I'm currently building a Google Cloud Endpoints backend with the endpoints-proto-datastore library, and am running into trouble requiring an apikey when you request a user. Once a user logs in, they receive an API key which they send back for successive puts (which works), but how do I require the username/email and apikey on a GET? Currently if a user does a get like so:
@User.method(request_fields=('id', 'apiToken',), path='users', http_method='GET', name='user.get')
def user_get(self, query):
    return query
The user is pulled from the datastore because the ID is correct, and it completely ignores the apiToken. How do I require both fields? (on a different note, how do I send back the user's ID on a request?)
2 solutions
#1
1
If you are implementing your own API key scheme, as your code suggests, then you need to manually check if the API key is valid or not yourself.
Your example looks like the one from the 'basic' example, and you've added parameters as per the 'simple_get' example. For some background, the docs in the 'simple_get' example mention that 'id' is one of five special helper properties automatically defined by EndpointsModel for common operations like retrieving by id. This is why your code works automatically without you doing anything 'special' with the 'id' parameter. The example still checks though that the entity exists if you try to get it:
if not my_model.from_datastore:
    raise endpoints.NotFoundException('MyModel not found.')
Since there's no special helper property for your 'apiKey' field, you need to add your own code in the method to check if the key is valid and return a 401 or suitable error if it's not. Another option is to also utilize some of Google's built-in authentication as per the 'basic_with_auth' example.
Finally, since endpoints-proto-datastore is just syntactic sugar for the main endpoints library, you'll want to read the full documentation on that for more information on things like how to return values from your endpoints methods.
#2
1
The easiest way I found to do this is:
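# Needs: import endpoints; from google.appengine.ext import ndb
@User.method(request_fields=('id', 'apiToken',), path='users', http_method='GET', name='user.get')
def user_get(self, user_model):
    # Load the stored entity by id; get() returns None for an unknown id.
    user = ndb.Key('User', int(user_model.id)).get()
    # Refuse when the user is missing, has no stored token, or the token differs.
    if user is None or not user.apiToken or user.apiToken != user_model.apiToken:
        raise endpoints.UnauthorizedException('You are not authorized to view this data')
    return user.clean()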
The user_model will have the userId and the apiToken stored in it, so I pull the "real" data from ndb with the key, check if the user_model has the correct token, and return the model if it is correct; if not, I refuse.
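An added example, not part of either answer or of the library: the same id-plus-token check as a plain-Python function, with a dict standing in for the datastore and a local Unauthorized class standing in for endpoints.UnauthorizedException (both constructed here). It goes a little beyond the answers by comparing tokens in constant time, refusing unknown ids and empty tokens with the same error, and returning the user's id without echoing the token.

```python
import hmac

# Constructed stand-in for the datastore: id -> stored user record.
USERS = {
    1: {"email": "alice@example.com", "apiToken": "3f9c1e0a7b"},
    2: {"email": "bob@example.com", "apiToken": None},  # never logged in
}


class Unauthorized(Exception):
    """Stand-in for endpoints.UnauthorizedException (HTTP 401)."""


def token_matches(stored, supplied):
    """True only if both tokens are present and equal (constant-time compare)."""
    if not stored or not supplied:
        return False  # None == None must never count as a match
    return hmac.compare_digest(stored.encode("utf-8"), supplied.encode("utf-8"))


def get_user(user_id, api_token):
    """Return the user's public fields, or raise Unauthorized.

    Unknown id, missing token and wrong token all produce the same error,
    so the response does not reveal which ids exist.
    """
    try:
        record = USERS.get(int(user_id))
    except (TypeError, ValueError):
        record = None
    if record is None or not token_matches(record["apiToken"], api_token):
        raise Unauthorized("You are not authorized to view this data")
    # Send the id back to the caller; the token itself is not echoed.
    return {"id": int(user_id), "email": record["email"]}


def try_get(user_id, api_token):
    """Convenience wrapper: the user dict on success, None when refused."""
    try:
        return get_user(user_id, api_token)
    except Unauthorized:
        return None


if __name__ == "__main__":
    for uid, tok in [(1, "3f9c1e0a7b"), (1, "wrong"), (2, None), (99, "3f9c1e0a7b")]:
        print(uid, tok, "->", try_get(uid, tok))
```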