Source code Design API authentication based on Tornado signature cookie

Source: Internet
Author: User
Tags md5 encryption

Idea 1

The server and the client hold the same string. The client sends this string along with every API request, and the server validates it: if it matches, the corresponding data is returned, otherwise access is denied.

Disadvantages

If an attacker intercepts the request, the string is obtained directly, and whoever holds it can send requests to the server and obtain the data. The security is far too low.

Idea 2

Use a dynamic, time-based verification code instead. The fixed string stays the same, but it is combined with the time of the current request and passed through the MD5 hash algorithm to produce a verification code that changes with time. The request then carries both this verification code and the request time. The server takes the client's time, combines it with its own copy of the fixed string, hashes it the same way, and compares the result with the code the client sent to decide whether they match.

Advantages

1. Time limit

2. Encryption rule restriction (the string cannot be modified)

Disadvantages

This looks perfect, but the remaining problem is fatal: every verification code you generate stays valid once an attacker has intercepted it. As the project runs longer, the attacker accumulates more and more valid authentication strings for your API interface, which could even be sold.

Idea 3

Building on the above, add an expiration limit: the first time a verification string is seen, store it together with its time as a key-value pair and give it a timeout. Redis or MongoDB are suitable stores, because both can set an expiry on a key-value pair and clear it automatically when it times out.

Advantages

Three levels of checks verify the legitimacy of the user.

Small bug

If the attacker is faster than you, intercepts the request while you are sending it and submits it before you do, the attacker's submission succeeds and you become the illegal user. The probability of this happening is, of course, very small.

Treatment methods

Encrypt the entire data you send. Then even if the attacker obtains your data and submits it faster than you, that is equivalent to submitting your own data.
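The three checks of Idea 3 (time window, signature, one-time use) and the weakness of Idea 2 (a captured signature stays valid) can be seen side by side in the following added example. It is not code from the original post: the secret, the 10-second window (the post gives no value) and the in-memory ReplayStore standing in for a Redis key with a timeout are all assumptions made here. Passing store=None reproduces Idea 2; passing a ReplayStore gives Idea 3.

```python
import hashlib
import hmac
import time

# Constructed placeholder secret shared by client and server (assumption, not the post's value)
SECRET = "asdfuasodijfoausfnasdf"
# Assumed acceptance window in seconds; the post does not state its value
WINDOW_SECONDS = 10.0


def make_signature(secret, ctime):
    """Signature exactly as the post builds it: md5('<secret>|<timestamp>')."""
    return hashlib.md5(("%s|%s" % (secret, ctime)).encode("utf-8")).hexdigest()


def build_header(secret, now=None):
    """Client side: the '<md5>|<timestamp>' value sent in the Auth-api header."""
    ctime = str(time.time() if now is None else now)
    return "%s|%s" % (make_signature(secret, ctime), ctime)


class ReplayStore:
    """In-memory stand-in for a Redis key with a timeout: entries expire after ttl seconds."""

    def __init__(self, ttl):
        self.ttl = ttl
        self._seen = {}  # signature -> expiry time

    def seen_or_record(self, sig, now):
        # Purge expired entries (Redis does this automatically)
        for k, exp in list(self._seen.items()):
            if exp <= now:
                del self._seen[k]
        if sig in self._seen:
            return True
        self._seen[sig] = now + self.ttl
        return False


def verify(header_val, secret, now, store=None):
    """Server side. Returns (ok, reason); store=None is Idea 2, a ReplayStore is Idea 3."""
    try:
        client_sig, client_ctime = header_val.split("|", maxsplit=1)
        client_float_ctime = float(client_ctime)
    except ValueError:
        return False, "malformed header"
    # First check: the client's timestamp must fall within the window
    if client_float_ctime + WINDOW_SECONDS < now:
        return False, "expired"
    # Second check: recompute the signature; compare_digest avoids a timing side channel
    expected = make_signature(secret, client_ctime)
    if not hmac.compare_digest(expected, client_sig):
        return False, "bad signature"
    # Third check: a signature is accepted only once while it is still in the store
    if store is not None and store.seen_or_record(client_sig, now):
        return False, "replayed"
    return True, "ok"


if __name__ == "__main__":
    header = build_header(SECRET, now=1000.0)
    print(verify(header, SECRET, now=1005.0))                     # Idea 2: first use accepted
    print(verify(header, SECRET, now=1005.0))                     # Idea 2: replay also accepted
    store = ReplayStore(WINDOW_SECONDS)
    print(verify(header, SECRET, now=1005.0, store=store))        # Idea 3: first use accepted
    print(verify(header, SECRET, now=1006.0, store=store))        # Idea 3: replay rejected
```

Note that with the store in place whichever copy of the request arrives first is the one accepted, which is exactly the race the post describes under "Small bug". Two design points a practitioner would add: the standard construction for a keyed check like this is HMAC (for example HMAC-SHA256) rather than md5 over a concatenation, and including the request method, path and body in the signed string is the usual way to reach what the treatment paragraph aims at, since a signature over the whole request cannot be transplanted onto a different one.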


Client code

import requests
import time
import hashlib


def md5(arg):
    hs = hashlib.md5()
    hs.update(arg.encode('utf-8'))
    return hs.hexdigest()


key = "asdfuasodijfoausfnasdf"
ctime = str(time.time())
new_key = "%s|%s" % (key, ctime,)  # asdfuasodijfoausfnasdf|timestamp
md5_str = md5(new_key)  # e.g. 6f800b6a11d3f9c08c77ef8f77b2d460
auth_header_val = "%s|%s" % (md5_str, ctime,)  # 6f800b6a11d3f9c08c77ef8f77b2d460|timestamp
print(auth_header_val)
response = requests.get('http://127.0.0.1:8000/api/test.html', headers={'Auth-api': auth_header_val})
print(response.text)

Service-side code

import hashlib
import time
from django.http import HttpResponse


def md5(arg):
    hs = hashlib.md5()
    hs.update(arg.encode('utf-8'))
    return hs.hexdigest()


key = "asdfuasodijfoausfnasdf"
# The acceptance window in seconds; the value was lost from the page, 10 is an assumed placeholder
TIMEOUT_SECONDS = 10

# In production this lives in Redis or memcache with a timeout; a dict stands in here
visited_keys = {
    # "841770f74ef3b7867d90be37c5b4adfc": timestamp
}


def api_auth(func):
    def inner(request, *args, **kwargs):
        server_float_ctime = time.time()
        # Django exposes the Auth-api header as HTTP_AUTH_API
        auth_header_val = request.META.get('HTTP_AUTH_API')  # 841770f74ef3b7867d90be37c5b4adfc|1506571253.9937866
        client_md5_str, client_ctime = auth_header_val.split('|', maxsplit=1)
        client_float_ctime = float(client_ctime)
        # First check: the request time must be within the window
        if (client_float_ctime + TIMEOUT_SECONDS) < server_float_ctime:
            return HttpResponse('Too much time has passed')
        # Second check: the signature must match what the server computes
        server_md5_str = md5("%s|%s" % (key, client_ctime,))
        if server_md5_str != client_md5_str:
            return HttpResponse('Signature mismatch')
        # Third check: each signature may be used only once
        if visited_keys.get(client_md5_str):
            return HttpResponse('Too late, this request was already used')
        visited_keys[client_md5_str] = client_float_ctime
        return func(request, *args, **kwargs)
    return inner


@api_auth
def test(request):
    return HttpResponse('Normal User')

On the server, the API-validation code block is written as a decorator and applied to each view it protects.
