Reference article: https: //blog.csdn.net/qq_33472765/article/details/81913627
Case 0000001
interface call request Description:
https request method: GET (using the https protocol)
CSRF = False
CSRF (Cross-Site Request Forgery Cross Station request forgery) question, get a request does not affect, post you need csrf certification
CSRF (cross-site request forgery)
CSRF English called cross Site request forgery
CSRF usually refers to a malicious attacker usurping the name of the user sending malicious requests, severe leakage of personal information hazard property security
@ http.route ( '/ FORUM / get_url_title', of the type = 'json', auth = "public", Methods = [ 'POST'], Website = True)
DEF get_url_title (Self, ** kwargs):
the try :
REQ = requests.get (kwargs.get ( 'URL'))
req.raise_for_status ()
Arch = lxml.html.fromstring (req.content)
return arch.find ( ".// title") text.
the except IOError:
return False
Response data format: json
response data example:
{
"Data": ODOO_DATA
"Result": {
"other_field": []
"State": TRUE
}
}
each other by:
http://127.0.0.1:8069//forum/get_url_title json data transfer over:
II. case 2: send data to other systems [Executive function]
1. call service interfaces to other systems do:
case 0002: query data case:
step 1: make a unified login function: a: username , b: password, c: key automatically generated key []
step 2: incoming query parameters: service call interface function executes the query: [defined the format of the data returned from the server json]
step 3: good query data analysis: in the present system re_data = json.dumps (test_data) is stored
"" "
#rest with SOAP and XML-RPC
specific description:
"" "API interface development Summary:
What is the interface
the interface is nothing more than the client interface address your request and pass a bunch of the interface defined parameters, through the interface of its own logic, a good agreement to return the interface data and the corresponding data format of
how interface development
interfaces due to the nature itself, due to the butt and partner data, the following points need attention during development:
define the interface to the Senate: Writing an interface document
defines the interface returns the data type: generally packaged as required a format, determine the return xml json or other packet
# a, where 1: receiving transmitted data coming from other systems: general data format with http format json form
1. GET, POST, PUT, DELETE request these types mode
request mode may be said to be an operation, data transmission, we usually form in the web are GET, POST two kinds, in HTTP, the presence of these types of hair.
the GET (selection): obtaining from the server a particular resource or a resource list.
POST (create): Creates a new resource on the server.
PUT (update): the whole One way to update the resource on the server
PATCH (update): update only one attribute of a resource on the server.
DELETE (delete): deletes a resource on the server.
Hash get a resource meta-data, such as data: HEAD value or last updated.
the OPTIONS:. get information about what the client can do operations on resources
common request parameters
such as in too much data, the need for data paging request, we should be unified API request parameters are common. these.
limit specified number of records returned = 10
offset = 10 returns the specified recording start position.
page = 2 & per_page = 100 is specified, and the number of records per the first few pages.
sortby = name & order = asc specified return results sorted according to the sort order and which property.
animal_type_id = 1 specified filters
3.json data type
interface generally JSON format data transmission, however, be noted that the value of JSON only six data types:
Number The: integer or floating point number
String: String
Boolean: or true to false
the array: an array enclosed in square brackets []
Object: Object contained in curly braces} {
null: empty type
4. return data structure
the data structure returned by the server, typically:
{
code: 0,
Message: " S ",
Data: {key1: VALUE1, key2: value2, ...}
}
code: return code, 0 on success, nonzero various errors
when success", error description, when success: message " is error
data: data returned success, or an array of objects of the type
Define different needs of different error return code belongs Error and server clients have to distinguish, for example, 1XX represents a client error, 2XX represents the server-side error. Here are some examples:
0: Success
100: Request Error
101: Missing AppKey
102: missing signatures
103: Missing parameter
200: Server Error
201: Service Unavailable
202: The server is restarted
5. SSL (https) to provide the URL
is first , it may be a multi-layer encrypted using https packets when crawled. APP use environment we are now mostly in the router WIFI environment, once the router been hacked, the hacker can easily crawl to the user through the router data transmission, if you are using unencrypted http, then the hacker can easily user access to information, and even account information.
