kynx/api-key-generator 问题修复 & 功能扩展

解决BUG、新增功能、兼容多环境部署,快速响应你的开发需求

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

kynx/api-key-generator

Composer 安装命令:

composer require kynx/api-key-generator

包简介

Generate and parse well-formed API keys

README 文档

README

Build Status

Generate and parse well-formed API keys.

Introduction

API keys are a common way to authenticate users accessing an API. While there isn't a standard saying how they should be constructed, there are some best practices.

An API key should:

  • Be secure (OK, that's a little obvious...)
  • Not leak any details about the user identity it is tied to
  • Be easy to store securely and validate against a persistence layer
  • Be traceable in case some idiot checks one into VCS - for instance, using GitHub's Secret Scanning
  • Provide a way to quickly reject obviously malformed keys without hitting the persistence layer
  • Contain human-readable information so end users / support can easily see if they are using the right key
  • Be easy to copy-and-paste from a UI into the consuming application

This library helps with this, providing an ApiKeyGenerator for generating and parsing keys, and an ApiKey object for working with the keys themselves. It does not provide help with storing and verifying the keys - tha part is up to you.

Installation

composer require kynx/api-key-generator

Usage

Generating a key

use Kynx\ApiKey\KeyGenerator;

require 'vendor/autoload.php';

$generator = new KeyGenerator('xyz_sandbox');
$apiKey    = $generator->generate();
echo $apiKey->getKey() . "\n";

This will output something like:

xyz_sandbox_miWh6l3ftyzi9TRmpZeJ4nU3LpBF5T37FguT1p4y_dab13e9d

See the examples directory for code showing how to modify the key strength, change the characters used, etc.

Parsing a key

use Kynx\ApiKey\KeyGenerator;

require 'vendor/autoload.php';

$generator = new KeyGenerator('xyz_sandbox');
$apiKey    = $generator->parse('xyz_sandbox_miWh6l3ftyzi9TRmpZeJ4nU3LpBF5T37FguT1p4y_dab13e9d');
if ($apiKey === null) {
    echo "Invalid key!\n";
} else {
    echo "Identifier : " . $apiKey->getIdentifier() . "\n";
    echo "Secret     : " . $apiKey->getSecret() . "\n";
}

Since the key is well-formed, this will output:

Identifier : miWh6l3f
Secret     : tyzi9TRmpZeJ4nU3LpBF5T37FguT1p4y

Now make a random change to the key. The parse() method will return null and you will see theInvalid key! message.

Note: Just because a key is well-formed does not mean the user can be authenticated. It just means it looks like it was generated by you. You must still verify the key against your persistent storage.

Handling old keys

What happens if you change the prefix for your key, or want to increase the secret strength (see below)? You will want to issue all new keys with the updated settings, but will still need to parse old keys.

This is what the KeyGeneratorChain is for:

use Kynx\ApiKey\KeyGenerator;
use Kynx\ApiKey\KeyGeneratorChain;

require '../vendor/autoload.php';

$newPrefix = 'abc_sandbox';
$oldPrefix = 'xyz_sandbox';

$primary  = new KeyGenerator($newPrefix);
$fallback = new KeyGenerator($oldPrefix);
$chain    = new KeyGeneratorChain($primary, $fallback);

$oldKey = $chain->parse('xyz_sandbox_miWh6l3ftyzi9TRmpZeJ4nU3LpBF5T37FguT1p4y_dab13e9d');
if ($oldKey !== null) {
    echo "Old key parsed\n";
}

$newKey = $chain->parse('abc_sandbox_miWh6l3ftyzi9TRmpZeJ4nU3LpBF5T37FguT1p4y_dab13e9d');
if ($newKey !== null) {
    echo "New key parsed\n";
}

New keys will always be generated by the $primary KeyGenerator. When parsing, the $primary will be tried first. If it returns null, each of the $fallback KeyGenerators will be tried in turn, with the first successful parse result returned, or null if none match. See parse-chain for a more complete example.

