用于客户端-服务器通信和安全性的 api-key
[英]api-key for client-server communication and security
问题描述
i need some advice.
我需要一些建议。 i want to build a JS app that will run on a client browser and communicate with ajax with my server.我想构建一个 JS 应用程序,它将在客户端浏览器上运行并与我的服务器进行 ajax 通信。 the problem is that i want to give this client some api-key so i can authorize it on my server.问题是我想给这个客户端一些 api-key 以便我可以在我的服务器上授权它。 security wise its a problem because as long that this key is sending through the ajax call, anyone can replicate this call.安全方面这是一个问题,因为只要这个密钥是通过 ajax 调用发送的,任何人都可以复制这个调用。 i don't want to ask the client to create some proxy server and "curl" the request.我不想让客户端创建一些代理服务器并“卷曲”请求。 i want it to be directly from the client to my server.我希望它直接从客户端到我的服务器。 what is the best practice for that except verifying the client by his IP or domain?除了通过 IP 或域验证客户端之外,最佳实践是什么?
2 个解决方案
解决方案1
1 2016-03-18 20:46:18
You could use something like a JWT .你可以使用类似JWT 的东西。
You create an authentication object您创建一个身份验证对象
{
apiKey: asd-dfgdf-e3234, // not even necessary (read on)
expires: 12213493434,
ip: "x.x.x.x"
}
You base64 encode it and then sign it with a private key (or hash function on your server) and attach the signature as a base64 string to the "payload".您对它进行 base64 编码,然后使用私钥(或服务器上的哈希函数)对其进行签名,并将签名作为 base64 字符串附加到“有效负载”。
eyBhcGk6IDEyMzQ1LTU2Nzc4LCBhcGk6IDEyNy4wLjAuMSB9.Tm90IFNlY3VyZSE=
| -------- payload ----------------------------| -- signature -|
Pass this to your client.将此传递给您的客户。 Every request sends this token.每个请求都会发送此令牌。 It can be examined and verified to be tamper free (match the requesting IP no key necessary).它可以被检查和验证是不可篡改的(匹配请求的 IP,不需要密钥)。
解决方案2
0 2016-03-18 20:01:57
Sadly, you can only check the Referer header, and issue API keys with a whitelist of allowed referers.遗憾的是,您只能检查Referer标头,并发布带有允许引用者白名单的 API 密钥。
The main issue here is Referer isn't secure at all: it can be changed.这里的主要问题是Referer根本不安全:它可以更改。 That is, anyone can impersonate a client...也就是说,任何人都可以冒充客户......
AFAIK, the point is your clients should be able to re-create their API keys, and they should do it once they've realized that someone is impersonating them. AFAIK,关键是您的客户应该能够重新创建他们的 API 密钥,一旦他们意识到有人在冒充他们,他们就应该这样做。 And they should keep re-re-re-creating until the bad guy stops impersonating them...他们应该不断地重新创造,直到坏人不再冒充他们……
Make it as hard as possible...尽量让它难...
One possible approach to make things harder to unwanted clients impersonating actual clients can be using access tokens with expiration.使冒充实际客户端的不受欢迎的客户端更难处理的一种可能方法是使用过期的访问令牌。
Also, a good practice can be that one client can request a limited number of access tokens everyday.此外,一个好的做法可能是一个客户端每天可以请求有限数量的访问令牌。 If these access tokens have a 24 hour expiration time, and there's a limit of 3 or 4 access tokens per API key and per day, if many bad guys try to impersonate one of your clients, well, only 3 will be able to do so.如果这些访问令牌有 24 小时的到期时间,并且每个 API 密钥每天有 3 或 4 个访问令牌的限制,如果许多坏人试图冒充您的一个客户,那么只有 3 个能够这样做.
You can also define a limit of an access token per day.您还可以定义每天访问令牌的限制。 This could make things even harder.这可能会使事情变得更加困难。
BTW, you can argue that anyone can steal the whole access token too.顺便说一句,您可以争辩说任何人也可以窃取整个访问令牌。 Well, this is the time to re-generate the API key and get a new one.好吧,现在是重新生成 API 密钥并获取新密钥的时候了。 Finally these bad guys will get tired of getting their access tokens invalidated...最后,这些坏人会厌倦让他们的访问令牌失效......
Best solution最佳解决方案
Actually, if your API needs to be secure and it's private as you've said in some of your comments on my own answer, there's no choice here: you need to go the server proxy way .实际上,如果您的 API 需要安全并且是私有的,正如您在对我自己的回答的一些评论中所说的那样,这里别无选择:您需要采用服务器代理方式。
I would check node-oauth2-server to use OAuth2 to secure your API.我会检查node-oauth2-server以使用 OAuth2 来保护您的 API。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.