

Dead simple authorization technique based on HTTP verbs

Published: 2023/11/29 (编程问答, posted by 豆豆)


Authorization is a basic feature of modern web applications. It is the mechanism that grants access rights or privileges to resources according to user roles. CMS-like applications need advanced libraries and authorization techniques, but for minimal applications a full-fledged library can be unnecessary overhead.


For that second case, I will discuss a dead simple authorization technique based on HTTP verbs.


Things to consider beforehand

This technique isn’t something you can implement anywhere. Use this only if your requirements match the particular scenario.


  • It works only for REST APIs. Everything happens in the middleware layer. If you have a simple MVC-based REST API, this is for you.
  • It relies heavily on the HTTP verbs and the URL naming convention, so API endpoints should be clearly and consistently structured, along these lines:

List Products : GET /products
Product Detail : GET /products/{id}
Create Product : POST /products
Update Product : PUT /products/{id}
Delete Product : DELETE /products/{id}

  • An endpoint can do many things, and not all of them can be expressed by its name and HTTP verb alone. If you require complex authorization, you cannot rely on this technique by itself.

Let's implement the dead simple authorization technique based on HTTP verbs. For demo purposes we will use Node.js, but you can implement it on any language and platform of your choice: core Node.js, Express, AWS Lambda, etc.


Step 1: Encode the user role into a JWT

The JWT is the key piece here: the user's role is encoded in it. The token is issued when the user logs in.


const jwt = require('jsonwebtoken');

// userData is the authenticated user's record; its role (e.g. "admin",
// "vendor", "customer") is the only claim the middleware needs.
// expiresIn bounds how long a leaked token stays usable.
const token = jwt.sign({
  role: userData.role
}, JWT_KEY, { expiresIn: '1h' });

On subsequent API calls, the token is passed as the value of the Authorization header.


Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdW...

Step 2: Decode the token and check permissions

When a request with the JWT in its header reaches the web server, it passes through a middleware layer, where the token is extracted and decoded. To check permissions we need two pieces of information:

  • User role: decoded from the token
  • Resource name: identified from the request URL
const jwt = require('jsonwebtoken');

// extract token from header (Node lowercases incoming header names)
let authHeader = request.headers.authorization || "";
let token = authHeader.split(" ")[1];

// decode token and get user's 'role'; pinning the algorithm makes verify
// reject a token whose "alg" header differs from the one we issued
let decodedVal = jwt.verify(token, process.env.JWT_KEY, { algorithms: ["HS256"] });
let role = decodedVal.role;

// get resource name (based on your web framework)
// eg:
// GET /products/1 => 'products'
// PUT /users/3    => 'users'
// POST /orders    => 'orders'
let resourceName = request.url.split("/")[1];

How the HTTP verb and resource name are retrieved differs by language and framework; the code above is for demonstration only.


Permissions are stored per user role in the following structure. Each role has access to certain resources, and within a resource it may perform only the actions identified by the listed HTTP verbs.


const PERMISSIONS = {
  "vendor": {
    "products": ["POST", "PUT", "DELETE", "GET"],
    "orders": ["POST", "PUT", "DELETE", "GET"],
    "stores": ["POST", "PUT", "DELETE", "GET"],
    "dashboard": ["GET"]
  },
  "customer": {
    "products": ["GET"],
    "orders": ["GET"],
    "stores": ["GET"],
    "comments": ["GET", "POST"],
    "shopping-carts": ["GET", "POST"],
    "dashboard": ["GET"]
  },
  "admin": {
    "products": ["POST", "PUT", "DELETE", "GET"],
    "orders": ["POST", "PUT", "DELETE", "GET"],
    "stores": ["POST", "PUT", "DELETE", "GET"],
    "comments": ["POST", "PUT", "DELETE", "GET"],
    "shopping-carts": ["POST", "PUT", "DELETE", "GET"],
    "dashboard": ["POST", "PUT", "DELETE", "GET"]
  }
};

The function below returns whether the user's role is allowed to perform the request's HTTP verb on the resource.


function checkPermission(role, resource, httpVerb) {
  // unknown role or resource => deny (fail closed)
  if (PERMISSIONS[role] && PERMISSIONS[role][resource])
    return PERMISSIONS[role][resource].includes(httpVerb);
  return false;
}

// Example
// request from "admin"
// POST https://test-domain.com/products/ => true
// request from "customer"
// POST https://test-domain.com/products/ => false

Based on the result, the request is either forwarded to the next middleware layer or controller, or rejected with an error response.


This approach works only for the use cases described above. If your scenario matches, you can implement the technique quickly and easily instead of relying on heavy libraries.


What do you think about this technique? Do you have a better approach? Please share it in the comments below.


Original article: https://medium.com/@bibhutipd/dead-simple-authorization-technique-based-on-http-verbs-7a2c3cfbde2f

