[英]Symfony2 RESTful API + AngularJS
I've been working on an e-commerce project built on Symfony2 (for the backend) and AngularJS for the frontend.我一直在开发一个建立在 Symfony2(后端)和 AngularJS 上的电子商务项目。 Currently the Symfony part is used only as an API, which has three different user levels (guest, customer & admin).
目前 Symfony 部分仅用作 API,它具有三个不同的用户级别(访客、客户和管理员)。 Different actions that can be done within the system (like add/remove data) are secured by:
可以在系统内完成的不同操作(如添加/删除数据)通过以下方式进行保护:
For the parts that are secure everything works as intended and I'm very happy with the way things work.对于安全的部件,一切都按预期工作,我对工作方式感到非常满意。
Problem:问题:
There are parts of the API which are public (like retrieving product information, categories, etc.). API 的某些部分是公开的(例如检索产品信息、类别等)。 I'm retrieving such data in Angular with Ajax calls to my API that returns the data in JSON format.
我正在 Angular 中检索此类数据,并通过 Ajax 调用我的 API,该 API 以 JSON 格式返回数据。 One example would be:
一个例子是:
/api/product/get-all/?page=1&count=10&sorting[id]=asc
/api/product/get-all/?page=1&count=10&sorting[id]=asc
The problem is that anyone could look at the requests in browser and copy the path and have access to all the data (such as all the products) and could just download a JSON of all the information.问题是任何人都可以在浏览器中查看请求并复制路径并访问所有数据(例如所有产品),并且只需下载所有信息的 JSON。 Although this data is "public", I don't want to give others such an easy way of "stealing" my data.
虽然这些数据是“公开的”,但我不想给别人这么简单的方法来“窃取”我的数据。
Ideas & possible solutions:想法和可能的解决方案:
What do you think?你怎么认为? Would this be a possible solution?
这是一个可能的解决方案吗?
I was also reading in some other question on StackOverflow that I could check the HTTP_X_REQUESTED_WITH header from the request, but we all know this can be easily spoofed by an attacker.我还在 StackOverflow 上的其他一些问题中看到我可以检查请求中的 HTTP_X_REQUESTED_WITH 标头,但我们都知道这很容易被攻击者欺骗。
Finally, I read a similar approach to "solution" 1) here : http://engineering.talis.com/articles/elegant-api-auth-angular-js/ but I'm not entirely sure that this fits my purpose.最后,我在此处阅读了“解决方案”1) 的类似方法: http : //engineering.talis.com/articles/elegant-api-auth-angular-js/但我不完全确定这是否符合我的目的。
Additional notes:补充说明:
Thanks for taking the time to read my question and I'm looking forward for any feedback.感谢您花时间阅读我的问题,我期待着任何反馈。
You can limit the abuse of your system in a number of ways, including:您可以通过多种方式限制对系统的滥用,包括:
Limit the total number of requests that API will return before requiring CAPTCHA or some other validation method.在要求 CAPTCHA 或其他一些验证方法之前限制 API 将返回的请求总数。 This can be limited by IP, browser fingerprint, authentication token, etc.
这可能受到 IP、浏览器指纹、身份验证令牌等的限制。
Make it difficult for abuser to guess IDs of products, categories, etc. by using GUIDs or other randomly generated IDs.通过使用 GUID 或其他随机生成的 ID,使滥用者难以猜测产品、类别等的 ID。
Use API management proxy such as Azure API Management for more enterprise level management of the APIs ( http://justazure.com/azure-api-management-part-one-introduction/ )使用 API 管理代理(例如 Azure API 管理)对 API 进行更多企业级管理( http://justazure.com/azure-api-management-part-one-introduction/ )
You could try something like:你可以尝试这样的事情:
This way everyone who wants to steal your data first need to get anonymous temporary token by filling in the captcha and change referrer.这样每个想要窃取您数据的人首先需要通过填写验证码和更改引用来获得匿名临时令牌。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.