我正在构建一个全栈移动应用程序,使用 Appwrite 进行身份验证和后端服务。前端与一个自定义 API 网关通信,该网关将请求代理到各个微服务。
目前,我正在使用 Appwrite 的 account.createJWT() 来验证用户身份,但 JWT 令牌每 15 分钟就会过期一次。频繁刷新令牌对于我的应用程序来说不可扩展,尤其是在用户群增长的情况下。因此,我正在尝试使用会话验证来代替 JWT。
我面临的问题是:如何使用 Appwrite 会话正确地验证对 API 网关的前端请求?
环境详情:
Backend API gateway is built with FastAPI
Appwrite version: cloud
Frontend framework: React Native
我的问题是:
What is the correct way to validate Appwrite user sessions from a backend service (API gateway) without using the frontend SDKs?
Is it possible to securely authenticate frontend requests to a custom backend using only Appwrite sessions (without using short-lived JWTs)?
If not, what would be the best scalable approach for authenticating requests in this setup?
任何建议、推荐流程或示例都将不胜感激!
以下是我尝试过的方法:
I retrieve the user session on the frontend (account.get() gives me session info).
I send the session ID (or the Appwrite cookie) along with API requests to my gateway.
On the backend (in the API gateway), I try to validate the session by using the Appwrite Server SDK (account.getSession(sessionId)).
However, sometimes I get errors like:
Unauthorized: User is missing "account" scope.