
My code uses an API with a secret key in several locations. How can I upload the code to GitHub without also uploading my key?

The project is a Vue SPA and a couple of my components have to make GET requests to an API with a secret key. I currently want to upload the project to GitHub Pages; however, I don't want to upload the key.

I've read that I need to create a file that should contain a variable with my key and then just use that variable in the place of the secret key; however, I am not sure how to go about doing this.

If you use the key client-side then you expose it to every user of the application.

Putting it in a variable just means it only appears in one place in the source code. It is still visible there and in every request sent to the API (where it can easily be found with the Network tab in the browser's developer tools).

To keep it secret you need to write server-side code to access the API, and then expose the data to your Vue app through some other mechanism (typically a web service of your own).

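You can use an environment file that is not part of the source code and load it into the front-end code via the dotenv package or a similar program.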

If you cannot rely on a server to store it as suggested above, you can store it in an ENV variable template.

auth.ENV.dist

NODE_ENV=''
PORT=''
# Set your database/API connection information here
API_KEY=''
API_URL=''

Notice: this is a common practice to set an auth key in a .ENV file and is far more common than retrieving it from a server for a variety of reasons. IE least but not last reason: for retrieving in a safe way those parameters you have to store another auth token or rely on other parameters (IP or similar) related to the deploy environment.

There are tons of articles covering the topic, just look where and how .ENV files are used.

This also allows you to split the behavior of your auth in (IE) test, staging and production environments.

EDIT:

This article is very complete and takes into account a lot of scenarios with advantages and drawbacks; it also exposes the architecture of a server-side management of keys.
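
The server-side approach from the first answer, as an added example that is not part of the original question or answers: a small proxy handler that reads `API_KEY` and `API_URL` (the names from the auth.ENV.dist template) from the server's environment, so the Vue components call `/api/<route>` on your own service and never hold the key. The route names and the `Authorization: Bearer` scheme are assumptions about the upstream API; it uses the standard `Request`/`Response`/`fetch` globals available in Node 18+.

```javascript
// Added example: server-side proxy handler. The browser calls /api/<route> on
// your own service; only this code, running on the server, ever sees API_KEY.
// ALLOWED_ROUTES and the Bearer header are assumptions about the upstream API.
const ALLOWED_ROUTES = new Set(["forecast", "search"]); // hypothetical routes

function loadConfig(env) {
  // API_KEY / API_URL come from the server environment, never from the bundle.
  const { API_KEY, API_URL } = env;
  if (!API_KEY || !API_URL) throw new Error("API_KEY and API_URL must be set");
  return { apiKey: API_KEY, apiUrl: API_URL };
}

function buildUpstreamUrl(config, requestUrl) {
  const incoming = new URL(requestUrl);
  const match = /^\/api\/([a-z]+)$/.exec(incoming.pathname);
  // Forward only known routes so the proxy cannot be used as an open relay.
  if (!match || !ALLOWED_ROUTES.has(match[1])) return null;
  const upstream = new URL(match[1], config.apiUrl.replace(/\/?$/, "/"));
  upstream.search = incoming.search; // pass the caller's query string through
  return upstream;
}

async function handleRequest(request, env, fetchImpl = fetch) {
  const config = loadConfig(env);
  if (request.method !== "GET") return new Response("Method not allowed", { status: 405 });
  const upstream = buildUpstreamUrl(config, request.url);
  if (!upstream) return new Response("Not found", { status: 404 });
  // The key is attached here, server-side, and is never sent to the browser.
  const apiResponse = await fetchImpl(upstream, {
    headers: { Authorization: `Bearer ${config.apiKey}` },
  });
  // Relay only a status and body so upstream headers or error text never reach the browser.
  const body = apiResponse.ok ? await apiResponse.text() : JSON.stringify({ error: "upstream error" });
  return new Response(body, {
    status: apiResponse.ok ? 200 : 502,
    headers: { "Content-Type": "application/json" },
  });
}
```

GitHub Pages serves only static files, so a handler like this has to run on a separate host, with the real `.env` file kept out of the repository and only the empty template committed.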
