如何验证请求来自网站?
[英]How to authenticate that a request came from a website?
问题描述
I and a friend are building an API with a web front end.
我和一个朋友正在构建一个带有 Web 前端的 API。 The web utilizes the API via Ajax requests to interact with the back-end. Web 通过 Ajax 请求利用 API 与后端进行交互。 We would like to offer limited access to the API for people not using the website (you must pay a fee to use the API), but full unlimited access to anyone on the website.我们希望为不使用网站的人提供对 API 的有限访问(您必须支付使用 API 的费用),但为网站上的任何人提供完全无限制的访问。
Now the problem: We are struggling to identify which API call comes from where.现在的问题是:我们正在努力确定哪个 API 调用来自哪里。 Since the website uses JavaScript for the calls, the request appears to come from the user's IP.由于该网站使用 JavaScript 进行调用,因此请求似乎来自用户的 IP。 We thought about using unique tokens for each call or signing the calls, but JavaScript would expose the methods and keys used in both cases.我们考虑过为每次调用使用唯一的令牌或对调用进行签名,但 JavaScript 会公开这两种情况下使用的方法和密钥。
We are emphasizing on security, so we are searching for a robust solution.我们强调安全性,因此我们正在寻找一个强大的解决方案。
Thanks in advance!提前致谢!
1 个解决方案
解决方案1
0 已采纳 2020-03-19 17:52:23
We ended up settling for middleware in the login written in PHP.我们最终在用 PHP 编写的登录中解决了中间件。 It generated an additional token valid for 24h and stored it in the cache.它生成了一个有效期为 24 小时的附加令牌并将其存储在缓存中。 All requests made from the website utilize this token, so if it is not present then the request didn't come from said website.从网站发出的所有请求都使用此令牌,因此如果它不存在,则该请求不是来自该网站。
The downfall is that you could theoretically fake the request by taking the token from the cache and use it elsewhere, but it would require to update the token manually every day.缺点是理论上你可以通过从缓存中获取令牌并在其他地方使用它来伪造请求,但它需要每天手动更新令牌。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.