Design and security solutions for open Interface/restful/api Services

Tags: openid, representational state transfer, ticket

General Ideas

This involves two separate problems:
One is interface access authentication: deciding who may call the interface (user login authentication, route authentication).
The other is data transmission security: preventing interface data from being eavesdropped on (HTTPS secure transport, encryption of sensitive content, digital signatures).

User authentication: Token and session
An open interface API service is a stateless form of interaction between client and server, close to the REST (Representational State Transfer) style.
Ordinary website applications generally use a session to store and authenticate the logged-in user's information (stateful), while an open interface service or REST resource request uses a token to authenticate the logged-in user (stateless). A token is more like a lightweight session. A session is mainly used to maintain session state, with a cookie kept on the client to keep the user's session valid, whereas a token is used only to authenticate the identity of the logged-in user. Using tokens on mobile clients is therefore simpler and more secure than using sessions, and fits the stateless definition of REST better.

Token interaction process
The client submits the user name and password in a login request; the server verifies them, associates a token with the user, and returns the token to the client.
The client carries the token in every subsequent request, and the server checks the login state by parsing the token.
When the user logs out, when another device logs in to the same account, or when the token expires after a long period, the token becomes invalid and the user must log in again.

Token generation principle
Tokens generated by the server are typically random, non-repeating strings. Depending on the application's security requirements, the token is encrypted after a timestamp is added (so the time can be used to detect a compromised token) or is given a URL signature (so the requested address can be used to detect a compromised token). Typical token content includes: user name/appid, password/appsecret, authorized URL, a user-defined token (user-defined signature), timestamp, validity period (seconds), system signature (sign), and so on.
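The following is an added example, not code from the article: a self-describing token of the kind this section describes, carrying appid, timestamp, validity period, authorized URL and a random nonce, bound together by an HMAC "sign" computed with the appsecret. Field names, the token layout and the sample credentials are this example's own assumptions; the appsecret is used only as the signing key and is never placed inside the token.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample credentials; the appsecret is only the signing key and is
# never placed inside the token itself.
APP_SECRETS = {"wx_demo_app": "s3cr3t-appsecret-value"}

def _sign(payload: bytes, secret: str) -> str:
    # HMAC-SHA256 over the canonical payload bytes is the "sign" field.
    return hmac.new(secret.encode(), payload, hashlib.sha256).hexdigest()

def issue_token(appid, url, duration=7200, now=None):
    """Build '<base64 payload>.<sign>' for a known appid; None for an unknown one."""
    secret = APP_SECRETS.get(appid)
    if secret is None:
        return None
    body = {
        "appid": appid,
        "url": url,                      # the authorized URL the token is bound to
        "ts": int(time.time()) if now is None else now,
        "expires_in": duration,          # validity period in seconds
        "nonce": secrets.token_hex(8),   # random part so tokens never repeat
    }
    payload = json.dumps(body, sort_keys=True).encode()   # canonical form
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload, secret)

def verify_token(token, url, now=None):
    """Return (ok, reason): signature first, then expiry, then the URL binding."""
    try:
        b64, sign = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
        body = json.loads(payload)
        secret = APP_SECRETS.get(body.get("appid"))
    except (ValueError, AttributeError):   # bad split/base64/JSON, or JSON not an object
        return False, "malformed"
    if secret is None:
        return False, "unknown appid"
    if not hmac.compare_digest(_sign(payload, secret).encode(), sign.encode()):
        return False, "bad signature"    # content altered or token forged
    now = int(time.time()) if now is None else now
    if now >= body["ts"] + body["expires_in"]:
        return False, "expired"          # timestamp check
    if body["url"] != url:
        return False, "url mismatch"     # URL signature check
    return True, "ok"
```

Because the signature covers every field, changing the timestamp, validity period or URL inside a captured token invalidates it, which is what the timestamp and URL-signature checks in the section rely on.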

API interface service invocation process:
1. First obtain the globally unique interface call credential (access_token). This step must use the HTTPS secure transport protocol; otherwise, if the request is intercepted, the user name, password and other important data are leaked.
Specific process:
A. The client sends a request to the server over HTTPS containing the user name, password, request type, etc.
B. After the server receives the request, it verifies the user information; if it is correct, it returns access_token and expires, otherwise it returns errcode and errmsg.
C. On the server, access_token can be stored in a session or in an in-memory database such as Redis, with user_id as the key and access_token as the value.
D. After the client obtains access_token, it saves it to a file or to an in-memory database such as Redis. Saving it in a session or a database is not recommended: session data is easily lost, and a database involves I/O reads and writes, so performance is low.
2. Call the interface using a RESTful-style resource request, for example:
Https://api.weixin.qq.com/cgi-bin/user/info?access_token=ACCESS_TOKEN&openid=OPENID&lang=zh_CN
Normally the server returns a JSON packet to the caller: on success a JSON packet containing the business data, on failure a JSON packet containing errcode and errmsg.

Use the HTTPS protocol for sensitive API interfaces
HTTP, the Hypertext Transfer Protocol, uses TCP port 80 and by default transmits data in clear text, so the data can be captured with a packet-capture tool. For this reason, some of the more important sites on the Internet need their HTTP servers to use PKI (Public Key Infrastructure) technology to encrypt the data; this is HTTPS.
HTTPS, the secure Hypertext Transfer Protocol, uses TCP port 443. Its data is encrypted with the public key from the PKI, so a packet captured by a capture tool cannot be read, because the capturer does not have the key, and tampering with it is likewise pointless. Security is greatly improved; the private key in the PKI is used to decrypt the data. This is why sites with high security requirements, such as online banking and e-commerce sites, require HTTPS access.


access_token design principles explained
1. AppID: the interface's ID number.
2. AppSecret: the password.
3. access_token: the official account's globally unique interface call credential; the official account uses access_token when calling every interface. access_token is an encrypted string, introduced for interface security, since simply calling the server's interface directly would be risky. access_token carries information such as the AppID, secret, user-defined token, authorized URL and validity period. (It is the credential obtained after login and proves that you have logged in, much like a concert ticket proves that you bought a ticket and gets you in.)
4. expires_in: the expiry time of access_token. Because the caller is a third-party server, the server must return the expiry time to the third party so it can handle renewal properly. access_token is currently valid for 2 hours and must be refreshed periodically; acquiring a new one causes the previously acquired access_token to become invalid.
5. OpenID: used to identify users. Each user is given a secure openid for each official account; the openid is the result of encrypting the user's number, and each user has a unique OpenID per official account. Developers can use the OpenID to obtain basic user information.
6. UnionID: used to distinguish a user's uniqueness across applications. A user's UnionID is unique across the mobile apps, website apps and official accounts under the same open platform account. In other words, the same user has the same UnionID in different applications under the same open platform account.

Interface invocation request description
HTTPS request method: GET
Https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=APPID&secret=APPSECRET
Return description
Normally, the following JSON packet is returned to the official account:
{"access_token": "ACCESS_TOKEN", "expires_in": 7200}
(The storage for access_token must reserve at least 512 characters; expires_in is in seconds, and the validity period is 2 hours, i.e. 7,200 seconds.)
On error, a JSON packet such as the following is returned (this example is the invalid AppID error):
{"errcode": 40013, "errmsg": "Invalid AppID"}
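An added example covering the invocation process above (obtain access_token, then call a business interface with it) and the access_token design notes: it is neither the article's nor the WeChat platform's code. Two in-memory dicts stand in for the Redis store the article suggests, the appid/secret pair and the business data are constructed, and only error code 40013 comes from the article; the 9000x codes are placeholders.

```python
import secrets
import time

EXPIRES_IN = 7200                                       # 2 hours, as in the article
APP_CREDENTIALS = {"wx_demo_app": "s3cr3t-appsecret"}   # constructed sample appid/secret
_BY_APP = {}     # appid -> current access_token (the Redis key/value in the article)
_BY_TOKEN = {}   # access_token -> (appid, expiry timestamp)

def get_token(appid, secret, now=None):
    """Server side of /cgi-bin/token?grant_type=client_credential&appid=..&secret=.."""
    now = int(time.time()) if now is None else now
    if appid not in APP_CREDENTIALS:
        return {"errcode": 40013, "errmsg": "invalid appid"}       # code from the article
    if not secrets.compare_digest(APP_CREDENTIALS[appid], secret):
        return {"errcode": 90001, "errmsg": "invalid appsecret"}   # placeholder code
    old = _BY_APP.pop(appid, None)
    _BY_TOKEN.pop(old, None)             # repeated acquisition invalidates the last token
    token = secrets.token_urlsafe(96)    # 128 random chars: unique, well under 512
    _BY_APP[appid] = token
    _BY_TOKEN[token] = (appid, now + EXPIRES_IN)
    return {"access_token": token, "expires_in": EXPIRES_IN}

def user_info(access_token, openid, now=None):
    """Server side of /cgi-bin/user/info?access_token=..&openid=.. (constructed data)."""
    now = int(time.time()) if now is None else now
    entry = _BY_TOKEN.get(access_token)
    if entry is None:
        return {"errcode": 90002, "errmsg": "invalid access_token"}   # placeholder code
    appid, expiry = entry
    if now >= expiry:
        _BY_TOKEN.pop(access_token, None)
        return {"errcode": 90003, "errmsg": "access_token expired"}   # placeholder code
    return {"openid": openid, "appid": appid, "nickname": "demo user"}

class ApiClient:
    """Client side: caches access_token and its expiry, refreshes only when needed."""
    def __init__(self, appid, secret):
        self.appid, self.secret = appid, secret
        self.token, self.expiry = None, 0
    def _ensure_token(self, now):
        if self.token is None or now >= self.expiry - 300:    # refresh 5 minutes early
            r = get_token(self.appid, self.secret, now=now)
            if "errcode" in r:
                return r
            self.token, self.expiry = r["access_token"], now + r["expires_in"]
        return None
    def user_info(self, openid, now=None):
        now = int(time.time()) if now is None else now
        err = self._ensure_token(now)
        return err if err else user_info(self.token, openid, now=now)
```

The client never re-requests a token per call; doing so would invalidate the token any other instance of the same application is still using, which is the failure mode the expires_in note warns about.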


Copyright notice: This article is licensed under the Attribution-NonCommercial-ShareAlike (CC BY-NC-SA 3.0 CN) license; please credit the author and source.
Article title: Design and security scheme of open Interface/restful/api service
Article link: http://www.cnblogs.com/sochishun/p/7000335.html
Author: Sochishun (e-mail: 14507247#qq.com | blog: http://www.cnblogs.com/sochishun/)
Published: June 13, 2017
