Best practice for communication between app and server when using PhoneGap/Cordova

I'm working on a PhoneGap project using Ionic. It's basically a chat app, so I need the user to be able to register, log in and send messages using a backend API on my server. Naturally this needs to be secure, so I'm wondering what the best way to securely communicate with an API endpoint is when using AngularJS and PhoneGap.

Ideally, it should not require a server cert, as currently I don't have the funds to purchase one. In previous projects, I used a method where each account was assigned an ID, and a hash consisting of a secret + their ID, which had to be included with each request to ensure that the user couldn't forge requests from another ID; however, I don't know how secure this method is.

Any tips, suggestions or reading material would be really appreciated. I understand this question sounds subjective, so if possible please answer based on facts, security disclosures and any documentation on methods.

I know the solution to all your needs and it is called Firebase.

How your requirements will be met by Firebase:

  1. You are using Ionic to build your hybrid app (you are cool!) and that means AngularJS. Firebase has the perfect library called AngularFire, that uses AngularJS to interact with the Firebase servers.

  2. You are building a chat app, awesome! Firebase has real time syncing between your app and database. That is a lot of work saved for you by Firebase (Claps). You need to register users; Firebase has super easy user register management (both OAuth and manual registration).

  3. Security! It is super important and Firebase has you covered even here. Implementing user level security is super simple using some simple JSON format security rules. I will quote this from the site: "The safety and security of your data is our top priority. Firebase requires 2048-bit SSL encryption for all data transfer and allows you to restrict reading and writing via granular access controls and custom authentication. All data is replicated and backed up to multiple secure locations."

  4. It is free (up to some level. Do some research about it, I am not sure).

  5. Your basic id + hash security measure is not bad, but at the same time it is not perfect or dependable. Firebase has you covered here through simple login and read/write rules, as well as some closed-source security.
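
The ID + hash scheme from the question next to a per-request HMAC, as an added example that is not part of the original question or answer: the fixed hash verifies for any request body once it is known, while the signed form binds the body, a timestamp and a nonce. `SERVER_SECRET`, the field names and the five-minute window are assumptions; without TLS either form leaves message contents readable in transit, and the per-user key still needs a protected channel when it is issued at login.

```javascript
// Added example; SERVER_SECRET, field names and the time window are assumptions.
const crypto = require("crypto");

const SERVER_SECRET = "constructed-demo-secret"; // constructed; stays on the server
const MAX_SKEW_MS = 5 * 60 * 1000;               // assumed freshness window
const seenNonces = new Set();                    // in production: a store with expiry

const hmac = (key, msg) =>
  crypto.createHmac("sha256", key).update(msg).digest("hex");

// Scheme from the question: one fixed value per account, sent with every request.
const staticToken = (id) =>
  crypto.createHash("sha256").update(SERVER_SECRET + id).digest("hex");
const verifyStatic = (req) => req.token === staticToken(req.id);

// Per-request variant: the server derives a per-user key and issues it at login.
const userKey = (id) => hmac(SERVER_SECRET, "user:" + id);

// Unambiguous serialization of every field the signature must cover.
const canonical = (r) =>
  JSON.stringify([r.id, r.ts, r.nonce, r.method, r.path, r.body]);

// Client side: the app holds only its own key, never SERVER_SECRET.
const signRequest = (key, r) => ({ ...r, sig: hmac(key, canonical(r)) });

// Server side: recompute, compare in constant time, then check freshness and reuse.
function verifySigned(req, now = Date.now()) {
  const expected = Buffer.from(hmac(userKey(req.id), canonical(req)), "hex");
  const given = Buffer.from(String(req.sig), "hex");
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) return "bad-signature";
  if (Math.abs(now - req.ts) > MAX_SKEW_MS) return "stale";
  const nonceKey = req.id + ":" + req.nonce;
  if (seenNonces.has(nonceKey)) return "replayed";
  seenNonces.add(nonceKey);
  return "ok";
}
```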
