. net webapi access authorization mechanism and process design (header token + redis)

background ：

1. Need to be in .net5 WebAPI Add access authorization mechanism to , That is, issue user credentials when logging in , Later, you need to access other interfaces through credentials , If the voucher is illegal , The interface cannot be accessed normally ;

2. Website embedded into winform The client , utilize winform You can get the client's mac Permission to address , take mac Address as part of permission , the mac Address and account are bound to realize that the account can only be used on the specified client computer ;

3. In order to prevent getting token Then use it on other clients , utilize IP binding token;

Realization ：

First, after successful login , Client side IP As encryption key,username（ Login account ）+guid+cpu The serial number encrypts the encrypted content , The encryption result is used as token The certificate is issued to the user ;

follow-up Api Access authorization filtering process ：

1.     Formal environment , First limit the source of the request , Such as http request header Medium referer, Check whether it is in the white list set by the system ; If not , Access denied ;

2.     secondly , stay header To take token, If you can't get it , Access denied ;

3.     Get the client IP, take IP Process as length 32 String （ Now it's time to get rid of non numbers , On the right 0 fill ）;

4.     take 32 Bit string as key Symmetric decryption token, If decryption fails, access is denied ;

5.     Decrypted string , The content format is ：username + "|" + guid+"|"+cpuid;guid As Redis Of key DE value , Can't get , Access denied ;

6.     from Redis Out of Value, The content format is ：username+"|"+keeplogin+"|"+cpuid;cpuid Is the name of the client where the account is logged in cpu Serial number

7.     use "_hw_" + username As key Go to Redis To take Value, If empty, access denied ;

8.     7 Taken in Value Bound for restricted account cpu Serial number , by ”all” Time means no limit , It can be accessed by the client at will ; Not for “all” when , Judge 7 in Value Does it include 6 in cpuid, If not included , Access denied ;

Visit the flowchart ：

Be careful ： The encryption method and content can be done according to the specific business restrictions , Here is just a list of boarding in winform Website in API Access authorization process ;