Secondly, even if the use https, but also in the design of API data transfer, correct encryption. For example, directly to the token information in the URL of the practice, even if you use https, hackers can not find your specific data transmission, but can be caught URL you requested ah! (Check the information of, https using GET method request, it can only caught part of the domain name characters, the requested data can not be caught,
but the URL can be seen directly in the browser or special client tools. Thanks for following error correction friend ) Thus, when using the https request, to use the POST, or PUT HEAD way transmission of necessary data.
6.TOKEN
Now, most have adopted App interface RESTful architecture, RESTFul of the most important design principle is that the client and server interaction between a request is stateless, that is, when it comes to user state, each request should be put on the authentication information. The realization, most have adopted authentication token, the general process is:
After a successful user login password, the server returns a token to the client;
the client will be token stored locally initiated subsequent related requests, the token is sent back to server;
the validity of the server checks the token, the effective return of the data, if valid, are two cases:
token error, then requires the user to log in again for the correct token
token expires, then the client needs to re-launch a certification request, get a new token
, however, there is a security problem with this authentication method: when the login interface is hijacked, hackers get into the user's password and token, you can follow-up to the user to do anything. Only users modify the password to regain control.
How to optimize it? The first solution is to use HTTPS. HTTPS HTTP on the basis of adding the SSL security protocol, the data is automatically compressed encrypted, some programs can prevent monitor, prevent hijacking, prevent retransmission, security can improve a lot. However, SSL is not absolutely safe, there could be hijacked. In addition, the server is configured for HTTPS is relatively little complicated, but also need to apply for CA certificate, but in general or for a fee. Moreover, HTTPS efficiency is relatively low. Generally, only the higher security requirements of the system will adopt HTTPS, such as banks. Most of the safety requirements and is not so high in the App or the use of HTTP.
Our current practice is to add a signature to each interface. Client is assigned to a key, each time a request interface, all parameters and key combination of the source string to generate a signature value according to the signature algorithm, the signature is transmitted together with a request to send authentication server. Similar reference signature algorithm can achieve the OAuth1.0. In this way, hackers do not know the key, do not know the signature algorithm, even if the interception to the login interface to subsequent requests can not be a successful operation. However, because the signature algorithm is relatively cumbersome and prone to error, only for the internal interface. If you belong to an open interface API, is less suited to this way of signature verification, it was suggested to use the authentication mechanism OAuth2.0.
We assign to each end of a AppKey, such as Android, iOS, three-terminal micro-channel, each end respectively assigned a key and a AppKey. The request will not pass appKey error, passed the wrong appKey request will be given. Thus, the safety and adds a layer of defense, but also convenient to do something different treatment strategies for different ends.
In addition, more and more App canceled the password, and use the phone number + login verification code SMS, I also used this login in the current project. This login has several advantages:
no registration, no need to modify the password, do not need to forget the password to reset the password of the operation;
users no longer need to remember your password, the password is not afraid of leakage problem;
relative password security to its significantly increased.
7. The user design
explicit and implicit user user, I do not know whether these two words with exact.
Explicitly refers to the user, APP program users system, a username, password correct legitimate users, called explicit user,
usually explicit user need to register, log in later to complete some personal related operations.
Implicitly refers to the user, APP program itself without the user system, or in the absence of a login, use our APP's users.
In this case, a user may be identified by the client UDID generated.
With user information, we will be able to understand the different user habits, rather than an overall statistics for all users,
then these individuals with information, users can do some clustering, things like personalized recommendations .
If SAAS version, also need to distinguish between different business users
8. good interface documentation and testing program
interface documentation sometimes early in the project to settle down, the front and rear ends of the developer according to the interface specification development,
some interface development after the completion of writing .
Interface document to be clear and precise, the number of interfaces comprising, address, per interface, the request method, a data exchange format, so the return value to write clearly.
Interface testing procedures, able to do so, you can provide, the front and rear ends to facilitate debugging.
If springMVC development, you can use swagger, the back end just add a few comments send a url to the front end on it, easy and efficient.
9. Interface statistics
on the PC side to do the site, we will add to our site statistical functions, or write your own statistical systems, or use a third party such as GA, Baidu and so on.
Mobile end interface (API) will need to achieve our own statistical functions,
then you need to collect as much information about our clients, in addition to the traditional IP, User-Agent, we should also collected some mobile-related information,
such as
mobile phone operating system is android or ios, what are the version,
the user's network status is 2G, 3G, 4G or WIFI
client APP what version information.
This helps us to better understand our user's