jQuery $.ajax.post to a service with secret API Key

Let's assume that there is a service out there as follows:

http://exmaple.com/service1/GetSomething?apikey={api-key-goes-here}

and my API key is: 96a143c8-2f62-470c-b81f-dec5fc271873

So we will be making calls to the http://exmaple.com/service1/GetSomething?apikey=96a143c8-2f62-470c-b81f-dec5fc271873 link and it gives back the response as JSON.

When I consume that with jQuery (or any other client-side JavaScript library), how will that key be secure? I am thinking about that and I figured there is no way. If I am going to make a call to that service with a client-side call, it will be out in the open.

Any idea on this?

Thanks.

Make a proxy.

Post the values to one of your pages and from this page make the real request on the server side, then return the value you get.

Of note: you cannot make a cross-domain request with JavaScript; browsers don't allow this, mainly for security reasons.

The only way to secure it from the client side is to proxy the API request on your server and add the key in your app.

The best approach that I found was to give your user an API_KEY and a SECRET_KEY.

Build your REST API request passing in the API_KEY, a timestamp and any other parameters necessary for making the call.

Using a scripting language like PHP, create an API_SIGNATURE variable using two-way encryption with your SECRET_KEY and append that to your base URL, and that is what you fire off as your request.

Now anyone can see that request, and that is why you put the timestamp in as a parameter. Basically you can put in a constraint that will only process requests that are less than one minute old.

Example: (do this part in the scripting language)

```php
<?php
// Base URL carrying the API_KEY, a timestamp and the call's own parameters
$API_BASE_URL = "http://api.yourdomain.com/1.1/comments.json?api_key=2002&timestamp=2323234544&id=4";
// The user's SECRET_KEY: used only to sign the request, never sent in the URL
$SECRET_KEY = "300";
// HMAC-SHA256 over the base URL, keyed with the secret (PHP variables need the $ prefix)
$API_SIGNATURE = hash_hmac('sha256', $API_BASE_URL, $SECRET_KEY);
$API_URL = $API_BASE_URL . '&api_signature=' . $API_SIGNATURE;
```

---

Now in your jQuery ajax url: echo out $API_URL using PHP.

---

In your API, when you get a request, you look up the user's account based on API_KEY, get their SECRET_KEY, decrypt the signature and make sure that it matches what was passed in. If that passes, now check the timestamp and make sure the request is less than a minute old.

You can also do rate limiting and a whole bunch of other stuff before processing the request.

That's it.


Also, people are saying cross-domain requests are not allowed by browsers. That is true if you are requesting JSON, but you can get around this using JSONP.


The hash_hmac function is available in many programming and scripting languages. So if you develop an API you can use it on the web with PHP and in your iPhone app with Objective-C.

Pretty simple.
