在这种情况下,您在REST API中不使用会话是什么选择
我正在为我的API控制器使用此方法:
public function register(Request $request)
{
// Validation Data
$validData = $this->validate($request, [
'user_input' => 'required|regex:/^09\d{9}$/|max:11|min:11',
'user_full_name' => 'nullable|max:20|min:3',
]);
Session::put('user_full_name', $request->user_full_name);
$sms = new SendSms(request()->all()['user_input'],43,request()->all());
$sms->send();
return response([
'data' => 'verification code is sent',
'status' => 200
]);
}
您可以看到,我已经在包含用户名的方法中设置了一个会话:
Session::put('user_full_name', $request->user_full_name);
但是这是错误的,因为我不使用REST API的好处,而REST不应随附会议。
而且,我确实需要知道输入的用户名并在下一步获取该数据,这就是为什么我使用会议的原因。
因此,问题是做这件事的替代方法是什么合适的& REST API的标准?
I'm using this method for my API controller:
public function register(Request $request)
{
// Validation Data
$validData = $this->validate($request, [
'user_input' => 'required|regex:/^09\d{9}$/|max:11|min:11',
'user_full_name' => 'nullable|max:20|min:3',
]);
Session::put('user_full_name', $request->user_full_name);
$sms = new SendSms(request()->all()['user_input'],43,request()->all());
$sms->send();
return response([
'data' => 'verification code is sent',
'status' => 200
]);
}
As you can see I have set a session in the method that contains user name:
Session::put('user_full_name', $request->user_full_name);
But this is wrong because I'm not using the benefits of REST API and REST shouldn't come with sessions.
And also I DO need to know the entered user name and get that data for the next steps and that is why I used sessions.
So the question is what is the alternative way of doing this that is suitable & standard in REST API?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
而不是服务器端会话,我们将会话数据与每个请求一起发送。这使得通信无状态和可扩展。根据技术,最简单的是在授权标题。更复杂的是,在使用用户名和密码进行第一次成功身份验证之后,服务器设置了一个不同的值,例如用户ID并使用其私钥签名。在下一个请求中,客户端可以将用户ID与签名一起发送回签名,并且服务器可以使用公共密钥检查是否由私钥签名。您甚至可以将签名提供服务与签名支票服务分开。因此,例如,您可以执行
auth.example.com和api.example.com和api.example.com仅接受auth.example.com签名的内容,但没有用户名和密码。一个额外的图层正在加密用户ID和签名,因此很难复制它们并添加到期时间,因此很难重播请求。签署每个请求是最安全的,但最昂贵的方法是这样做的。和OFC。您需要SSL。在您的大量情况下,没有用户ID,因为它是注册。在这种情况下,只需将整个填充表格存储在客户端即可。如果它没有JavaScript或某些服务器旁语言,则可能在cookie内部,并将其与验证代码一起发送回服务器。
这样做的另一种方法是使用非常长的随机ID创建服务器上资源的临时交易类型,并且客户端可以知道资源的ID,并将交易ID与验证代码一起发送回交易ID。该解决方案需要服务器资源,因此它与会话管理有些相似,但是如果您难以将会话完全保留在客户端,并且当您最终需要一致性,多标签表单,多步骤过程等时,这是一个很好的妥协。高层情况我宁愿使用第一种方法他们需要单击链接到达智能手机的SMS。
Instead of server side sessions we send the session data along with every request. This makes the communication stateless and scalable. As of the techniques, the simplest is sending username and password with every request in an Authorization header. Somewhat more complicated that after the first successful authentication with the username and password, the server sets a different value with for example the user id and signs it with its private key. In the next request the client can send back the user id along with the signature and the server can check with the public key whether it is signed by the private key. You can even separate the signature giving service from the signature checking service. So for example you can do something like
auth.example.comandapi.example.comand theapi.example.comaccepts only the signed stuff, but not the username and password. An additional layer is encrypting both the user id and the signature, so it will be harder to copy them and adding an expiration time, so it will be harder to replay the request. Signing each request is the safest, but the most expensive way of doing this. And ofc. you need SSL.In your upper case there is no user id, because it is registration. In that case just store the entire half filled form in the client. If it doesn't have javascript or some server side language, then maybe inside a cookie and send it back to the server along with the verification code.
Another way of doing this is creating a temporary transaction type of resource on the server with a very long random id and the client can know the id of the resource and it sends back the transaction id along with the verification code. This solution requires server resources, so it is somewhat similar to session management, but it is a good compromise if you struggle keeping the session entirely on the client and when you need eventual consistency, multi tab forms, multi step processes, etc. In the upper case I would rather use the first method unless the verification code goes on a completely different communication channel like SMS, android app, etc. and there is no way or you don't want them to type it to the client manually e.g. to verify they need to click on a link arrived in SMS to their smartphone.
