Securing JS client-side SDKs

I'm working on a React-Redux web-app which integrates with AWS Cognito for user authentication/data storage and with the Shopify API so users can buy items through our site.

With both SDKs (Cognito, Shopify), I've run into an issue: their core functionality attaches data behind the scenes to localStorage, requiring both SDKs to be run client-side.

But running this code entirely client-side means that the API tokens which both APIs require are completely insecure, such that someone could just grab them from my bundle and then authenticate/fill a cart/see inventory/whatever from anywhere (right?).

I wrote issues on both repos to point this out. Here's the more recent one, on Shopify. I've looked at similar questions on SO, but nothing I found addresses these custom SDKs/ingrained localStorage usage directly, and I'm starting to wonder if I'm missing/misunderstanding something about client-side security, so I figured I should just ask people who know more about this.

What I'm interested in is whether, abstractly, there's a good way to secure a client-side SDK like this. Some thoughts:

  • Originally, I tried to proxy all requests through the server, but then the localStorage functionality didn't work, and I had to fake it out post-request and add a whole bunch of code that the SDK is designed to take care of. This proved prohibitively difficult/messy, especially with Cognito.

  • I'm also considering creating a server-side endpoint that simply returns the credentials and blocks requests from outside the domain. In that case, the creds wouldn't be in the bundle, but wouldn't they be eventually scannable by someone on the site once that request for credentials has been made?

  • Is the idea that these secret keys don't actually need to be secure, because adding to a Shopify cart or registering a user with an application don't need to be secure actions? I'm just worried that I obviously don't know the full scope of actions that a user could take with these credentials, and it feels like an obvious best practice to keep them secret.

Thanks!

Can't you just put the keys and such in a .env file? This way nobody can see what keys you've got stored in there. You can then access your keys through process.env.YOUR_VAR.

For Cognito you could store stuff like user pool id, app client id, identity pool id in a .env file.

NPM package for dotenv can be found here: NPM dotenv

Furthermore, what supersecret stuff are you currently storing that you're worried about? By "API tokens", do you mean the OpenId token which you get after authenticating to Cognito?

I can respond to the Cognito portion for this. Your AWS Secret Key and Access Key are not stored in the client. For your React.js app, you only need the Cognito User Pool Id and the App Client Id in your app. Those are the only keys that are exposed to the user.

I cover this in detail in a comprehensive tutorial here - http://serverless-stack.com/chapters/login-with-aws-cognito.html
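An added check, not from the question or either answer, for the point above that only Cognito's public identifiers belong in the client: it builds the client config from an allow-list of public keys and scans the emitted bundle text for the shape of AWS access key IDs and secret access keys before deploy. The environment key names, the sample env object and the two bundle strings are constructed for this example.

```javascript
// Added example (not code from the question, the answers or the SDKs).
// Only these Cognito identifiers are public by design; anything else in the
// server environment stays on the server. Key names are assumed.
const PUBLIC_COGNITO_KEYS = [
  'COGNITO_USER_POOL_ID',
  'COGNITO_APP_CLIENT_ID',
  'COGNITO_IDENTITY_POOL_ID',
];

// Copy only allow-listed public identifiers into the object that gets
// serialised into the client bundle.
function buildClientConfig(env) {
  return Object.fromEntries(
    PUBLIC_COGNITO_KEYS.filter((k) => k in env).map((k) => [k, env[k]])
  );
}

// Shape of AWS long-term credentials: access key IDs are "AKIA" (or "ASIA"
// for temporary ones) followed by 16 uppercase alphanumerics; secret access
// keys are 40 base64-alphabet characters, matched here only when assigned
// to a property or variable whose name contains "secret".
const AWS_ACCESS_KEY_ID = /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g;
const AWS_SECRET_ASSIGNMENT =
  /secret[A-Za-z_]*["']?\s*[:=]\s*["']([A-Za-z0-9/+=]{40})["']/gi;

// Scan built bundle text; returns one finding per credential-shaped match.
function scanBundleForAwsCredentials(bundleText) {
  const findings = [];
  for (const m of bundleText.matchAll(AWS_ACCESS_KEY_ID)) {
    findings.push({ kind: 'access_key_id', value: m[0], index: m.index });
  }
  for (const m of bundleText.matchAll(AWS_SECRET_ASSIGNMENT)) {
    findings.push({ kind: 'secret_access_key', value: m[1], index: m.index });
  }
  return findings;
}

// Constructed sample server environment (values are not real credentials).
const SAMPLE_ENV = {
  COGNITO_USER_POOL_ID: 'us-east-1_ExAmPlE12',
  COGNITO_APP_CLIENT_ID: 'abcdefghijklmnopqrstuvwxyz',
  AWS_ACCESS_KEY_ID: 'AKIAEXAMPLEEXAMPLE00',
  AWS_SECRET_ACCESS_KEY: 'ExAmPlEsEcReTkEy0123456789abcdefGHIJKLMN',
};
// Constructed bundle texts: one built from the allow-listed config, one that
// (wrongly) inlined the whole environment the way process.env substitution would.
const CLEAN_BUNDLE = `var cfg=${JSON.stringify(buildClientConfig(SAMPLE_ENV))};`;
const LEAKY_BUNDLE = `var aws={accessKeyId:"${SAMPLE_ENV.AWS_ACCESS_KEY_ID}",` +
  `secretAccessKey:"${SAMPLE_ENV.AWS_SECRET_ACCESS_KEY}"};`;
```

Running the scan as a build step and failing the deploy on any finding catches the case where a secret was inlined into the front-end bundle.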
