-&gt;email=htmlspecialchars(strip_tags($this-&gt;email)); //$this-&gt;password=htmlspecialchars(strip_tags($this-&gt;password)); // bind the values $stmt-&gt;bindParam(':firstname', $this-&gt;firstname); $stmt-&gt;bindParam(':lastname', $this-&gt;lastname); $stmt-&gt;bindParam(':email', $this-&gt;email); // hash the password before saving to database $password_hash = password_hash($this-&gt;password, PASSWORD_BCRYPT); $stmt-&gt;bindParam(':password', $password_hash); // execute the query, also check if query was successful if($stmt-&gt;execute()){ return true; } return false; } // check if given email exist in the database function emailExists(){ // query to check if email exists $query = "SELECT id, firstname, lastname, password FROM " . $this-&gt;table_name . " WHERE email = ? LIMIT 0,1"; // prepare the query $stmt = $this-&gt;conn-&gt;prepare( $query ); // sanitize $this-&gt;email=htmlspecialchars(strip_tags($this-&gt;email)); // bind given email value $stmt-&gt;bindParam(1, $this-&gt;email); // execute the query $stmt-&gt;execute(); // get number of rows $num = $stmt-&gt;rowCount(); // if email exists, assign values to object properties for easy access and use for php sessions if($num&gt;0){ // get record details / values $row = $stmt-&gt;fetch(PDO::FETCH_ASSOC); // assign values to object properties $this-&gt;id = $row['id']; $this-&gt;firstname = $row['firstname']; $this-&gt;lastname = $row['lastname']; $this-&gt;password = $row['password']; // return true because email exists in the database return true; } // return false if email does not exist in the database return false; } // update a user record public function update(){ // if password needs to be updated $password_set=!empty($this-&gt;password) ? ", password = :password" : ""; // if no posted password, do not update the password $query = "UPDATE " . $this-&gt;table_name . " SET firstname = :firstname, lastname = :lastname, email = :email {$password_set} WHERE id = :id"; // prepare the query $stmt = $this-&gt;conn-&gt;prepare($query); // sanitize $this-&gt;firstname=htmlspecialchars(strip_tags($this-&gt;firstname)); $this-&gt;lastname=htmlspecialchars(strip_tags($this-&gt;lastname)); $this-&gt;email=htmlspecialchars(strip_tags($this-&gt;email)); // bind the values from the form $stmt-&gt;bindParam(':firstname', $this-&gt;firstname); $stmt-&gt;bindParam(':lastname', $this-&gt;lastname); $stmt-&gt;bindParam(':email', $this-&gt;email); // hash the password before saving to database if(!empty($this-&gt;password)){ $this-&gt;password=htmlspecialchars(strip_tags($this-&gt;password)); $password_hash = password_hash($this-&gt;password, PASSWORD_BCRYPT); $stmt-&gt;bindParam(':password', $password_hash); } // unique ID of record to be edited $stmt-&gt;bindParam(':id', $this-&gt;id); // execute the query if($stmt-&gt;execute()){ return true; } return false; } } </code></pre> <p>create_user.php</p> <pre><code>&lt;?php // required headers header("Access-Control-Allow-Origin: http://localhost/rest-api-authentication-example/"); header("Content-Type: application/json; charset=UTF-8"); header("Access-Control-Allow-Methods: POST"); header("Access-Control-Max-Age: 3600"); header("Access-Control-Allow-Headers: Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With"); // files needed to connect to database include_once 'config/database.php'; include_once 'objects/user.php'; // get database connection $database = new Database(); $db = $database-&gt;getConnection(); // instantiate product object $user = new User($db); // get posted data $data = json_decode(file_get_contents("php://input")); // set product property values $user-&gt;firstname = $data-&gt;firstname; $user-&gt;lastname = $data-&gt;lastname; $user-&gt;email = $data-&gt;email; $user-&gt;password = $data-&gt;password; // create the user if($user-&gt;create()){ // set response code http_response_code(200); // display message: user was created echo json_encode(array("message" =&gt; "User was created.")); } // message if unable to create user else{ // set response code http_response_code(400); // display message: unable to create user echo json_encode(array("message" =&gt; "Unable to create user.")); } ?