我可以使用 GET 请求从私有 GitHub 存储库获取代码吗?
[英]Can I get code from a private GitHub repository using a GET Request?
问题描述
I'm building a website and I want to have some simple authentication.
我正在建立一个网站,我想进行一些简单的身份验证。 I know this isn't the safest method, but I want something quick and simple.我知道这不是最安全的方法,但我想要一些快速简单的方法。 Also, there's no sensitive data on the website that needs extremely secure authentication.此外,网站上没有需要极其安全的身份验证的敏感数据。
Here's the method I want to use:这是我要使用的方法:
I have a private GitHub repo, where there is a JSON file with a person's credentials in this format:我有一个私人GitHub 存储库,其中有一个 JSON 文件,其中包含以下格式的个人凭据:
{
"admin": {
"username": "USERNAME_HERE",
"password": "PASSWORD_HERE",
"id": 7777
}
}
When a user tries to log in, is there a way a request can get the data from the JSON file?当用户尝试登录时,请求是否可以从 JSON 文件中获取数据? I tried using raw.githubusercontent.com (raw code) but since the repo is private, There's an access token needed at the end of the URL.我尝试使用raw.githubusercontent.com (原始代码),但由于回购是私有的,URL 末尾需要一个访问令牌。 The access token also expires in some time and a new one is needed.访问令牌也会在一段时间后过期,需要一个新的。
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
console.log(xhttp.response);
let a = JSON.parse(xhttp.response);
}
};
xhttp.open("GET", "https://raw.githubusercontent.com/username/repo/master/json/data.json?token=MY_TOKEN", true);
xhttp.send();
This works for some time, but then the token expires and the token is also visible within the source code so that method's a no.这工作了一段时间,但随后令牌过期并且令牌在源代码中也是可见的,因此该方法是否。
If there is some permanent type of token that I can use, I also need to hide it from the source code.如果有一些我可以使用的永久类型的令牌,我还需要从源代码中隐藏它。
If I can't do this, then is there any way I could host a file online, and be the only one with access to it, perhaps with a token?如果我不能这样做,那么有什么办法可以让我在线托管文件,并且是唯一可以访问它的人,也许有一个令牌? And it would be nice if I could get some ideas on how I can hide a token from the source code.如果我能获得一些关于如何从源代码中隐藏令牌的想法,那就太好了。
1 个解决方案
解决方案1
1 2021-06-12 08:38:50
I know this isn't the safest method, but I want something quick and simple.
It isn't remotely safe, nor quick, nor simple.它既不安全,也不快速,也不简单。
When a user tries to log in, is there a way a request can get the data from the JSON file?
Use the Github API to read the file (this will require them to authenticate against Github as a user who has permission to read your repository which makes the whole thing awful).使用 Github API 读取文件(这将要求他们以有权读取您的存储库的用户身份对 Github 进行身份验证,这使得整个事情变得糟糕)。
If I can't do this, then is there any way I could host a file online, and be the only one with access to it, perhaps with a token?
Any kind of server-side authentication system will do that.任何类型的服务器端身份验证系统都可以做到这一点。
And it would be nice if I could get some ideas on how I can hide a token from the source code.
The only way to do that would be to have the user type the token in (or use a password manager, etc).唯一的方法是让用户输入令牌(或使用密码管理器等)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.