
What is the Token design in API interface design?

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article explains what Token design means in API interface design. The content is concise and easy to understand, and I hope the detailed introduction gives you something useful.

In real website design we often run into the problems of user data authentication and encryption: how to implement single sign-on, how to guarantee that data has not been tampered with, how to prevent replay, how to prevent CSRF, and so on.

The design of the Token is unavoidably involved in every one of these service designs.

At present, based on who generates the Token, we divide Token generation into two types:

1. Visible signed requests for users / web pages (client Token)

2. Invisible signed requests for communication between servers (API Token)

For requests that come from the client side rather than from another server, we need some custom handling according to the actual application scenario.

In this discussion, we divide client-side requests into two parts:

Login-state Token, which requires the user to be logged in

Temporary Token, which does not require login

Of the two kinds of request:

1. For requests that do not require login, the server generates a unique, time-limited token when the user visits the page, and the token differs for each request. This approach is used when many interfaces do not require login and static pages cannot be used. The token expires after a set period, which prevents machines from crawling the interfaces that do not require login.

2. In the logged-in state, the token is kept for a set period, and the token carried in the page identifies the user. At the same time, the login-state Token needs to incorporate session and page information so that it cannot be reused elsewhere.

Although there are some differences between the two functions, the principle of implementation is the same.

1. Non-login client Token

In the signature algorithm, {session} identifies the request of the current page through its encrypted information.

The visitor's IP and browser information are recorded in {browser summary} to prevent the token from being used from a different machine.

Usage scenarios:

Media that accesses the page temporarily: prevents a crawler from calling other interfaces indefinitely after it has obtained a token.

Dynamic temporary interfaces: prevents machines from continuously harvesting data from dynamic temporary page content.

2. Login status Token

The login Token is generally generated by the server after the user logs in and is stored in the browser for a long time to keep the user logged in.

At the same time, we can add verification elements to the Token, such as browser information, IP, and Cookies.

Token = Encode(MD5({session} + {user information summary} + {TimeStamp}) + TimeStamp)

If a logged-in user visits a page with strict timeliness requirements, we can add a session check, set the session's validity period, and thereby implement automatic logout.

TimeStamp is used to verify when the Token was generated.

At the same time, Redis's HSET can be used to implement multi-point and single-point sign-on:

Single point: the previous token is removed automatically after login.

Multi point: the new Token is appended to the user's Token list after login.

Logout: the session expires, or the token is removed from Redis.
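The following is an added Python example, not code from the article, covering both the non-login client Token (section 1) and the login-state Token (section 2), since the article says their implementation principle is the same. The token follows the article's formula Token = Encode(MD5({session} + {user summary} + {timestamp}) + timestamp) with MD5 kept as the article has it (a keyed HMAC would be the stronger choice in a new design); verification checks the timestamp against a validity period, and a small in-memory class stands in for the Redis hash to show single-point versus multi-point sign-on. The TTL, session ids and user summaries are constructed values.

```python
import base64
import hashlib
import hmac
import time

# Added example following the article's formula
#   Token = Encode(MD5({session} + {user summary} + {timestamp}) + timestamp)
# The TTL, session ids and user summaries below are constructed values.
TOKEN_TTL = 3600  # assumed validity period in seconds


def make_login_token(session_id, user_summary, ts=None):
    """Issue a token; user_summary carries the browser/IP details the article mentions."""
    ts = int(time.time()) if ts is None else ts
    digest = hashlib.md5(f"{session_id}{user_summary}{ts}".encode()).hexdigest()
    # the digest contains only hex characters, so "." is a safe delimiter
    return base64.urlsafe_b64encode(f"{digest}.{ts}".encode()).decode()


def verify_login_token(token, session_id, user_summary, now=None, ttl=TOKEN_TTL):
    """Decode the token and re-derive the digest; reject it if expired or altered."""
    now = int(time.time()) if now is None else now
    try:
        digest, ts_text = base64.urlsafe_b64decode(token.encode()).decode().split(".")
        ts = int(ts_text)
    except ValueError:  # bad base64, wrong field count or non-numeric timestamp
        return False
    if ts > now or now - ts > ttl:  # issued in the future or past its validity
        return False
    expected = hashlib.md5(f"{session_id}{user_summary}{ts}".encode()).hexdigest()
    return hmac.compare_digest(digest, expected)  # constant-time comparison


class TokenStore:
    """Stands in for a Redis hash per user (HSET / HDEL) holding the active tokens."""

    def __init__(self, single_point=True):
        self.single_point = single_point
        self._hash = {}  # user_id -> {token: session_id}

    def login(self, user_id, token, session_id):
        if self.single_point:
            self._hash[user_id] = {}  # single point: earlier tokens are dropped
        self._hash.setdefault(user_id, {})[token] = session_id  # multi point: append

    def logout(self, user_id, token):
        self._hash.get(user_id, {}).pop(token, None)  # explicit logout removes the entry

    def is_active(self, user_id, token):
        return token in self._hash.get(user_id, {})
```

A token issued for one browser summary fails verification under another, which is the "different machine" check the article describes; the store makes the single-point behaviour (a second login evicts the first token) and the multi-point behaviour (both stay active until logged out) directly testable.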

Server verification of the Token:

```
Sign + TimeStamp = Decode(Token)
if (Sign === MD5({session} + {user information summary} + {TimeStamp})) {
    // XXXX
}
```

3. Server-to-server communication API Token

In conventional API Token systems, we usually use short-lived Tokens (OAuth Tokens excepted).

Usually an API Token is generated with asymmetric cryptography, but in real-world production the Token key is often simplified to plain salt parameters such as app_id and app_key. Even so, as long as the secret key is kept properly, the Token can hardly be cracked.

Token generation algorithm:

```php
/**
 * generate token
 * @param $user_info string
 * @param $app_key   string app_key
 * @param $app_id    int    app_id
 * @return string
 */
public function generate_access_token($user_info, $app_key, $app_id)
{
    $time = time();
    // the signature must cover exactly the fields the parser recomputes:
    // sha1(time . user_info . app_key)
    $sign = sha1($time . $user_info . $app_key);
    // the delimiter is recommended to be replaced with other characters
    $token = base64_encode("{$time},{$user_info},{$app_id},{$sign}");
    return $token;
}
```

Here app_key and app_id form a pair of private and public keys, unique and corresponding to each other; app_key is the one kept private. A typical service system provides a function to change the app_key, to deal with an app_key that has been leaked accidentally.

Token decryption:

```php
/**
 * parse token
 * @param $access_token string
 * @return array
 */
public function analysis_access_token($access_token)
{
    $token_array = base64_decode($access_token);
    // the delimiter is determined by the Token generation algorithm
    $token_array = explode(',', $token_array);
    if (count($token_array) !== 4) {
        // call_back() is defined elsewhere in the service and ends the request
        call_back(1101, 'Access Token format error! token=' . $access_token);
    }
    $time      = $token_array[0];
    $user_info = $token_array[1];
    $app_id    = $token_array[2]; // exposed public key
    $sign      = $token_array[3];
    // the time check window can be customized
    if ($time < (time() - 60) || $time > (time() + 60)) {
        call_back(1101, 'Access Token expire! token=' . $access_token);
    }
    global $third_platform_app_key; // app_id -> app_key lookup table
    if (!isset($third_platform_app_key[$app_id])) {
        call_back(1101, 'Access Token App id error! token=' . $access_token);
    }
    $app_key    = $third_platform_app_key[$app_id];
    $local_sign = sha1($time . $user_info . $app_key); // sign with the private key
    // verify the validity of the signature
    if ($local_sign === $sign) {
        return [
            'access_token' => $access_token,
            'user_info'    => $user_info,
            'time'         => $time,
            'app_id'       => $app_id,
            'app_key'      => $app_key,
        ];
    } else {
        call_back(1101, 'Access Token Sign error! token=' . $access_token);
    }
}
```

This Token approach requires each request to generate a new token, which ensures the timeliness of the request.
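As an added example (a Python rendering of the server-to-server scheme above, not the article's PHP), the block below issues and parses a per-request API Token with the same fields and the same ±60 second window. Two things differ from the PHP on purpose: the fields are carried as a JSON array rather than a comma-joined string, which is one way to act on the article's advice to replace the delimiter (a comma inside user_info can otherwise shift the field boundaries), and the signature comparison is constant-time. The app_id/app_key table, the key and the TokenError class (standing in for call_back) are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example; the app_id -> app_key table and the key are constructed values.
THIRD_PLATFORM_APP_KEY = {1001: "constructed-app-key-1001"}
TIME_WINDOW = 60  # seconds of clock skew tolerated either side, as in the article


class TokenError(Exception):
    """Raised where the article's PHP calls call_back(1101, ...)."""


def _sign(ts, user_info, app_key):
    # same fields as the PHP: sha1(time . user_info . app_key)
    return hashlib.sha1(f"{ts}{user_info}{app_key}".encode()).hexdigest()


def generate_access_token(user_info, app_key, app_id, ts=None):
    """Build a fresh token for one request. Fields travel as a JSON array instead
    of a comma-joined string, so a comma inside user_info cannot shift the field
    boundaries when the token is parsed."""
    ts = int(time.time()) if ts is None else ts
    payload = json.dumps([ts, user_info, app_id, _sign(ts, user_info, app_key)])
    return base64.b64encode(payload.encode()).decode()


def analysis_access_token(access_token, now=None, table=THIRD_PLATFORM_APP_KEY):
    """Mirror of the PHP parser: check the time window, look up the key by the
    exposed app_id, recompute the signature and compare it in constant time."""
    now = int(time.time()) if now is None else now
    try:
        ts, user_info, app_id, sign = json.loads(base64.b64decode(access_token))
    except (ValueError, TypeError):  # bad base64, bad JSON or wrong field count
        raise TokenError("Access Token malformed! token=" + access_token)
    if not (isinstance(ts, int) and isinstance(user_info, str)
            and isinstance(app_id, int) and isinstance(sign, str)):
        raise TokenError("Access Token malformed! token=" + access_token)
    if ts < now - TIME_WINDOW or ts > now + TIME_WINDOW:
        raise TokenError("Access Token expire! token=" + access_token)
    app_key = table.get(app_id)
    if app_key is None:
        raise TokenError("Access Token App id error! token=" + access_token)
    if not hmac.compare_digest(_sign(ts, user_info, app_key), sign):
        raise TokenError("Access Token Sign error! token=" + access_token)
    return {"access_token": access_token, "user_info": user_info,
            "time": ts, "app_id": app_id}
```

Because the signature covers the timestamp, a token cannot be reused outside the window, and because it covers user_info, the caller cannot change that field without the app_key; the structured encoding means a user_info value such as `uid=7,role=admin` round-trips intact instead of being split into extra fields.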

In addition, to strengthen the integrity of API requests, we also sort the request fields and verify a digest of the request content. (For more information, see https://open.taobao.com/docV2.htm?docId=101617&docType=1)
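The field-sorting and digest check just mentioned, as an added Python example that is not the article's code and not a copy of the linked Taobao scheme: the request fields are sorted by name, canonicalised as URL-encoded pairs, and digested together with the app secret, so the same request signs identically whatever order the fields arrive in, while any altered field breaks the digest. The field names, the HMAC-SHA256 digest and the secret are assumptions chosen for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Added example of request-content integrity. Field names, the HMAC-SHA256
# digest and the secret are assumptions, not taken from the article or the
# Taobao documentation it links to.


def canonical_string(params):
    """Sorted, URL-encoded key=value pairs joined with '&'; the 'sign' field itself
    is excluded. Encoding each pair keeps {'ab': 'c'} and {'a': 'bc'} distinct,
    which a bare key+value concatenation would not."""
    return urlencode(sorted((k, v) for k, v in params.items() if k != "sign"))


def sign_request(params, app_secret):
    """Digest of the canonical string under the shared app secret."""
    return hmac.new(app_secret.encode(), canonical_string(params).encode(),
                    hashlib.sha256).hexdigest()


def verify_request(params, app_secret):
    """True only when the received 'sign' matches the digest of all other fields."""
    sign = params.get("sign")
    if not isinstance(sign, str):
        return False
    return hmac.compare_digest(sign, sign_request(params, app_secret))
```

The separator-free concatenation many sorted-field schemes use is the edge case worth checking: with keys and values simply glued together, two different requests can produce the same string, which is why this example encodes each pair.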

The above is what Token design in API interface design looks like. Have you learned any knowledge or skills from it? If you want to learn more skills or enrich your knowledge, you are welcome to follow the industry information channel.