API Key Structure

You will notice in the examples above that the generated key is composed of three parts separated by underscores. They are:

<prefix>_<identifier><secret>_<checksum>

Prefix

The prefix is always what you passed as the first argument passed to the KeyGenerator constructor. It is there to make your key easy to recognise, both to end users and to secret scanners that find leaked keys in the wild. In the examples we've used a company identifier (xyz) plus a string indicating whether it's for use in our production or sandbox environments. If you've ever integrated with Stripe you will be familiar with this pattern, but you are free to use whatever format makes sense.

Identifier

The identifier is a random string that can be used to look up the secret in a database. Store this un-hashed in a case-sensitive column (for example, VARBINARY in MySQL) and put a unique constraint on it. The generated identifiers are not guaranteed to be unique, so when inserting into the database your should be prepared to catch the constraint violation, generate a new key and re-try. See store-and-authenticate for an example.

Secret

The secret part provides the security. This must be hashed (using PHP's password_hash()) before storing. See the store-and-authenticate example code if you are unsure how to do this.

Checksum

Finally the checksum is a crc32b hash of the rest of the key. It is there to quickly filter out garbage hitting your API, without needing to bother your persistence layer. Just because it matches does not mean the user can be authenticated! You still need to check the identifier and secret against what you stored when the key was generated.

Defaults

By default the identifier is 8 characters long. With the default characters this gives pow(59, 8) - 1 combinations. Even with millions of keys in storage the risk of collisions is tiny. Given that API keys are only really suitable for organisation-level access control, this should be plenty. But if needed you can increase it.

By default the secret is 32 characters long. You can improve the security of your API by increasing this. See the generate-secure example.

By default the generated part of the key is composed of the characters [a-zA-Z0-9_]. You should ensure your prefix is too: this makes it easy to copy it from your key management console. Try double-clicking on xyz-sandbox_Pu!Lo&jP_N22/Oh5hz48h4.QM_e07f9ca3 to see what happens when other characters are present. If you want more entropy, make your secret longer.

Upgrading

1.x -> 2.x

In 1.x the default secret key length was 16 characters. Much as I hate BC breaks, this was too low for a library advocating best practice. In 2.x the default is 32 and the minimum is 24. I think it is better to fix this mistake early.

To upgrade without breaking existing keys you will need to use the KeyGeneratorChain along with a BC generator for parsing the old keys:

use Kynx\ApiKey\BcKeyGenerator;
use Kynx\ApiKey\KeyGenerator;
use Kynx\ApiKey\KeyGeneratorChain;

require 'vendor/autoload.php';

$primary  = new KeyGenerator('xyz_sandbox');
$fallback = new BcKeyGenerator('xyz_sandbox');
$chain    = new KeyGeneratorChain($primary, $fallback);

$newKey = $chain->generate(); // get a new 2.x key
$oldKey = $chain->parse('xyz_sandbox_PudLoQjP_N227Oh5hz48h4FQM_e07f9ca3'); // 1.x key still parsed

The BcKeyGenerator cannot be used for generating new keys, only for parsing old ones. It and the associated BcApiKey are deprecated will be dropped in version 3.x.

Further reading

kynx/api-key-generator 适用场景与选型建议

kynx/api-key-generator 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 3.55k 次下载、GitHub Stars 达 2, 最近一次更新时间为 2023 年 07 月 21 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「security」 「api」 「Authentication」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 kynx/api-key-generator 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 kynx/api-key-generator 我们能提供哪些服务?
定制开发 / 二次开发

基于 kynx/api-key-generator 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 3.55k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 2
  • 点击次数: 11
  • 依赖项目数: 1
  • 推荐数: 0

GitHub 信息

  • Stars: 2
  • Watchers: 1
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: BSD-3-Clause
  • 更新时间: 2023-07-21