
Limit the server to only respond to HTTP requests made from an iOS app - without username and password

I have an iOS app where the user can make HTTP requests from their phones and the HTTP returns information based on the zip code that the user provides through the phone.

My issue is that anyone can type the URL and the server would respond with the information that corresponds to the zip code they input, e.g. http://example.com/zip-code/78515 .

My question is, can I limit the server to only respond to requests made from my iOS app without the user having to create a user and password? In other words, if someone types http://example.com/zip-code/78515 directly in a browser I want the server to ignore the request, but if the request comes from my iOS app I want the server to respond accordingly.

For the HTTP request I'm using Laravel.

Here is my Laravel code.

Route:

Route::get('zip-code/{zipCode}', 'AppsAPIController@information');

Controller:

namespace App\Http\Controllers;

use App\CityInfo; // assumed model namespace; adjust to where CityInfo lives in your project

class AppsAPIController extends Controller
{
    // Returns every CityInfo row whose ZipCode matches the route parameter
    public function information($zipCode)
    {
        $info = CityInfo::where('ZipCode', $zipCode)->get();
        return $info;
    }
}

Request:

http://example.com/zip-code/78515

Again, the question is, how can I limit the server to only respond to requests made from my iOS app without the user having to create a username and password?

This package seems to do that:

https://github.com/spinen/laravel-browser-filter

Basically, you are adding a middleware that reads the user agent out of the request, and denies the rest.

There is no foolproof way to respond only to requests made by your app.

User agent sniffing, navigator feature detection, and like measures may deter most basic attempts to load information from that URL (like search engine bots), but anyone with a little time can learn to replicate the HTTP requests made by your app, defeating those measures.

Even requiring a login will not prevent external requests (they can send requests matching your login workflow to obtain a valid token, then request the restricted URL with it).

(via the comments) I just don't want to overload the server with unnecessary requests.

In that case, there's a much better solution. Laravel ships with a throttle middleware, which you can use to limit the number of requests per minute per IP (or per logged-in user, if they're authenticated).

Just add throttle:60,1 to your route's middleware and it'll max out at 60 requests per minute for a particular IP address. Set it to something relatively high (so normal use doesn't hit it), but it'll prevent millions of requests from the same IP from using up too many resources.
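As an added example (not code from the question or either answer), here is how the two measures discussed above fit together in a Laravel 5.x project: the built-in throttle middleware on the zip-code route, plus a small user-agent filter middleware of the kind the first answer describes. The middleware class name, the MyZipApp/ user-agent prefix and the app.ua alias are assumptions; the user-agent check only deters casual browser or crawler access, since the header can be set to anything by the client.

```php
<?php
// app/Http/Middleware/RequireAppUserAgent.php (assumed file name)
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class RequireAppUserAgent
{
    // Assumed: the iOS app sets a User-Agent that starts with this prefix.
    private const APP_UA_PREFIX = 'MyZipApp/';

    public function handle(Request $request, Closure $next)
    {
        $ua = (string) $request->header('User-Agent', '');

        // Reject anything that does not present the app's user agent
        // (plain browsers, search engine bots, curl with default headers).
        if (strncmp($ua, self::APP_UA_PREFIX, strlen(self::APP_UA_PREFIX)) !== 0) {
            abort(403, 'Forbidden');
        }

        return $next($request);
    }
}

// routes/web.php (or routes/api.php)
// Assumes 'app.ua' => \App\Http\Middleware\RequireAppUserAgent::class has been
// added to $routeMiddleware in app/Http/Kernel.php.
//
// 'throttle:60,1' is Laravel's built-in rate limiter: at most 60 requests per
// minute per client IP; the 61st request within the window gets HTTP 429.
Route::get('zip-code/{zipCode}', 'AppsAPIController@information')
    ->middleware(['app.ua', 'throttle:60,1']);
```

Raise the 60 to whatever a single real user could plausibly generate per minute; the throttle is what actually protects server resources, while the user-agent filter only reduces noise from untargeted traffic.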
