Bypassing a Digest Authentication middleware (with Zend Expressive)?

Time: 2018-11-29 15:07:04

Tags: php authentication middleware digest-authentication zend-expressive

So I am working on an API that uses a digest authentication middleware. If a particular parameter is present in the request, I want to be able to bypass the authentication entirely.

```php
<?php
// Namespaces below are assumed (http-interop 0.4 delegate, Diactoros response,
// psr7-middlewares DigestAuthentication); adjust to the ones your project uses.
use Interop\Http\ServerMiddleware\DelegateInterface;
use Interop\Http\ServerMiddleware\MiddlewareInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr7Middlewares\Middleware\DigestAuthentication;
use Zend\Diactoros\Response;

class DigestAuthMiddleware implements MiddlewareInterface
{
    /** @var array username => password map passed to DigestAuthentication */
    private $credentials;
    /** @var string realm sent in the WWW-Authenticate challenge */
    private $realm;

    public function process(ServerRequestInterface $request, DelegateInterface $delegate)
    {
        /* TODO:: Figure out how to bypass the digest auth below */
        /* Have tried: (if detect particular parameter) */
        // return new Response\HtmlResponse(true);
        // return new Response();

        /* Begin digest authentication */
        $authentication = new DigestAuthentication($this->credentials);
        $authentication->realm($this->realm);
        $authentication->nonce(uniqid());

        // Double-pass invocation: the closure is only called once the
        // credentials have been verified.
        return $authentication(
            $request,
            new Response(),
            function ($request) use ($delegate) {
                return $delegate->process($request);
            }
        );
    }
}
```

Guys, am I on the right track? Any help or suggestions are welcome!

1 answer:

Answer 0: (score: 0)

You have a few options:

1. If only a few of the API's routes require authentication, you can add the middleware manually to just those routes, so the remaining routes will not require authentication. For example:

```php
'home' => [
    'path'            => '/',
    'middleware'      => [YourAuthenticationMiddleware::class, HomePageHandler::class],
    'allowed_methods' => ['GET'],
    'name'            => 'home',
],
```
2. If there are a few routes that do not need authentication, you can place them under a path different from the API's and add the following pipe:

```php
$app->pipe('/api', YourAuthenticationMiddleware::class);
```

No auth path: /myApp/any/path
Auth path: /api/any/path
3. Set a key for each route and check it in the authentication middleware.

Route:

```php
'login' => [
    'path'            => '/login[/]',
    'middleware'      => LoginHandler::class,
    'allowed_methods' => ['GET', 'POST'],
    'name'            => 'login',
    'authentication'  => [
        'bypass' => true,
    ],
],
```

AuthenticationMiddleware:

```php
use Zend\Expressive\Router\RouteResult;

$this->routeConfiguration = $config['routes'];
$routeResult = $request->getAttribute(RouteResult::class);
...
if (empty($this->routeConfiguration[$routeResult->getMatchedRouteName()]['authentication']['bypass'])) {
    // try to authenticate
}
```

For the last option, make sure this pipe has been injected:

```php
$app->pipe(RouteMiddleware::class);
```
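The third option carried through as one complete middleware, written as an added example rather than the question's or the answer's code. It is PSR-15 style (Zend Expressive 3 `process($request, $handler)`), so the `DelegateInterface` from the question is replaced by `RequestHandlerInterface`. Assumptions: the class name `RouteAwareDigestAuthenticationMiddleware`, the `Psr7Middlewares\Middleware\DigestAuthentication` import for the question's `DigestAuthentication` (double-pass `($request, $response, $next)` as in the question), and a `routes` configuration keyed by route name exactly as the answer's `'login' => [...]` snippet shows. The bypass is an explicit per-route allow-list: when no `RouteResult` attribute is present (the middleware was piped before `RouteMiddleware`) or the route did not match, it fails closed and still issues the digest challenge.

```php
<?php
declare(strict_types=1);

namespace App\Middleware;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Psr7Middlewares\Middleware\DigestAuthentication; // assumed library for the question's class
use Zend\Diactoros\Response;
use Zend\Expressive\Router\RouteResult;

/**
 * Added example: digest authentication that is skipped only for routes whose
 * configuration carries 'authentication' => ['bypass' => true].
 *
 * Assumed pipeline placement (config/pipeline.php):
 *   $app->pipe(RouteMiddleware::class);                         // sets RouteResult
 *   $app->pipe(RouteAwareDigestAuthenticationMiddleware::class); // this class
 *   $app->pipe(DispatchMiddleware::class);
 */
final class RouteAwareDigestAuthenticationMiddleware implements MiddlewareInterface
{
    /** @var array<string, array> route name => route config (assumed keyed by name, as in the answer) */
    private $routeConfiguration;

    /** @var array<string, string> username => password */
    private $credentials;

    /** @var string */
    private $realm;

    public function __construct(array $routeConfiguration, array $credentials, string $realm)
    {
        $this->routeConfiguration = $routeConfiguration;
        $this->credentials        = $credentials;
        $this->realm              = $realm;
    }

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        if ($this->routeBypassesAuthentication($request)) {
            // Explicitly allow-listed route: hand straight to the next handler.
            return $handler->handle($request);
        }

        $authentication = new DigestAuthentication($this->credentials);
        $authentication->realm($this->realm);
        $authentication->nonce(uniqid('', true));

        // Double-pass invocation as in the question; the closure runs only after
        // the library has verified the Authorization header.
        return $authentication(
            $request,
            new Response(),
            function (ServerRequestInterface $request) use ($handler): ResponseInterface {
                return $handler->handle($request);
            }
        );
    }

    /**
     * True only when the matched route is explicitly flagged for bypass.
     * Missing RouteResult, failed match, or missing flag all mean "authenticate".
     */
    private function routeBypassesAuthentication(ServerRequestInterface $request): bool
    {
        $routeResult = $request->getAttribute(RouteResult::class);

        if (! $routeResult instanceof RouteResult || ! $routeResult->isSuccess()) {
            return false; // fail closed
        }

        $routeName = $routeResult->getMatchedRouteName();
        $config    = $this->routeConfiguration[$routeName] ?? [];

        return ($config['authentication']['bypass'] ?? false) === true;
    }
}
```

The decision is keyed on the route name the router already resolved, not on anything the client sends, so a request cannot opt itself out of the challenge; the only way to make a route public is to flag it in the route configuration, which keeps the set of unauthenticated endpoints reviewable in one place.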