如果您要求使用JSON Web令牌(JWT)的Laravel Passport或Sanctum。 JWT是用于API保护的常见标准,我不会写一些有关如何做的教程,因为有很多。
if you are asking for an alternativ you can go with Laravel Passport or sanctum that using JSON Web token (JWT). JWT is common standar for API protection, i'am not going to write some tutorial on how to do that because there are plenty of them.
首先,我不建议使用无效数据进行任何形式的验证。这来自您的验证上下文,我相信您应该制作
'user_full_name'=> “必需”,因为您将使用它进行验证。其次,我认为会话或任何替代方案不是解决这种情况的好方法,我宁愿使用Auth Middleware保护验证路线,发行并返回圣所api令牌
然后,我将使用用户进入授权标头的令牌来检索用户代码,然后检查针对已发送代码的代码进行验证。 (我也会坚持验证代码)。
First Off, I wouldn't recommend using Nullable Data for Verification of any sort. This comes from your validation context, I believe you should make
'user_full_name' => 'required'since you'll be using it for verification.Secondly, I don't think Session or any alternative is a good way of solving this scenario, I'll rather protect the verification route with the auth middleware, Issue and return a Sanctum API Token
I'll then retrieve the user using the token that'll come as Authorization Header when the user enters the code, then check the code against the sent code for verification. (I'll persist the verification code too).
我只是想分享有关这个问题的一些想法。
从严格的“无状态”角度,使用会话或通过每个请求中的身份验证字段仍在使用会话。
如果您要处理一个过程,那么一系列的状态下一个领导/喂食的状态,这并不是真正的“无状态”过程。
但是,如果您只是为了提供资源,那么可能是一种真正无状态的方法。
但是,无论您如何切片,一个过程都需要状态。唯一的问题是,它在何处,验证了它以及有关如何从您的服务运输的细节。
cookie,JWT甚至URL编码状态都不是无状态的,这只是您选择如何建模该状态如何传输,摄入和维护该状态的问题。
因此,可以说,您当前的解决方案不是“错误的”,这只是在请求之间管理应用程序状态的一种可能实现。
如果您的应用程序在浏览器中运行而不是命令行,则每次请求都会自动获得cookie,标题和会话,因此您应该随时使用它们。
但是,如果您使用的是AJAX请求,则必须在其中手动提供/定义标题并维护会话,那么是的,您可能需要使用JWT或其他方法对状态进行建模。
至于如何在不重新验证其字段的情况下对用户数据之间的数据保持认识,这正是令牌的目的。
然后,您将在请求之间传递这些令牌,然后通过使用任何相关记录引用令牌来检索字段。
然后,您将管理应用程序服务器/服务中该令牌的寿命/费率限制。
无论如何,也许这很有用,洞察力。
I just wanted to share a few thoughts on the subject.
Using Sessions, or passing authentication fields in every request is still using sessions, from a strictly "stateless" perspective.
If you are dealing with a process, a series of states where one leads/feeds the next, it's not really a "stateless" process.
However, if you are simply serving resources, then yes perhaps a truly stateless approach is possible.
But no matter how you slice it, a process will require state. The only question is, where it is held, verified and the details on how it gets transported to and from your services.
Cookies, JWT or even URL encoded state are all not stateless, it's just a matter of how you choose to model how that state is transmitted, ingested verified and maintained.
So all that to say, your current solution, is not "wrong", it's just one possible implementation of managing the state of your application between requests.
If your application is running within a browser and not a command line, you automatically get Cookies, Headers and Sessions with every request, so you should feel free to use them.
If however you are using AJAX requests, where you must manually supply/define your headers and maintain Sessions, then yes you may want to model your state using JWT or other methods.
As for how do you maintain an awareness of your users data between request without revalidating their fields, that is exactly what tokens are for.
You then would pass those tokens between requests, then retrieve the fields by referencing the token with any associated records.
You then would manage the life/rate limits of that token in your application server/services.
Anyways, perhaps that is useful, insight.
我猜想您需要该值,即以后将从API烘烤的函数(另一个请求),但信息不完整。如果需要,可以选择几个替代方案。一个人将该值返回给客户端,因此可以在随后的API调用中使用。另一个是将数据存储在数据库中,并使用一些ID或令牌存储,并在响应中返回该ID或令牌,以便客户端可以在随后的API调用中使用它,您可以使用该值从数据库中检索数据。
当下一个API调用需要大量数据时,第二种方法会更好。对于几个数据点,第一位导师更好。
I'm guessing you need that value for a function that will be baked later from the API (another request), but information is incomplete. If you need that, there are a couple alternatives. One is returning that value to the client, so it can be used on a subsequent API call. Another is storing data in the database with some id or token, and return that id or token in the response so the client can use it in subsequent API calls and you can use that value to retrieve the data from the database.
The second method is better when there is a lot of data that the next API call needs. The first mentor is better for a few data points.