How to restrict API access to only authorized domains using Express.js?
I'm working on a layer of security for my Node.js/Express.js app where I would like to restrict access to an authlist (authorized list) of domains.
NB: The opposite of an authlist is a denylist.
The Rundown:
Project on my system.
Project is issued a Public Key and Secret Key that will be used to create signed requests.
Project will need to supply an authlist of domains that they'd like to be able to access the API for that given Project. This is done in the web-based console, not as part of every request.
req.get('origin') is used to determine the origin domain of the request.
The origin is checked against the authlist and either allowed or denied accordingly.
In Code:
var express = require('express');
var app = express();
app.post('/my-api-endpoint', function (req, res) {
  var originDomain = req.get('origin'); // e.g. https://mysite.com
  // Origin is then checked against the authlist array of domains
});
The Questions
The best way to accomplish what you are looking for is to forget domains altogether and optionally allow the whitelisting of IP ranges. With that said, some of the biggest APIs in the world do not even use this security layer (i.e. eBay, Amazon's Marketplace, etc...).
In the interest of addressing the extra paranoia though, you could have your clients set up subnets to launch their autoscaling servers into, which would give them a static range of IPs to whitelist. Then only servers inside this IP range would be given permission to access your endpoints.
Here is a question on AWS that explains a tad more about that: https://forums.aws.amazon.com/thread.jspa?threadID=233469
It is possible to use the middleware feature to do something like what you did in the question example, but Origin, as far as I know, is something only browsers send, so it's possible to use a proxy to mask it and easily pass through this kind of filter.
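The origin check sketched in the question, with this answer's caveat built in, as an added example (not code from the question or either answer). Express middleware is just a (req, res, next) function, so the file runs without express installed; the X-Project-Key header, the lookup function and the sample allowlists are assumptions.

```javascript
// Constructed sample data: allowed origins per project, keyed by Public Key (hypothetical).
const PROJECTS = {
  pk_demo_1: { allowlist: ['https://mysite.com', 'https://app.mysite.com'] },
  pk_demo_2: { allowlist: ['http://localhost:3000'] },
};

// Reduce an Origin header to scheme://host[:port] (host lower-cased, default port
// dropped); null if it is missing, opaque ("null") or carries a path, query or fragment.
function normalizeOrigin(origin) {
  if (typeof origin !== 'string') return null;
  try {
    const u = new URL(origin);
    if (u.pathname !== '/' || u.search || u.hash || u.origin === 'null') return null;
    return u.origin;
  } catch (e) {
    return null;
  }
}

// Whole-origin equality only: a substring or suffix test would accept
// "https://mysite.com.evil.example" for an allowlist entry of "mysite.com".
function originAllowed(origin, allowlist) {
  const o = normalizeOrigin(origin);
  return o !== null && allowlist.some((entry) => normalizeOrigin(entry) === o);
}

// Middleware factory: identify the project (hypothetical X-Project-Key header), then
// check Origin against its allowlist. Browsers set Origin; any other client can omit
// or forge it, so this is a CORS-style control, not a substitute for signature checks.
function originAllowlist(lookupProject) {
  return function (req, res, next) {
    const project = lookupProject(req.get('x-project-key'));
    if (!project) return res.status(401).json({ error: 'unknown project' });
    if (!originAllowed(req.get('origin'), project.allowlist)) {
      return res.status(403).json({ error: 'origin not allowed' });
    }
    return next();
  };
}

// Drive the middleware with fake req/res objects (no express needed): returns the
// status code sent, or 'next' when the request was passed through.
function simulate(mw, headers) {
  let result = 'next';
  const req = { get: (name) => headers[name.toLowerCase()] };
  const res = { status(code) { result = code; return this; }, json() { return this; } };
  mw(req, res, () => {});
  return result;
}
const checkOrigin = originAllowlist((key) => PROJECTS[key]);
```

Mount it with `app.use(checkOrigin)` (or per route) ahead of the signed-request verification, since a passing Origin only says a browser was pointed at an allowed page, not that the caller holds the Secret Key.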