
How to restrict API access to only authorized domains using Express.js?

I'm working on a layer of security for my Node.js/Express.js app where I would like to restrict access to an authlist (authorized list) of domains.

NB: The opposite of an authlist is a denylist.

The Rundown:

  • Users create a Project on my system.
  • Each Project is issued a Public Key and Secret Key that will be used to create signed requests.
  • Additionally, the admin of any given Project will need to supply an authlist of domains that they'd like to be able to access the API for that given Project. This is done in the web-based console, not as part of every request.
  • When the API receives a request, req.get('origin') is used to determine the origin domain of the request.
  • The origin is checked against the authlist and either allowed or denied accordingly.

In Code:

```javascript
var express = require('express');
var app = express();

// Authorized list of origin domains, assumed to be loaded for the Project
var authlist = ['https://mysite.com'];

app.post('/my-api-endpoint', function (req, res) {
    var originDomain = req.get('origin');   // e.g. https://mysite.com (the Origin header includes the scheme)
    // Origin is then checked against the authlist array of domains
    if (authlist.indexOf(originDomain) === -1) {
        return res.status(403).send('Origin not authorized');
    }
    res.send('ok');
});

app.listen(3000);
```

The Questions

  • What concerns do I need to be aware of with regard to Domain Origin Spoofing?
  • Is this a worthy security feature at all? Or is it so easily spoofed that there's no point in bothering?

The best way to accomplish what you are looking for is to forget domains altogether and optionally allow the whitelisting of IP ranges. With that said, some of the biggest APIs in the world do not even use this security layer (i.e. eBay, Amazon's Marketplace, etc...).

In the interest of addressing the extra paranoia though, you could have your clients set up subnets to launch their autoscaling servers into, which would give them a static range of IPs to whitelist. Then only servers inside this IP range would be given permission to access your endpoints.

Here is a question on AWS that explains a tad more about that: https://forums.aws.amazon.com/thread.jspa?threadID=233469

It is possible to use the middleware feature to do something like you did in the question example, but origin, as far as I know, is something that is only a browser feature, so it's possible to use a proxy to mask it and easily pass through this kind of filter.
