所以我有一个带端点的API,如Traceback (most recent call last):
File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/unittest/case.py", line 331, in run
testMethod()
File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/nose/loader.py", line 418, in loadTestsFromName
addr.filename, addr.module)
File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/nose/importer.py", line 47, in importFromPath
return self.importFromDir(dir_path, fqname)
File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/nose/importer.py", line 94, in importFromDir
mod = load_module(part_fqname, fh, filename, desc)
File "/Users/curtis.salisbury/Documents/local_copy/trunk/automation/selenium/src/tests/framework/test_ddt.py", line 4, in <module>
from .base_framework import BaseFramework
File "/Users/curtis.salisbury/Documents/local_copy/trunk/automation/selenium/src/tests/framework/base_framework.py", line 2, in <module>
from tests.base_test_case import BaseTestCase
File "/Users/curtis.salisbury/Documents/local_copy/trunk/automation/selenium/src/tests/base_test_case.py", line 7, in <module>
import http.client
ImportError: No module named http.client
。
向那个端点发起 POST 请求（http://localhost:8080/api/authenticate），携带 email 和 password，即可获得身份验证令牌。到目前为止看起来还算稳固。
那么注册流程该怎么做？我需要创建某种“请求令牌”，但如何防止任意用户通过 API 随意创建请求令牌？我在考虑根据 password 生成一个令牌并返回，等用户真正注册时再检查该令牌是否存在。问题是任何人都可以访问 http://localhost:8080/api/request，哪怕他们根本不打算注册。有什么想法吗？
在生成 auth-token（cookie）之前先对用户进行身份验证：写一条查询，从用户表中按 email/password 匹配提取 id。只有当查询返回 id 时，才能确认该用户存在并已通过“身份验证”，此时才生成 auth-token（cookie）并将其设置为 usrid……
然而，把 cookie 直接设置为 usrid 并不是好做法！客户端的任何人都可以在请求中轻易伪造一个带任意数字的 cookie，从而冒充其他用户。你需要生成一个不可预测的随机“会话”标识符（而不是由用户 id 推导出来的值），再把它作为该用户的唯一标识存入数据库并下发到 cookie。
下面的代码给出了一个简单的会话令牌生成函数。注意：原文把它称为“加密函数”，但它只是对一个几乎不随机的数值做 MD5，并不能提供不可预测性；生产环境应改用加密安全的随机数（如 random_bytes）来生成会话令牌。
<?php
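// Login handler: verify e-mail/password from the POST body and, on success,
// issue a fresh session token to the client as the "usersesh" cookie.
//
// Only accept scalar strings: a request like `pass[]=x` would otherwise hand
// an array to the query builder. An explicit '' check (rather than empty())
// also stops the legitimate password "0" from being rejected.
$email = isset($_POST['email']) && is_string($_POST['email']) ? $_POST['email'] : '';
$pass  = isset($_POST['pass'])  && is_string($_POST['pass'])  ? $_POST['pass']  : '';
if ($email === '' || $pass === '') {
    //echo("error msg");
    die();
}

// NOTE(review): hard-coded root credentials; move them to a config file or
// environment variable outside the web root and use a least-privilege DB user.
$mysqli = new mysqli('localhost', 'root', 'root', 'accounts');
if ($mysqli->connect_error) {
    //echo("error msg");
    die();
}

// Prepared statement: the e-mail is untrusted input and must never be
// concatenated into SQL, even after real_escape_string(). Only the e-mail is
// looked up; the password is verified in PHP against the stored hash so it is
// never sent to the database in any form.
$stmt = $mysqli->prepare("SELECT `id`, `password` FROM `users` WHERE `email` = ?");
if ($stmt === false) {
    //echo("error msg");
    $mysqli->close();
    die();
}
$stmt->bind_param('s', $email);
$stmt->execute();
$stmt->bind_result($usrid, $storedHash);
$found = $stmt->fetch();   // true = row found, null = no such user, false = error
$stmt->close();

// The original computed md5($_POST['pass']) but then compared the RAW posted
// password in the query, so one of the two was wrong; both are unsafe. The
// `password` column must now hold a password_hash() value — existing rows need
// a one-off migration (or a re-hash on next successful login).
if ($found === true && password_verify($pass, $storedHash)) {
    $sesh = create_session($usrid);
    update_session($usrid, $sesh);
    // httponly keeps the token out of reach of page scripts; the secure flag is
    // set whenever the request itself arrived over HTTPS (plain http://localhost
    // during development still works).
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    setcookie("usersesh", $sesh, 0, "/", "", $secure, true);
} else {
    //echo("error msg");
}
$mysqli->close();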
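/**
 * Generate an unguessable session token for a freshly authenticated user.
 *
 * The original derived the token as md5($usrid * <3 digits of microtime>):
 * for a known user id that is at most 1000 possible values, so an attacker
 * could brute-force any user's session in a handful of requests. The token
 * must instead come from a cryptographically secure RNG.
 *
 * @param int|string $usrid  Kept for interface compatibility; a session token
 *                           must NOT be derived from the user id, so it is unused.
 * @return string 32 lowercase hex characters (128 bits of entropy). Same length
 *                as the old md5() output, so an existing CHAR(32) `session`
 *                column keeps working.
 * @throws Exception if no secure randomness source is available (random_bytes,
 *                   PHP >= 7.0).
 */
function create_session($usrid) {
    return bin2hex(random_bytes(16));
}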
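/**
 * Persist the session token for a user so later requests can be matched to it.
 *
 * Uses a prepared statement with bound parameters instead of string
 * concatenation plus real_escape_string(): the values never become part of the
 * SQL text, so a quoting or charset mistake cannot turn into injection.
 *
 * @param int|string $usrid  Primary key of the `users` row (bound as integer).
 * @param string     $sesh   Session token produced by create_session().
 * @return void Silently does nothing if the connection or prepare() fails,
 *              matching the original's fire-and-forget behaviour.
 */
function update_session($usrid, $sesh) {
    // NOTE(review): same hard-coded root credentials as the login block; a
    // shared connection passed in by the caller would avoid both the
    // duplication and a second handshake per login.
    $mysqli = new mysqli('localhost', 'root', 'root', 'accounts');
    if ($mysqli->connect_error) {
        return;
    }
    $stmt = $mysqli->prepare("UPDATE `users` SET `session` = ? WHERE `id` = ?");
    if ($stmt !== false) {
        $stmt->bind_param('si', $sesh, $usrid);
        $stmt->execute();
        $stmt->close();
    }
    $mysqli->close();
}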
?>