Objective:
---> Non-open platform
---> In-house products
Interface Features Summary:
1, because the platform is not open, all interfaces are closed and serve only the company's own internal products;
2, because the platform is not open, the OAuth protocol does not fit: there is no third-party user-authorization step in the middle;
3, some interfaces require the user to be logged in before they can be accessed;
4, some interfaces can be accessed without the user logging in;
Given these characteristics, communication between the mobile client and the server needs 2 keys, that is, 2 tokens.
The first token is for the interface (api_token);
The second token is for the user (user_token);
First, the api_token
Its job is to keep the interface hidden and its access valid, so that only the company's own clients can call it. How is that done? The idea is as follows:
Today's interfaces are basically built on the MVC pattern with RESTful-style URLs, whose general format is:
http://cnblogs.com/{module name}/{controller name}/{method name}?{parameter name 1}={value 1}&{parameter name 2}={value 2}&{parameter name 3}={value 3}
The interface token generation rule is referenced as follows:
api_token = MD5('module name' + 'controller name' + 'method name' + '2013-12-18' + 'encryption key') = 770fed4ca2aabd20ae9a5dd774711de2
Where:
1, '2018-06-03' is the date of the current day,
2, 'encryption key' is a private encryption key. The mobile client must register an "interface user" account on the server; the system assigns it an account (client_id) and a secret (client_secret). The reference table design is as follows:
| Field name | Field type | Comments |
| --- | --- | --- |
| client_id | varchar(20) | Client ID |
| client_secret | varchar(20) | Client (encryption) key |
(Note: only the core fields are listed; extend the table as needed.)
The server-side interface verification, implemented in PHP, proceeds as follows:

```php
<?php
// 1, read the GET parameter values
$module     = $_GET['mod'];
$controller = $_GET['ctl'];
$action     = $_GET['act'];
$client_id  = $_GET['client_id'];
$api_token  = $_GET['api_token'];

// 2, using the client_id passed by the client, query the database for the matching client_secret
$client_secret = getClientSecretById($client_id);

// 3, regenerate the api_token on the server side
$api_token_server = md5($module . $controller . $action . date('Y-m-d', time()) . $client_secret);

// 4, compare the client's api_token with the server-generated one (strict comparison);
//    if they differ, validation fails
if ($api_token !== $api_token_server) {
    exit('access deny');   // deny access
}

// 5, validation passed, return data to the client
// ...
?>
```
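The following is an added example, not code from the original post, showing both sides of the api_token scheme above: the client builds the token, the server recomputes it and compares. It assumes the client_id from the use case below and a constructed client_secret; the function names are hypothetical. It also goes a little beyond the post in two places a practitioner would want: the comparison uses hash_equals() instead of a loose string comparison, and the server accepts yesterday's token for a few minutes after midnight, because the token changes with the date and the phone's clock will not match the server's exactly.

```php
<?php
// Added example (not the original post's code): both sides of the api_token check.
// Assumptions: the client was registered and holds $clientSecret; the server looks the
// secret up by client_id. Function and variable names are hypothetical.

// Build the token the same way on client and server. The date makes the token rotate
// daily; $date is a parameter so the server can also test yesterday's token near midnight.
function buildApiToken(string $module, string $controller, string $action,
                       string $date, string $clientSecret): string
{
    return md5($module . $controller . $action . $date . $clientSecret);
}

// Server side: recompute and compare in constant time. hash_equals() avoids timing leaks
// and PHP's loose == comparison, which treats two hex strings of the form "0e123..."
// as equal numbers.
function verifyApiToken(array $params, callable $lookupSecret, int $skewSeconds = 300): bool
{
    foreach (['mod', 'ctl', 'act', 'client_id', 'api_token'] as $k) {
        if (!isset($params[$k]) || !is_string($params[$k])) {
            return false;   // missing or malformed parameter: deny
        }
    }
    $secret = $lookupSecret($params['client_id']);
    if ($secret === null) {
        return false;       // unknown client_id: deny
    }
    $now = time();
    // Accept today's token and, within $skewSeconds after midnight, yesterday's.
    $dates = [date('Y-m-d', $now)];
    if ($now - strtotime('today', $now) < $skewSeconds) {
        $dates[] = date('Y-m-d', $now - 86400);
    }
    foreach ($dates as $d) {
        $expected = buildApiToken($params['mod'], $params['ctl'], $params['act'], $d, $secret);
        if (hash_equals($expected, $params['api_token'])) {
            return true;
        }
    }
    return false;
}

// --- constructed demo data: one registered client and one request ---
$clients = ['wt3734wy636dhd3636sr5858t6' => 'constructed-secret-for-demo'];
$lookup  = function (string $id) use ($clients): ?string {
    return $clients[$id] ?? null;   // stands in for the database query
};

// Client side: sign a call to module "blog", controller "post", method "publish" for today.
$request = [
    'mod' => 'blog', 'ctl' => 'post', 'act' => 'publish',
    'client_id' => 'wt3734wy636dhd3636sr5858t6',
];
$request['api_token'] = buildApiToken('blog', 'post', 'publish', date('Y-m-d'),
                                      $clients['wt3734wy636dhd3636sr5858t6']);
$accepted = verifyApiToken($request, $lookup);

// A tampered copy of the same request must not verify.
$request['api_token'] = strrev($request['api_token']);
$rejected = verifyApiToken($request, $lookup);

var_dump($accepted, $rejected);
```

One caveat worth keeping in mind: because client_secret is shipped inside the mobile app, anyone who extracts it can build valid tokens, so this token hides the interface from casual callers and ties calls to a registered client; it is not user authentication, which is what the user_token below is for.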
Second, the user_token
Its role is to keep the user's username and password from being submitted over and over, so that the password is not exposed.
If an interface requires the user to be logged in, the access flow is as follows:
1, the user submits a "username" and "password" to log in (if conditions allow, this step should go over HTTPS);
2, after a successful login, the server returns a user_token; the generation rule is referenced as follows:
The server maintains the state of each user_token in a data table, designed as follows:
| Field name | Field type | Comments |
| --- | --- | --- |
| user_id | int | User ID |
| user_token | varchar(36) | User token |
| expire_time | int | Expiration time (Unix timestamp) |
(Note: only the core fields are listed; extend the table as needed.)
After the server generates the user_token it returns it to the client, which stores it. On every subsequent interface request that requires login, the client sends user_id and user_token back to the server. On receiving these 2 parameters the server does the following:
1, check the validity of the api_token;
2, delete expired records from the user_token table;
3, look up the record by user_id and user_token; if no record exists, return an error directly; if it exists, go on to the next step;
4, extend the expiration time of the user_token (sliding expiry, so that a continuously active user is not logged out);
5, return the interface data;
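The following is an added example, not the original post's code, that walks through steps 2 to 5 above against an in-memory SQLite copy of the user_token table (it needs PHP's pdo_sqlite extension). The post gives no generation rule for user_token, so the random 36-character value issued at login is this example's own choice, as is the one-week lifetime; the function names are hypothetical. Step 1, the api_token check, is assumed to have passed before checkUserToken() is called.

```php
<?php
// Added example (not the original post's code): the user_token lifecycle from steps 1-5,
// against an in-memory SQLite table via PDO so it runs offline.
// Assumptions: token = 18 random bytes as hex (36 chars, fits varchar(36)); lifetime one
// week of inactivity. Function names are hypothetical.

const USER_TOKEN_TTL = 7 * 24 * 3600;   // assumed lifetime: one week of inactivity

function openStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user_token (
        user_id     INTEGER     NOT NULL,
        user_token  VARCHAR(36) NOT NULL,
        expire_time INTEGER     NOT NULL,
        PRIMARY KEY (user_id, user_token))');
    return $db;
}

// Called after a successful username/password login: issue a fresh, unguessable token.
function issueUserToken(PDO $db, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(18));   // CSPRNG; never derive the token from the password
    $stmt  = $db->prepare('INSERT INTO user_token (user_id, user_token, expire_time) VALUES (?, ?, ?)');
    $stmt->execute([$userId, $token, $now + USER_TOKEN_TTL]);
    return $token;
}

// Steps 2-4 for a login-required interface. Returns true when the caller may go on to
// step 5 (return data); false means "return the error response".
function checkUserToken(PDO $db, int $userId, string $token, int $now): bool
{
    // Step 2: purge expired records.
    $db->prepare('DELETE FROM user_token WHERE expire_time < ?')->execute([$now]);

    // Step 3: look up by user_id AND user_token, as a prepared statement (no string building).
    $stmt = $db->prepare('SELECT expire_time FROM user_token WHERE user_id = ? AND user_token = ?');
    $stmt->execute([$userId, $token]);
    if ($stmt->fetchColumn() === false) {
        return false;   // unknown, mismatched or expired token
    }

    // Step 4: slide the expiry so an active user stays logged in.
    $db->prepare('UPDATE user_token SET expire_time = ? WHERE user_id = ? AND user_token = ?')
       ->execute([$now + USER_TOKEN_TTL, $userId, $token]);
    return true;
}

// --- constructed walk-through ---
$db    = openStore();
$t0    = 1700000000;                           // constructed "now"
$token = issueUserToken($db, 12, $t0);         // user_id 12, as in the post's use case

$active    = checkUserToken($db, 12, $token, $t0 + 60);                      // token presented by its owner
$wrongUser = checkUserToken($db, 13, $token, $t0 + 60);                      // same token, different user_id
$lapsed    = checkUserToken($db, 12, $token, $t0 + USER_TOKEN_TTL + 3600);   // long after the last activity

var_dump($active, $wrongUser, $lapsed);
```

Of the three checks, only the first succeeds: the second fails because the lookup keys on user_id and user_token together, and the third fails because the sliding expiry set by the first call has passed, at which point step 2 has already deleted the row. Issuing a new token on each login rather than reusing one per user also means that logging out (deleting the row) on one device does not affect another.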
An interface use case is as follows:
1, publish a log entry
URL: http://www.cnblogs.com/klsfct/p/9110590.html?client_id=wt3734wy636dhd3636sr5858t6&api_token=880fed4ca2aabd20ae9a5dd774711de2&user_token=etye0fgkgk4ca2aabd20ae9a5dd77471fgf&user_id=12
Request method: POST
POST parameters: title=I am the title&content=I am the content
Return data:
```php
[
    'code' => 1,                      // 1: success, 0: failure
    'msg'  => 'operation succeeded',  // or: login failed, unauthorized access
    'data' => [],
]
```
A brief analysis of PHP api_token and User_token