"Reprint" API permission design Summary

Source: Internet
Author: User
Tags: explode, md5, encryption

This article transfers from: http://blog.csdn.net/initphp/article/details/8636669

API Permissions Design Summary:

Recently I have been working on API permission design, so here is a summary of the permission design.

1. Suppose the API to be accessed looks like this: http://xxxx.com/openapi/v1/get/user/?key=xxxxx&sign=sadasdas&timestamp=2013-03-05 10:14:00&c=c&a=a&d=d

2. Controller called by the interface: openapi/v1/get/user/

3. Step one: as the server, first check that the required parameters are present: key (the user's key), sign (the signature string) and timestamp (the time of the request; the server uses it to decide how long the request stays valid). If any of these parameters is missing, a parameter-error result is returned.

4. Step two: if the parameters are present, check the API whitelist: does the requested API (openapi/v1/get/user/) exist in our database? There is generally an API data table for this. If the called API is not in the whitelist, or access to it has been closed, a forbidden result is returned.

5. Step three: if the API is in the whitelist, check the user's key. The server keeps a user rights table that records each user's key, the corresponding secret, and the list of APIs the user may call. Check whether the user has permission for this API (openapi/v1/get/user/); if so, continue, otherwise deny the request.

6. Step four: if the user permission check passes, the most important step follows: verification of the sign signature.

Signature algorithm:

Signature: MD5(request parameters sorted in ascending order by name, excluding the key and sign parameters, followed by the user's secret key)

PHP signing code:

```php
<?php
// $p holds the request parameters as "name=value" strings, with the key
// and sign parameters already left out; $secret is the user's secret key
// looked up in the user rights table.
$parr = [];
foreach ($p as $v) {
    $temp = explode("=", $v, 2);      // split on the first "=" only
    $parr[$temp[0]] = $temp[1];
}
ksort($parr);                         // sort by parameter name, ascending
$pstr2 = "";
foreach ($parr as $k => $v) {
    $pstr2 .= $k . $v;                // concatenate name and value
}
$sign = md5($pstr2 . $secret);        // append the user's secret and hash
```

Note: the timestamp must be included among the signed parameters so that the client cannot tamper with it.

On the client side, the parameters to be sent are sorted in ascending order, the user's secret key (stored in the server's database and never published) is appended, the result is hashed with MD5, and the hash is sent to the server in the sign parameter.

The server takes the received sign value, sorts the received parameters with the same algorithm, looks up the secret key by the user's key, runs the same hash, and compares its own sign with the one the client sent. If they match, the request passes; if someone tampered with the data in transit, the recomputed sign will not match. This guarantees the reliability and security of the data the user sends.

7. Step five: check the timestamp: compare the client time with the server time, and if they differ by more than 10 minutes, return a timeout result. This ensures that the request data expires after a certain time.

8. Step six: invoke the corresponding business logic.
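As an added example (not code from the original article), here is the whole six-step check written in Python rather than PHP, so that the client-side signing and the server-side verification can be run against each other. The API table, user table, secret value and URL are constructed for illustration and stand in for the database tables the article describes; the server time is passed in as an argument so the 10-minute window can be exercised deterministically.

```python
import hashlib
import hmac
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed stand-ins for the article's "API data table" and
# "user rights table" (not real records or secrets).
API_WHITELIST = {
    "openapi/v1/get/user/": True,    # whitelisted and open
    "openapi/v1/del/user/": False,   # exists but closed for access
}
USER_TABLE = {
    "xxxxx": {"secret": "example-secret-not-real",
              "apis": {"openapi/v1/get/user/"}},
}
TIMESTAMP_FMT = "%Y-%m-%d %H:%M:%S"   # format used in the article's URL
WINDOW = timedelta(minutes=10)        # step five: allowed clock skew


def make_sign(params, secret):
    """Article's algorithm: drop key and sign, sort the remaining parameters
    by name, concatenate name+value, append the user's secret, MD5."""
    body = "".join(k + v for k, v in sorted(params.items())
                   if k not in ("key", "sign"))
    return hashlib.md5((body + secret).encode("utf-8")).hexdigest()


def build_url(base, api, params, secret):
    """Client side: sign the parameters and append sign to the query."""
    signed = dict(params)
    signed["sign"] = make_sign(params, secret)
    return f"{base.rstrip('/')}/{api}?{urlencode(signed)}"


def check_request(url, now):
    """Server side: steps one to five; returns 'ok' or the rejection reason."""
    parts = urlsplit(url)
    api = parts.path.lstrip("/")
    params = dict(parse_qsl(parts.query, keep_blank_values=True))

    # Step one: required parameters present.
    for name in ("key", "sign", "timestamp"):
        if name not in params:
            return "param_error"
    # Step two: API whitelist, and the API not closed.
    if not API_WHITELIST.get(api):
        return "forbidden_api"
    # Step three: user key exists and user may call this API.
    user = USER_TABLE.get(params["key"])
    if user is None or api not in user["apis"]:
        return "forbidden_user"
    # Step four: recompute sign with the stored secret; compare in
    # constant time so the comparison itself leaks nothing.
    expected = make_sign(params, user["secret"])
    if not hmac.compare_digest(expected.encode(), params["sign"].encode()):
        return "bad_sign"
    # Step five: timestamp within the 10-minute window.
    try:
        ts = datetime.strptime(params["timestamp"], TIMESTAMP_FMT)
    except ValueError:
        return "param_error"
    if abs(now - ts) > WINDOW:
        return "timeout"
    return "ok"   # step six: hand over to the business logic


if __name__ == "__main__":
    request = {"key": "xxxxx", "timestamp": "2013-03-05 10:14:00",
               "c": "c", "a": "a", "d": "d"}
    url = build_url("http://xxxx.com", "openapi/v1/get/user/",
                    request, USER_TABLE["xxxxx"]["secret"])
    print(url)
    print(check_request(url, datetime(2013, 3, 5, 10, 20, 0)))
```

Two design notes on the article's scheme, from a defender's point of view. First, concatenating name and value with no separator means different parameter sets can hash to the same string (the pairs a=bc and ab=c both yield "abc"), so a real implementation should use an unambiguous encoding such as the URL-encoded `name=value&...` form. Second, MD5 over data with a secret appended is a legacy construction; the same four-step flow works unchanged with HMAC-SHA256 keyed by the user's secret, which is what current designs use.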
