Go Rest API on GAE

Question


I'm pretty new to Go and I want to build a CRUD REST API on GAE without views, just a simple JSON REST API.

There are a lot of frameworks out there,
go-http-routing-benchmark.

But I'm not sure which one will be most suitable for GAE.

My main concern is how to handle a safe and secure session.

Answer 1

Score: 2


As mentioned in a comment, you can start with the Go standard library, and only utilize 3rd party libs if you reach a point when the standard library is not sufficient for you (which point you may never reach).

If your clients are not browsers (you said you don't want any views) but any other arbitrary HTTP clients, an HTTP session may not be what you want. An HTTP session is usually managed by storing a session ID in an HTTP cookie which is automatically sent by the browser along with each HTTP request, and at the server side this session ID is read and an associated, server-side data structure is looked up by it.

A common solution is to use some kind of secret information referred to as a key or API key. The idea is that if you want to grant access to someone, you generate a secret key (e.g. a random text) at server side which you store in the database. You send this key to the client who has to attach this to every API request he makes. At server side in the beginning of each API request you can check if the provided API key is valid (this also identifies the caller) and act accordingly.

The API key can be sent in various ways by the clients, e.g. as a URL parameter (strongly not recommended for insecure HTTP requests but perfectly fine for HTTPS requests), as an HTTP header field or as part of the request data structure. It is really up to you how you expect it; it usually depends on what the requests look like (e.g. if they don't include any data, it's better to put the key in a header or URL parameter; if the clients are expected to send other, complex data which can be in the form of JSON text, it can be convenient to also include the API key in the JSON data).

huangapple
  • Posted on 2015-03-01 16:52:56
  • Original link: https://go.coder-hub.com/28791692.html
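The API-key scheme the answer describes (generate a random secret on the server, store it, have the client attach it to every request, check it at the start of each request) written out with only the Go standard library. This is an added example, not code from the question, the answer or any GAE sample: the `X-API-Key` header name, the `keyStore` type and the `/whoami` handler are assumptions made for the example, and the key store is an in-memory map standing in for the datastore. The example goes slightly beyond the answer in one respect: it stores the SHA-256 hash of each issued key rather than the key itself, so a leaked database does not hand out working keys, and the map lookup on a hash cannot leak anything about the plaintext key through comparison timing.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// keyStore stands in for the database the answer mentions. It maps the
// SHA-256 hash of an issued key to the caller that key identifies, so the
// plaintext key never sits at rest on the server.
type keyStore struct {
	byHash map[[32]byte]string
}

func newKeyStore() *keyStore { return &keyStore{byHash: map[[32]byte]string{}} }

// issueKey generates a 256-bit random key for caller (the "random text" of
// the answer, drawn from crypto/rand), records its hash and returns the
// plaintext once so it can be handed to the client out of band.
func (s *keyStore) issueKey(caller string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	key := hex.EncodeToString(raw)
	s.byHash[sha256.Sum256([]byte(key))] = caller
	return key, nil
}

// lookup hashes the presented key and returns the caller it was issued to,
// or "" when no such key exists. Hashing first means the lookup itself
// reveals nothing about the plaintext key.
func (s *keyStore) lookup(key string) string {
	return s.byHash[sha256.Sum256([]byte(key))]
}

// requireAPIKey is the per-request check from the answer: it rejects the
// request with 401 unless the X-API-Key header (assumed name) carries an
// issued key, and otherwise passes the identified caller to next.
func requireAPIKey(store *keyStore, next func(http.ResponseWriter, *http.Request, string)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		caller := ""
		if key := r.Header.Get("X-API-Key"); key != "" {
			caller = store.lookup(key)
		}
		if caller == "" {
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusUnauthorized)
			json.NewEncoder(w).Encode(map[string]string{"error": "missing or invalid API key"})
			return
		}
		next(w, r, caller)
	}
}

// whoAmI is a minimal JSON endpoint that only runs for authenticated callers.
func whoAmI(w http.ResponseWriter, _ *http.Request, caller string) {
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]string{"caller": caller})
}

// statusFor drives the protected handler in-process (no network) with the
// given key and returns the resulting HTTP status code.
func statusFor(store *keyStore, key string) int {
	req := httptest.NewRequest(http.MethodGet, "/whoami", nil)
	if key != "" {
		req.Header.Set("X-API-Key", key)
	}
	rec := httptest.NewRecorder()
	requireAPIKey(store, whoAmI)(rec, req)
	return rec.Code
}

func main() {
	store := newKeyStore()
	key, err := store.issueKey("client-42") // constructed caller name
	if err != nil {
		panic(err)
	}
	fmt.Println("issued key (send to the client once):", key)
	fmt.Println("valid key   ->", statusFor(store, key))       // 200
	fmt.Println("missing key ->", statusFor(store, ""))        // 401
	fmt.Println("wrong key   ->", statusFor(store, "not-a-key")) // 401
	// On GAE the handler is registered rather than served manually, e.g.
	// http.HandleFunc("/whoami", requireAPIKey(store, whoAmI)) in init().
}
```

The header is the right carrier here because, as the answer notes, a key in a URL parameter ends up in access logs and referrers; over HTTPS the header travels encrypted. Because the store only keeps hashes, the plaintext key exists on the server for the single moment `issueKey` returns it.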