2025-02-25 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Token design principle
Summary of interface features:
1. The interfaces are not public: all of them are closed and valid only for the company's own products.
2. Because they are not public, the OAuth protocol does not apply: there is no third-party authorization step in which an intermediate user grants access.
3. Some interfaces require the user to be logged in.
4. Some interfaces can be accessed without a user login.
PHP Token
Given the characteristics above, communication between the mobile client and the server requires two keys, that is, two tokens.
The first token is for the interface (api_token)
The second token is for users (user_token)
Let's start with the first token (api_token)
Its job is to keep interface access hidden and valid, ensuring that the interface can only be used by the company's own clients. The reference idea is as follows:
A token string is generated from attributes that both the server and the client know. The client generates the string, and the server generates one with the same algorithm and uses it to verify the client's string.
The interfaces follow the MVC pattern and the URLs are RESTful in style. The general URL format is:
http://blog.snsgou.com/<module name>/<controller name>/<method name>?<parameter name 1>=<parameter value 1>&<parameter name 2>=<parameter value 2>&<parameter name 3>=<parameter value 3>
The generation rule for the api_token is:
api_token = md5('module name' + 'controller name' + 'method name' + '2013-12-18' + 'encryption key') = 770fed4ca2aabd20ae9a5dd774711de2
Where:
1. '2013-12-18' is the current date.
2. The 'encryption key' is a private key. When the mobile client registers an "interface user" account with the server, the system assigns it an account and a password. The data table is designed as follows:
Field name       Field type      Comment
client_id        varchar(20)     client ID
client_secret    varchar(20)     client (encrypted) key
Server-side interface verification. The PHP implementation is as follows:
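The following is an added example of the server-side api_token check, not the article's own listing. It applies the generation rule above (md5 of module, controller, method, date and client secret) and looks the secret up by client_id. The client table is stood in for by an in-memory array, and the client_secret value is a constructed placeholder; accepting yesterday's date as well as today's is an assumption added to tolerate clock skew around midnight.

```php
<?php
// Added example (not the article's code): verifying api_token on the server.
declare(strict_types=1);

// Constructed stand-in for the client table: client_id => client_secret.
// The secret below is a placeholder, not a real credential.
const CLIENTS = [
    'wt3734wy636dhd3636sr5858t6' => 'example-secret-placeholder',
];

/**
 * Compute the api_token exactly as the article's rule specifies:
 * md5(module . controller . method . date . secret).
 */
function computeApiToken(string $module, string $controller, string $method,
                         string $date, string $secret): string
{
    return md5($module . $controller . $method . $date . $secret);
}

/**
 * Verify a client-supplied api_token.
 * Returns true only if the client_id is known and the token matches the
 * expected value for today or yesterday (assumed skew tolerance).
 */
function verifyApiToken(string $clientId, string $apiToken,
                        string $module, string $controller, string $method,
                        ?DateTimeImmutable $now = null): bool
{
    if (!isset(CLIENTS[$clientId])) {
        return false;                               // unknown interface user
    }
    $secret = CLIENTS[$clientId];
    $now = $now ?? new DateTimeImmutable('now', new DateTimeZone('UTC'));

    foreach ([0, 1] as $daysBack) {
        $date     = $now->sub(new DateInterval("P{$daysBack}D"))->format('Y-m-d');
        $expected = computeApiToken($module, $controller, $method, $date, $secret);
        // hash_equals compares in constant time, so response timing does not
        // leak how many leading characters of the token were correct.
        if (hash_equals($expected, $apiToken)) {
            return true;
        }
    }
    return false;
}

// Usage: derive module/controller/method from the request path, then check.
$path = '/blog/Index/addBlog';                      // constructed example request
[$module, $controller, $method] = array_values(array_filter(explode('/', $path)));
$clientId = 'wt3734wy636dhd3636sr5858t6';
$today    = new DateTimeImmutable('2013-12-18', new DateTimeZone('UTC'));

// A token the client would compute for this request with its own secret.
$goodToken = computeApiToken($module, $controller, $method, '2013-12-18', CLIENTS[$clientId]);

var_dump(verifyApiToken($clientId, $goodToken, $module, $controller, $method, $today));          // correct token
var_dump(verifyApiToken($clientId, str_repeat('0', 32), $module, $controller, $method, $today)); // forged token
var_dump(verifyApiToken('no-such-client', $goodToken, $module, $controller, $method, $today));   // unknown client
```

Because the secret is concatenated into the digest, the article's md5 construction acts as a shared-secret MAC over the route and date. In new code, hash_hmac('sha256', $module . $controller . $method . $date, $secret) is the idiomatic replacement; the structure of the check (look up the secret by client_id, recompute, compare with hash_equals) stays the same.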
Now the second token (user_token)
Its job is to avoid submitting the user's name and password repeatedly, reducing the chance of the password being exposed.
If the interface requires a user to log in, the access process is as follows:
1. The user submits "user name" and "password" to log in (use HTTPS if at all possible).
2. After a successful login, the server returns a user_token. The generation rules are as follows:
user_token = md5('user uid' + 'Unix timestamp') = etye0fgkgk4ca2aabd20ae9a5dd77471fgf
The server maintains the status of user_token with a data table, which is designed as follows:
Field name      Field type      Comment
user_id         int             user ID
user_token      varchar(36)     user token
expire_time     int             expiration time (Unix timestamp)
(Note: only the core fields are listed; extend the rest as needed.)
After generating the user_token, the server returns it to the client, which stores it. On each API request to an interface that requires login, the client passes user_id and user_token back to the server. On receiving these two parameters, the server performs the following steps:
1. Verify the validity of the api_token.
2. Delete expired user_token records.
3. Look up the table record by user_id and user_token. If no record exists, return an error immediately; otherwise continue.
4. Extend the expiration time of the user_token (so that a session stays valid while it is in continuous use).
5. Return the interface data.
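As an added example (not the article's code), the following implements the user_token side of this flow: issuing a token at login and then steps 2 to 4 of the request handling (purge expired rows, look up by user_id and user_token, slide the expiry). Step 1, the api_token check, is assumed to have already passed. The table is an in-memory SQLite table with the columns listed above; the validity window USER_TOKEN_TTL and the timeline values are assumptions. One deliberate departure from the article's rule: the token mixes in random bytes in addition to uid and timestamp, because md5(uid + timestamp) alone can be reproduced by anyone who knows the uid and roughly when the user logged in.

```php
<?php
// Added example (not the article's code): user_token issue/verify with sliding expiry.
declare(strict_types=1);

const USER_TOKEN_TTL = 7 * 24 * 3600;   // assumed validity window in seconds

/** Create the user_token table from the article (in-memory SQLite for the example). */
function openUserTokenStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user_token (
                   user_id     INTEGER     NOT NULL,
                   user_token  VARCHAR(36) NOT NULL,
                   expire_time INTEGER     NOT NULL,
                   PRIMARY KEY (user_id, user_token))');
    return $db;
}

/** Login step 2: issue a token after the password check has succeeded. */
function issueUserToken(PDO $db, int $userId, int $now): string
{
    // Article rule is md5(uid . timestamp); random bytes are added here so the
    // token cannot be recomputed from public information (labelled departure).
    $token = md5($userId . $now . bin2hex(random_bytes(16)));
    $stmt  = $db->prepare('INSERT INTO user_token (user_id, user_token, expire_time) VALUES (?, ?, ?)');
    $stmt->execute([$userId, $token, $now + USER_TOKEN_TTL]);
    return $token;
}

/** Request step 2: delete expired records; returns the number removed. */
function purgeExpiredUserTokens(PDO $db, int $now): int
{
    $stmt = $db->prepare('DELETE FROM user_token WHERE expire_time <= ?');
    $stmt->execute([$now]);
    return $stmt->rowCount();
}

/** Request steps 2-4: purge, look up (user_id, user_token), extend the expiry. */
function verifyUserToken(PDO $db, int $userId, string $token, int $now): bool
{
    purgeExpiredUserTokens($db, $now);

    // Prepared statement: user_id and user_token are bound, never interpolated.
    $stmt = $db->prepare('SELECT 1 FROM user_token WHERE user_id = ? AND user_token = ?');
    $stmt->execute([$userId, $token]);
    if ($stmt->fetchColumn() === false) {
        return false;                               // no such record: reject
    }

    // Step 4: slide the expiry so an active session stays valid.
    $upd = $db->prepare('UPDATE user_token SET expire_time = ? WHERE user_id = ? AND user_token = ?');
    $upd->execute([$now + USER_TOKEN_TTL, $userId, $token]);
    return true;
}

// Usage on a constructed timeline (t0 = 2013-12-18 00:00:00 UTC).
$db  = openUserTokenStore();
$t0  = 1387324800;
$tok = issueUserToken($db, 12, $t0);

var_dump(verifyUserToken($db, 12, $tok, $t0 + 3600));                          // live token, expiry extended
var_dump(verifyUserToken($db, 12, 'not-a-valid-token', $t0 + 3600));           // unknown token
var_dump(verifyUserToken($db, 12, $tok, $t0 + 3600 + USER_TOKEN_TTL + 1));     // past the slid expiry: purged
```

Two details worth keeping when adapting this: the purge runs before the lookup so an expired token can never be revived by the step 4 update, and the expiry is extended only after a successful match, so failed lookups leave the table unchanged.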
An example interface follows:
1. Publish a blog post
URL: http://blog.snsgou.com/blog/Index/addBlog?client_id=wt3734wy636dhd3636sr5858t6&api_token=880fed4ca2aabd20ae9a5dd774711de2&user_token=etye0fgkgk4ca2aabd20ae9a5dd77471fgf&user_id=12
Request method: POST
POST parameters: title=I am the title&content=I am the content
Return data:
{
    'code' => 1,                      // 1: success, 0: failure
    'msg'  => 'Operation succeeded',  // or e.g. 'Login failed, no right to access'
    'data' => []
}