&gt; </code></pre> <p>login.php</p> <pre><code>&lt;?php // required headers header("Access-Control-Allow-Origin: http://localhost/rest-api-authentication-example/"); header("Content-Type: application/json; charset=UTF-8"); header("Access-Control-Allow-Methods: POST"); header("Access-Control-Max-Age: 3600"); header("Access-Control-Allow-Headers: Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With"); // files needed to connect to database include_once 'config/database.php'; include_once 'objects/user.php'; // get database connection $database = new Database(); $db = $database-&gt;getConnection(); // instantiate user object $user = new User($db); // get posted data $data = json_decode(file_get_contents("php://input")); // set product property values $user-&gt;email = $data-&gt;email; $email_exists = $user-&gt;emailExists(); // generate json web token include_once 'config/core.php'; include_once 'libs/php-jwt-master/src/BeforeValidException.php'; include_once 'libs/php-jwt-master/src/ExpiredException.php'; include_once 'libs/php-jwt-master/src/SignatureInvalidException.php'; include_once 'libs/php-jwt-master/src/JWT.php'; use \Firebase\JWT\JWT; // check if email exists and if password is correct if($email_exists &amp;&amp; password_verify($data-&gt;password, $user-&gt;password)){ $token = array( "iss" =&gt; $iss, "aud" =&gt; $aud, "iat" =&gt; $iat, "nbf" =&gt; $nbf, "data" =&gt; array( "id" =&gt; $user-&gt;id, "firstname" =&gt; $user-&gt;firstname, "lastname" =&gt; $user-&gt;lastname, "email" =&gt; $user-&gt;email ) ); // set response code http_response_code(200); // generate jwt $jwt = JWT::encode($token, $key); echo json_encode( array( "message" =&gt; "Successful login.", "jwt" =&gt; $jwt ) ); } // login failed else{ // set response code http_response_code(401); // tell the user login failed echo json_encode(array("message" =&gt; "Login failed.")); } ?&gt; </code></pre> <p>update_user.php</p> <pre><code>&lt;?php // required headers header("Access-Control-Allow-Origin: *"); header("Content-Type: application/json; charset=UTF-8"); header("Access-Control-Allow-Methods: POST"); header("Access-Control-Max-Age: 3600"); header("Access-Control-Allow-Headers: Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With"); // required to encode json web token include_once 'config/core.php'; include_once 'libs/php-jwt-master/src/BeforeValidException.php'; include_once 'libs/php-jwt-master/src/ExpiredException.php'; include_once 'libs/php-jwt-master/src/SignatureInvalidException.php'; include_once 'libs/php-jwt-master/src/JWT.php'; use \Firebase\JWT\JWT; // files needed to connect to database include_once 'config/database.php'; include_once 'objects/user.php'; // get database connection $database = new Database(); $db = $database-&gt;getConnection(); // instantiate user object $user = new User($db); // get posted data $data = json_decode(file_get_contents("php://input")); // get jwt $jwt=isset($data-&gt;jwt) ? $data-&gt;jwt : ""; // if jwt is not empty if($jwt){ // if decode succeed, show user details try { // decode jwt $decoded = JWT::decode($jwt, $key, array('HS256')); // set user property values $user-&gt;firstname = $data-&gt;firstname; $user-&gt;lastname = $data-&gt;lastname; $user-&gt;email = $data-&gt;email; $user-&gt;password = $data-&gt;password; $user-&gt;id = $decoded-&gt;data-&gt;id; // create the product if($user-&gt;update()){ // we need to re-generate jwt because user details might be different $token = array( "iss" =&gt; $iss, "aud" =&gt; $aud, "iat" =&gt; $iat, "nbf" =&gt; $nbf, "data" =&gt; array( "id" =&gt; $user-&gt;id, "firstname" =&gt; $user-&gt;firstname, "lastname" =&gt; $user-&gt;lastname, "email" =&gt; $user-&gt;email ) ); $jwt = JWT::encode($token, $key); // set response code http_response_code(200); // response in json format echo json_encode( array( "message" =&gt; "User was updated.", "jwt" =&gt; $jwt ) ); } // message if unable to update user else{ // set response code http_response_code(401); // show error message echo json_encode(array("message" =&gt; "Unable to update user.")); } } // if decode fails, it means jwt is invalid catch (Exception $e){ // set response code http_response_code(401); // show error message echo json_encode(array( "message" =&gt; "Access denied.", "error" =&gt; $e-&gt;getMessage() )); } } // show error message if jwt is empty else{ // set response code http_response_code(401); // tell the user access denied echo json_encode(array("message" =&gt; "Access denied.")); } ?