Username and Passwords
This is the most common method of identifying users in the age of Software as a Service (SaaS).
Explanation of the steps in the figure above:
1. Login Request (client to API server):
    POST /login
    postuser = {
        username: 'users',
        password: 'pws'
    }
2. Find user (API server to database; the username is passed as a bound parameter, not spliced into the query, and the column name is unquoted so it is not compared as a string literal):
    SELECT * FROM database_example
    WHERE username = :username        -- bound to postuser.username
3. Return to API server:
    dbuser = {
        username: 'users',
        userdata: 'users_data',
        password: 'pws'
    }
4. Compare password (as drawn in the figure, a direct comparison of the submitted value with the stored one):
    postuser.password == dbuser.password
5. Return response:
    # if passwords match
    Response 200 status code
    # if passwords don't match
    Response 401 status code
HTTP Status Codes
- 401 Unauthorized: The client must pass authentication before access to this resource is granted. The server cannot validate the identity of the requesting party.
- 403 Forbidden: The client does not have permission to access the resource. Unlike 401, the server knows who is making the request, but that requesting party has no authorization to access the resource.
Even though passwords are by far the most common way of authenticating, they come with a load of problems. Some issues with passwords are outside of our control as developers. Many issues come from user behavior that developers cannot directly influence, such as:
- Users forget their passwords
- Users use simple passwords
- Users use common passwords
- Users repeat passwords
- Users share passwords
In contrast, some issues are within our control as developers:
- Stored passwords can be compromised (for example, if they are kept in plaintext)
- Developers can check passwords incorrectly
- Developers can cut corners
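The login flow above and the developer-controlled pitfalls listed here, worked through as an added example (not code from the original notes). It uses an in-memory SQLite table as a stand-in for `database_example`, with constructed users; the column names `salt`, `pw_hash` and `role`, the helper names, and the role-based resource check are assumptions introduced for the illustration. The flow is the same four steps as the figure, but the "Find user" query is parameterized, the stored password is a salted PBKDF2 hash rather than plaintext, and the comparison is constant-time. A deliberately wrong lookup (`naive_find_user`) reproduces the quoted-column mistake from the original query so the failure mode is visible, and `access_resource` shows the 401 versus 403 distinction from the status-code section.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory stand-in for the page's "database_example" table.
# Column names other than username/userdata are assumptions for this example.
COLUMNS = ("username", "userdata", "salt", "pw_hash", "role")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE database_example ("
        "username TEXT PRIMARY KEY, userdata TEXT, salt BLOB, pw_hash BLOB, role TEXT)"
    )
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked table does not reveal passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register(conn: sqlite3.Connection, username: str, password: str,
             userdata: str, role: str = "user") -> None:
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO database_example VALUES (?, ?, ?, ?, ?)",
        (username, userdata, salt, hash_password(password, salt), role),
    )


def find_user(conn: sqlite3.Connection, username: str):
    # Step 2 of the flow: column name unquoted, value bound as a parameter.
    row = conn.execute(
        "SELECT username, userdata, salt, pw_hash, role "
        "FROM database_example WHERE username = ?",
        (username,),
    ).fetchone()
    return None if row is None else dict(zip(COLUMNS, row))


def naive_find_user(conn: sqlite3.Connection, username: str):
    # The mistake from the original query: 'username' in quotes is a string
    # literal, so this compares the text "username" with the submitted value
    # and never matches a real account.
    row = conn.execute(
        "SELECT username, userdata, salt, pw_hash, role "
        "FROM database_example WHERE 'username' = ?",
        (username,),
    ).fetchone()
    return None if row is None else dict(zip(COLUMNS, row))


def login(conn: sqlite3.Connection, postuser: dict) -> int:
    # Steps 1-5: look up the user, verify the password, return a status code.
    dbuser = find_user(conn, postuser["username"])
    if dbuser is None:
        # Hash anyway so an unknown username takes as long as a wrong password.
        hash_password(postuser["password"], b"\x00" * 16)
        return 401
    candidate = hash_password(postuser["password"], dbuser["salt"])
    # Step 4 done correctly: compare hashes in constant time, not plaintext with ==.
    if hmac.compare_digest(candidate, dbuser["pw_hash"]):
        return 200
    return 401


def access_resource(conn: sqlite3.Connection, session_user, required_role: str) -> int:
    # 401: no verified identity.  403: identity known, but not authorized.
    if session_user is None:
        return 401
    dbuser = find_user(conn, session_user)
    if dbuser is None:
        return 401
    if dbuser["role"] != required_role:
        return 403
    return 200


if __name__ == "__main__":
    db = make_db()
    register(db, "users", "pws", "users_data")  # constructed sample account
    print(login(db, {"username": "users", "password": "pws"}))    # 200
    print(login(db, {"username": "users", "password": "wrong"}))  # 401
    print(naive_find_user(db, "users"))                           # None
    print(access_resource(db, "users", "admin"))                  # 403
```

The hashing-on-miss branch in `login` keeps the response time for an unknown username close to that for a wrong password, so the status code alone is what the client learns in both cases.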