[WordPress plugin] API Bearer Auth

WordPress plugin article, published 2020-02-19 18:20

Description

The API Bearer Auth plugin enables authentication for the REST API by using JWT access and refresh tokens. After the user logs in, the access and refresh tokens are returned and can be used for the next requests. Issued tokens can be revoked from within the users admin screen. See below for the endpoints.

Note that after activating this plugin, all REST API endpoints will need to be authenticated, unless the endpoint is whitelisted in the api_bearer_auth_unauthenticated_urls filter (see FAQ for how to use this filter).

JWT

Access tokens can be formatted as JWT tokens. For this to work, you first have to create a secret and add it to the wp-config.php file. If you don't do this, access tokens will still work, but are just random strings.

To create a random secret key, you can do for example:

  base64_encode(openssl_random_pseudo_bytes(64));

And then add the result to wp-config (replacing 'mysecretkey' with the generated value):

  define('API_BEARER_JWT_SECRET', 'mysecretkey');

If you have problems, you can verify your JWT tokens at: https://jwt.io/
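Added example, not from the plugin or this page: an offline check of an access token against the wp-config secret, the kind of validation a gateway or a test harness does instead of pasting tokens into jwt.io. It assumes the plugin signs tokens as HS256 over API_BEARER_JWT_SECRET (the page does not name the algorithm) and uses a placeholder secret; mint_hs256 only produces a constructed sample token for exercising the verifier.

```python
import base64, hashlib, hmac, json, time

# Placeholder: the real value is whatever you defined as API_BEARER_JWT_SECRET in wp-config.php.
SECRET = "replace-with-your-API_BEARER_JWT_SECRET"

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_hs256(token, secret, now=None):
    """Return the claims of an HS256 JWT signed with `secret`, or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token must not choose it ("alg": "none" or key-confusion swaps).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode()
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check leaks no timing information.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims

def is_valid(token, secret, now=None):
    """Boolean convenience wrapper around verify_hs256."""
    try:
        verify_hs256(token, secret, now)
        return True
    except ValueError:  # covers bad base64, bad JSON, bad alg, bad signature, expiry
        return False

def mint_hs256(claims, secret):
    """Constructed sample token for exercising the verifier; the plugin issues the real ones."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    return header_b64 + "." + payload_b64 + "." + b64url_encode(sig)
```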


Revoke tokens

This plugin adds a column to the users table in the admin where you can see when a token expires. You can also revoke tokens by selecting "Revoke API tokens" from the bulk actions select box.

API endpoints

Note that all endpoints expect JSON in the POST body.

Login

Endpoint:

  POST /api-bearer-auth/v1/login

Request body:

  {"username": "my_username", "password": "my_password"}

Response:

  {
    "wp_user": {
      "data": {
        "ID": 1,
        "user_login": "your_user_login",
        // other default WordPress user fields
      }
    },
    "access_token": "your_access_token",
    "expires_in": 86400, // number of seconds
    "refresh_token": "your_refresh_token"
  }

Make sure to save the access and refresh token!

Refresh access token

Endpoint:

  POST /api-bearer-auth/v1/tokens/refresh

Request body:

  {"token": "your_refresh_token"}

Response success:

  {
    "access_token": "your_new_access_token",
    "expires_in": 86400
  }

Response when sending a wrong refresh token is a 401:

  {
    "code": "api_api_bearer_auth_error_invalid_token",
    "message": "Invalid token.",
    "data": {
      "status": 401
    }
  }

Do a request

After you have the access token, you can make requests to authenticated endpoints with an Authorization header like this:

  Authorization: Bearer your_access_token

Note that Apache sometimes strips out the Authorization header. If this is the case, make sure to add this to the .htaccess file:

  RewriteCond %{HTTP:Authorization} ^(.*)
  # Don't know why, but some need the line below instead of the RewriteRule line
  # SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
  RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]

If you are not logged in or you send an invalid access token, you get a 401 response:

  {
    "code": "api_bearer_auth_not_logged_in",
    "message": "You are not logged in.",
    "data": {
      "status": 401
    }
  }
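As an added example (not the plugin's code), the whole exchange above in Python: a small client that logs in, keeps both tokens, sends the Authorization header, and on the documented api_bearer_auth_not_logged_in 401 refreshes once and retries. The WordPress side is a constructed stand-in that replays the responses shown on this page; `transport` is the injection point where a real HTTP client would go, and the token and user values are constructed.

```python
LOGIN, REFRESH = "/api-bearer-auth/v1/login", "/api-bearer-auth/v1/tokens/refresh"
class ApiBearerAuthClient:  # transport(method, path, headers, json_body) -> (status, json_dict)
    def __init__(self, transport):
        self.transport = transport
        self.access_token = self.refresh_token = None

    def login(self, username, password):
        status, body = self.transport("POST", LOGIN, {}, {"username": username, "password": password})
        if status != 200:
            raise RuntimeError("login failed: %s" % body.get("code", status))
        # Keep both: only the refresh token can obtain a new access token without re-sending the password.
        self.access_token, self.refresh_token = body["access_token"], body["refresh_token"]
        return body["wp_user"]["data"]["ID"]

    def refresh(self):
        status, body = self.transport("POST", REFRESH, {}, {"token": self.refresh_token})
        if status != 200:  # api_api_bearer_auth_error_invalid_token: refresh token revoked or bad, log in again
            raise PermissionError(body.get("code", status))
        self.access_token = body["access_token"]

    def request(self, method, path, body=None):
        headers = {"Authorization": "Bearer " + self.access_token}
        status, resp = self.transport(method, path, headers, body)
        if status == 401 and resp.get("code") == "api_bearer_auth_not_logged_in":
            self.refresh()  # access token rejected: refresh once and retry, never loop
            headers["Authorization"] = "Bearer " + self.access_token
            status, resp = self.transport(method, path, headers, body)
        return status, resp

def fake_wordpress(live_tokens):  # constructed server stand-in replaying the responses shown on this page
    def transport(method, path, headers, body):
        if path == LOGIN and body == {"username": "my_username", "password": "my_password"}:
            live_tokens.add("access1")
            return 200, {"wp_user": {"data": {"ID": 1, "user_login": "my_username"}}, "access_token": "access1", "expires_in": 86400, "refresh_token": "refresh1"}
        if path == REFRESH:
            if body.get("token") != "refresh1":
                return 401, {"code": "api_api_bearer_auth_error_invalid_token", "message": "Invalid token.", "data": {"status": 401}}
            live_tokens.add("access2")
            return 200, {"access_token": "access2", "expires_in": 86400}
        if headers.get("Authorization", "")[len("Bearer "):] not in live_tokens:
            return 401, {"code": "api_bearer_auth_not_logged_in", "message": "You are not logged in.", "data": {"status": 401}}
        return 200, {"path": path}
    return transport

def demo():
    live = set()
    client = ApiBearerAuthClient(fake_wordpress(live))
    user_id = client.login("my_username", "my_password")
    live.discard("access1")  # simulate the first access token expiring on the server
    status, _ = client.request("GET", "/wp/v2/posts")  # 401 -> refresh -> retry
    return user_id, status, client.access_token
```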

Installation steps

    1. Upload the plugin files to the /wp-content/plugins/api-bearer-auth directory, or install the plugin through the WordPress plugins screen directly.
    2. If you want your access tokens to be formatted as JWT tokens, define a random string as an API_BEARER_JWT_SECRET define in your wp-config.php file.
    3. Activate the plugin through the 'Plugins' screen in WordPress.
    4. From now on, every REST API endpoint needs to be authenticated.

Download address
https://downloads.wordpress.org/plugin/api-bearer-auth.zip