&gt; </code></pre> <p>validate_token.php</p> <pre><code>&lt;?php // required headers header("Access-Control-Allow-Origin: http://localhost/rest-api-authentication-example/"); header("Content-Type: application/json; charset=UTF-8"); header("Access-Control-Allow-Methods: POST"); header("Access-Control-Max-Age: 3600"); header("Access-Control-Allow-Headers: Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With"); // required to decode jwt include_once 'config/core.php'; include_once 'libs/php-jwt-master/src/BeforeValidException.php'; include_once 'libs/php-jwt-master/src/ExpiredException.php'; include_once 'libs/php-jwt-master/src/SignatureInvalidException.php'; include_once 'libs/php-jwt-master/src/JWT.php'; use \Firebase\JWT\JWT; // get posted data $data = json_decode(file_get_contents("php://input")); // get jwt $jwt=isset($data-&gt;jwt) ? $data-&gt;jwt : ""; // if jwt is not empty if($jwt){ // if decode succeed, show user details try { // decode jwt $decoded = JWT::decode($jwt, $key, array('HS256')); // set response code http_response_code(200); // show user details echo json_encode(array( "message" =&gt; "Access granted.", "data" =&gt; $decoded-&gt;data )); } // if decode fails, it means jwt is invalid catch (Exception $e){ // set response code http_response_code(401); // tell the user access denied &amp; show error message echo json_encode(array( "message" =&gt; "Access denied.", "error" =&gt; $e-&gt;getMessage() )); } } // show error message if jwt is empty else{ // set response code http_response_code(401); // tell the user access denied echo json_encode(array("message" =&gt; "Access denied.")); } ?&gt; </code></pre> </div>

内部rest API中的oAuth用户身份验证_course

<div class="post-text" itemprop="text"> <p>I am building a REST API service that will not be public and only used by the client to access the resources on the server. There is no authorization of different consumers as the only consumer is the server. </p> <p>I understand that 3 legged oAuth is the standard used by public API's like facebooks and I think I'm correct in assuming I am after 2 legged authentication but I cannot find a useful website describing it. </p> <p>I need to use oAuth to access resources and/or change them. Obviously this should be protected. But I am unsure as to how about doing this within PHP. So if a user requests something like <a href="https://example.com/me/follow/123" rel="nofollow">https://example.com/me/follow/123</a> by a post request the user 123 would only be followed if the user is logged. </p> <p>I would also like public resources to only be accessed by a recognized client only. So if you access <a href="https://example.com/user/123" rel="nofollow">https://example.com/user/123</a> a 401 is given but if you access <a href="https://example.com/user/123?client_id=890" rel="nofollow">https://example.com/user/123?client_id=890</a> a result is given. This will not stop users who are not logged in getting public resources but will stop users who are not using a recognised client. More than a anythinging this is a way for me to track what clients are using the API in the future. </p> <p><strong>1) </strong>How do you go about logins and give the users a token that is sent with every API request?</p> <p><strong>2) </strong>How do I protect the API from being used by unrecognized clients?</p> <p>I am sorry if any of my terminology or ideas are incorrect. My understanding of REST and oAuth is still very much developing. </p> </div>