我需要一个 API。我应该从哪里开始?
我正在从头开始构建 PHP 应用程序(使用 Kohana3 框架)。我将对其进行架构设计,以便可以使用 API 在内部访问数据。同时,我想最终将其提供给公众。
我计划使用 RESTful 访问方法。但是,我很难找到有关如何正确保护 API 的明确信息。也就是说,如何实现API签名和访问呢?
I'm building a PHP application from scratch (using Kohana3 framework). I'm going to architect it so that I can use an API to access the data internally. At the same time, I want to eventually offer it to the public.
I plan on using the RESTful access method. However, I'm having a hard time finding clear information on how to properly secure the API. In other words, how do I implement API signatures and access?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
您可以尝试 frapi。它将快速允许您构建 RESTful API,然后您可以将其用于您的应用程序,并在稍后公开公开相同的 API。
You could try frapi. It will quickly allow you to build your RESTful API, which you can then use for your application, and at a later date expose the same API publicly.
OAuth 将是一个不错的选择。单个键/值对也是如此。您可能还想查看 Mashape 但不完全确定它适合您想要做的事情。
OAuth would be a good choice. So would a single key/value pair. You might also want to look at Mashape but not entirely sure it fits what you are trying to do.
我认为一个好的起点是阅读有关数字签名的一般信息。维基百科是一个很棒的资源 http://en.wikipedia.org/wiki/Public_Key_Infrastruct 或 http://en.wikipedia.org/wiki/X.509。
在基本层面上,我会给每个客户一个私钥。在客户端库中,我将加密密钥。当客户端发出请求时,请验证密钥是否是您颁发给该特定客户端的密钥。
I think a good place to start would be reading over general information about digital signing. Wikipedia is a great resource http://en.wikipedia.org/wiki/Public_Key_Infrastructure or http://en.wikipedia.org/wiki/X.509.
On a basic level I would give each client a private Key. In the client library I would encrypt the key. When a client makes a request verify that the key is the one that you issued to that particular client.
看一下 3scale (http://www.3scale.net/) 来执行此操作 - 它处理身份验证、访问控制、策略、速率限制等,并且对于大量流量免费。我们有一个 PHP 模块可以插入到系统中以启用这些功能。 (免责声明 - 我在那里工作 - 但希望它有用!)
Take a look at 3scale (http://www.3scale.net/) to do this - it handles authentication, access control, policies, rate limits etc. and is free for significant traffic. We have a PHP module to plugin to the system to enable these features. (Disclaimer - I work there - but hope it's useful!)
你的问题比这个大一点;但我可以提供一个关于 REST 的小观察。
我在 REST 中发现,底层数据模型最好使用人工键,而不是自然键。
例如,考虑 RESTfull url:
https://server/yourApp/viewUser/1234.html这将显示 ID 为 1234 的用户。但是,如果您使用自然键,您可能会拥有类似以下的 URL这个 https://server/yourApp/viewUser/Bob.html 或更糟的是,如果不是 Bob,而是“Bob X”或“Bob?key=Value”。您不想必须考虑生成无效的 URL。Your question is a bit bigger than this; but I can offer one small observation about REST.
I have found with REST, that is that it is best to use artificial keys for the underlying data model, rather than natural keys.
For example, consider the RESTfull url:
https://server/yourApp/viewUser/1234.htmlthis would show the user with id 1234. However if you used natural keys you might have a URL something like thishttps://server/yourApp/viewUser/Bob.htmlor worse if instead of Bob its "Bob X" or "Bob?key=Value". You don't want to have to think about generating invalid URLs.我使用 CodeIgniter 和基本身份验证制作了 PHP REST API(提供“公司 ID”和“API 密钥”作为用户名/密码)。后来我们发现有必要提供与 API Key 直接相关的会话密钥,仅具有过期时间。
基本上,我们根据 URL 中提供的“方法”查询数据存储中不同类型的数据(nosql 品种:)。我们通过使用 CodeIgniter 提供的“段”功能来访问它。
然后我们用返回的“json_encode”包装每个响应,并且我们还使用 HTTPS 连接来确保安全。
对于客户端类,我们将所有内容包装在 $client->get_my_data($api_key) 等调用中,并在下面使用 PHP Libcurl 一层,它可以很好地提供基本身份验证。
希望这有帮助,
CURL_GET
I have made a PHP REST API using CodeIgniter with Basic Authentication, (providing "company id" and "API Key" as username/password). Later we found that it was necessary to provision session keys that were directly related to an API Key, only with an expiration time.
Basically, we queried different types of data in our datastore (nosql variety :) depending on what the "method" was provided in the URL. We accessed this by using the "segment" ability provided by CodeIgniter.
Then we wrapped each response with a "json_encode" that was returned and we also used an HTTPS connection for security.
For the client class we wrapped everything in calls such $client->get_my_data($api_key), with a layer underneath using PHP Libcurl, which works really well to provide the Basic Auth.
Hope this helps,
CURL_GET