π A Simple API Gateway for Building Security and Flexible Microservices.
fomalhaut is an api gateway acts as the frontend and api router for numerous backend json api servers.
This project is still in development, api may change anytime. If you want to use it, fix what you need.
API is connected to the App and the server database of the bridges, in the App and various API after for these API management and protection brings a series of problems.For example:
Thus, it is with fomalhaut this project.
Supported Python versions: 2.7, 3.3, 3.4, 3.5, 3.6 pypy, pypy3
You need to install Redis first, the corresponding dependency package can be installed by the following command:
pip install -r requirements.txt
## Valid time of access signature, seconds
SIGNATURE_EXPIRE_SECONDS = 3600
HOST = '127.0.0.1'
PORT = 6500
# Is the debug mode
DEBUG = False
# Redis configuration
REDIS_HOST = '127.0.0.1'
REDIS_PORT = 6379
REDIS_DB = 0
REDIS_PASSWORD = 'your_password'
Run
python -m fomalhaut.runserver --port=6500
This is a gateway to the JSON API, which actually works regardless of what is being transferred behind the protected API, except that the gateway will return an error message to the JSON data if something goes wrong. In the design of the torngas middleware mode. Currently only the GET
and POST
methods are supported.
As with most cloud applications, each Client will be assigned a pair of access_key
and secret_key
.access_key
is used to uniquely identify the Client,secret_key
is used to perform HMAC signature and AES encryption.Both the URL of the API request and the Body data are signed by secret_key
, and the signature of the data is verified bidirectionally to ensure that the request and the returned data are not tampered with.The signature method uses the HMAC-SHA256.
In order to distinguish the gateway level when there is an error in the implementation of the return data, or behind the real API to provide services to return data, define a special status code 949
, if the status code is 949, then the gateway returns.
Although HTTPS is popular in most sites, but if you still can only use HTTP, or there is a middleman attack, there is a risk of data content leakage,thus providing AES encryption function, you can transfer data URL, Headers, Body are encrypted, AES encryption is optional.
There are cases where some APIs need to be logged in before they can be accessed, and others do not.fomalhaut has built-in Auth Endpoint (endpoint_name: auth, version: v1) and includes three APIs:
/auth/v1/login/
Login/auth/v1/token/refresh/
get new access_token
with `refresh_token'/auth/v1/token/alive/
check access_token
is valid/account/v1/logout/
logout/account/v1/password/change/
Change PasswordFor APIs that require login, you need to first access /auth/v1/login/
to get access_token
, the data returned is as follows:
{
"code": 200,
"msg": "",
"data": {
"access_token": "abcd",
"refersh_token": "efgh",
"expires_in": 168000,
"user_info": {
}
}
}
expires_in
: access_token
will expire after many secondsrefresh_token
: when access_token
expires, it is used to get the new access_token
user_info
: user information returned by the Auth API/auth/v1/login/
API will check whether the submitted login information is correct according to the configured Auth API, if the login is correct Auth API returns the user information.
/auth/v1/token/refresh/
API used to fetch new access_token
, submitted dataοΌ
{
"refersh_token": "efgh"
}
Later access requires login to access the API in the url with access_token, for example:
http://api.example.com/api-name/v1/?access_token=abcd
API Gateway will use this access_token
to verify the validity of the access_token
in redis when accessing the APIs that need to be logged in, and obtain the user's information.The user information is then stored in Headers and passed to the backend API with X-User-Json
.The data stored in this Header is base64 encoded data of the JSON string of user_info.
The built-in Endpoint needs to be configured in the console api-gateway-dashboard
To speed things up, the access logs generated by fomalhaut are temporarily stored in the list in Redis, and a Celery scheduled task is configured in the api-gateway-dashboard project that automatically migrates the access logs to MongoDB.Therefore, these Celery tasks must be run at the same time, in order to ensure the normal operation of fomalhaut.
For more information about how to run these Celery background tasks, see [api-gateway-dashboard] (https://github.com/restran/api-gateway-dashboard) of the relevant documents.
access_token
access_token
APIaccess_token
and refresh_token
to be invalidated