
Authorization verification of yii2 RESTful

Apr 19, 2018 pm 02:13 PM
yii2 verify

What is a RESTful-style API? We previously wrote a long article introducing its concepts and basic operations.

Since that has already been covered, what is there to say today?

This article is mainly about deploying APIs in real-world scenarios.

Today we are going to talk about the authorization verification problems the API ran into over the years! This is original work; if you benefit from reading it, please don't forget to give me a like.

Business Analysis

Let's first understand the entire logic:

1. The user fills in the login form on the client
2. The user submits the form and the client requests the login interface, login
3. The server verifies the user's account and password, and returns a valid token to the client
4. The client gets the user's token and stores it on the client, for example in a cookie
5. The client carries the token when accessing interfaces that require verification, such as the interface for obtaining the user's personal information
6. The server verifies the validity of the token. If verification passes, it returns the information the client needs; if verification fails, the user needs to log in again

In this article, we take user login and fetching the user's personal information as the example and explain it in full detail.

The above is the focus of this article. Don't get excited or nervous yet. Now that we have analyzed it, we will go through the details step by step.

Preparation work

1. You should have an api application.
2. For the client, we will use Postman for simulation. If Postman is not installed in your Google browser, please download it yourself first.
3. The user table used for testing needs an api_token field. If it does not have one, add it first and make sure the field is long enough.
4. The api application enables pretty URLs and first configures the POST login action and the GET signup-test action.
5. Disable the session of the user component.

For points 4 and 5 of the preparation above, here is the code for easier understanding:

'components' => [
    'user' => [
        'identityClass' => 'common\models\User',
        'enableAutoLogin' => true,
        'enableSession' => false,
    ],
    'urlManager' => [
        'enablePrettyUrl' => true,
        'showScriptName' => false,
        'enableStrictParsing' => true,
        'rules' => [
            [
                'class' => 'yii\rest\UrlRule',
                'controller' => ['v1/user'],
                'extraPatterns' => [
                    'POST login' => 'login',
                    'GET signup-test' => 'signup-test',
                ]
            ],
        ]
    ],
    // ......
],

With the signup-test action we will later add a test user to make the login operation easier. Other kinds of actions will be added later as needed.

Selection of authentication class

The model class we set in api\modules\v1\controllers\UserController points to the common\models\User class. To keep the focus on the key points, we do not copy it out and rewrite it separately here. Depending on your needs, copy a separate User class to api\models if necessary.

To verify user permissions, we take yii\filters\auth\QueryParamAuth as an example:

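use yii\helpers\ArrayHelper;
use yii\filters\auth\QueryParamAuth;

public function behaviors()
{
    // Attach the token authenticator to every action of this controller
    return ArrayHelper::merge(parent::behaviors(), [
        'authenticator' => [
            'class' => QueryParamAuth::className()
        ]
    ]);
}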

Doesn't this mean that every action on the user controller requires authentication? That won't work: where would the token come from when the client first calls the login action? yii\filters\auth\QueryParamAuth exposes a property for listing the actions that do not require verification. We slightly modify the behaviors method of UserController:

public function behaviors()
{
    return ArrayHelper::merge(parent::behaviors(), [
        'authenticator' => [
            'class' => QueryParamAuth::className(),
            // Actions listed here can be called without a token
            'optional' => [
                'login',
                'signup-test'
            ],
        ]
    ]);
}

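This way the login action can be accessed without authorization verification.

Add test users

To keep the client login from failing, we first write a simple method that inserts two rows into the user table, which makes the verification that follows easier.

Add a signupTest action to UserController. Note that this method is outside the scope of this explanation; we use it only to make testing easier.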

use common\models\User;

/**
 * Add a test user
 */
public function actionSignupTest()
{
    $user = new User();
    $user->generateAuthKey();
    $user->setPassword('123456');
    $user->username = '111';
    $user->email = '111@111.com';
    // save(false) skips model validation
    $user->save(false);

    return [
        'code' => 0
    ];
}

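As above, we added a user whose username is 111 and whose password is 123456.

Login action

Suppose the user enters a username and password on the client to log in. The server-side login action is actually very simple; most of the business logic is handled in api\models\loginForm. Let's first look at the implementation of login: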

use Yii;
use yii\web\IdentityInterface;
use api\models\LoginForm;

/**
 * Login
 */
public function actionLogin()
{
    $model = new LoginForm;
    // Load the submitted form fields into the model
    $model->setAttributes(Yii::$app->request->post());
    if ($user = $model->login()) {
        if ($user instanceof IdentityInterface) {
            return $user->api_token;
        } else {
            return $user->errors;
        }
    } else {
        return $model->errors;
    }
}

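After a successful login, the user's token is returned to the client here. Now let's look at how the login logic itself is implemented.

Create api\models\LoginForm.PHP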

<?php
namespace api\models;

use Yii;
use yii\base\Model;
use common\models\User;

/**
 * Login form
 */
class LoginForm extends Model
{
    public $username;
    public $password;

    private $_user;

    const GET_API_TOKEN = 'generate_api_token';

    public function init()
    {
        parent::init();
        $this->on(self::GET_API_TOKEN, [$this, 'onGenerateApiToken']);
    }

    /**
     * @inheritdoc
     * Rules for validating the form data sent by the client
     */
    public function rules()
    {
        return [
            [['username', 'password'], 'required'],
            ['password', 'validatePassword'],
        ];
    }

    // ......
}
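
The token issue-and-check flow from the business analysis (steps 3 and 6), reduced to plain PHP without Yii, as an added example that is not the article's code. The in-memory $users array, the TOKEN_TTL lifetime, the function names and storing only a SHA-256 hash of the token in api_token are assumptions of this example.

```php
<?php
// Added example, not the article's code. $users is a constructed stand-in for
// the user table; TOKEN_TTL and hashing the stored token are assumptions.
const TOKEN_TTL = 3600; // seconds a token stays valid (assumed value)

$users = [
    '111' => [
        'password_hash' => password_hash('123456', PASSWORD_DEFAULT),
        'api_token' => null,   // SHA-256 of the current token, never the token itself
        'token_expires' => 0,
    ],
];

// Step 3: verify account and password, then hand back a fresh token.
function login(array &$users, string $username, string $password, int $now): ?string
{
    $user = $users[$username] ?? null;
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return null; // same answer for unknown user and wrong password
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $users[$username]['api_token'] = hash('sha256', $token);
    $users[$username]['token_expires'] = $now + TOKEN_TTL;
    return $token;
}

// Step 6: map a presented token back to a user; null means "log in again".
function findUserByToken(array $users, string $token, int $now): ?string
{
    $candidate = hash('sha256', $token);
    foreach ($users as $username => $user) {
        if ($user['api_token'] !== null
            && hash_equals($user['api_token'], $candidate) // constant-time compare
            && $now < $user['token_expires']) {
            return (string) $username; // numeric array keys come back as int
        }
    }
    return null;
}

$now = time();
$token = login($users, '111', '123456', $now);
var_dump(login($users, '111', 'wrong-password', $now));           // rejected login
var_dump(findUserByToken($users, $token, $now));                  // valid token
var_dump(findUserByToken($users, $token, $now + TOKEN_TTL + 1));  // expired token
var_dump(findUserByToken($users, 'forged-token', $now));          // unknown token
```

With QueryParamAuth the token travels in the URL query string, so it can end up in web server access logs and browser history; a limited lifetime bounds what a leaked token is worth.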