Javascript客户端身份验证(使用SSL,没有OAuth2)?
[英]Javascript Client Authentication (with SSL, without OAuth2)?
问题描述
The scenario is: 
场景是:
I have a web API, which is being accessed by two clients: 我有一个Web API,由两个客户端访问:
- Web App written in Javascript, which is minified 用Javascript编写的Web应用程序,它是缩小的
- iOS App iOS应用程序
SSL is all set up on the server hosting the API, and it works fine. SSL都是在托管API的服务器上设置的,它运行正常。 There is no User Auth for the API because it's a sort of location-based searching app. API没有User Auth,因为它是一种基于位置的搜索应用程序。
I want to ensure though that only the web app and the iPhone client are able to actually make requests to the API. 我想确保只有Web应用程序和iPhone客户端能够实际向API发出请求。 For the iPhone client it's easy - a shared secret between the server and the app will do, and it's encrypted with SSL so we're not worried about people spying on it. 对于iPhone客户端来说这很容易 - 服务器和应用程序之间的共享秘密就可以了,而且它是用SSL加密的,所以我们不担心有人监视它。
But for the web app the same solution won't work. 但对于Web应用程序,相同的解决方案将无法正常工作。 I can't just leave a string in the code, and even if it's encrypted in there that's all somebody would need. 我不能在代码中留下一个字符串,即使它在那里被加密,也是所有人都需要的。
Basically, I'm looking for a good solution to this problem. 基本上,我正在寻找这个问题的一个很好的解决方案。 I just want to make sure it's kept only to clients who are allowed to use it, but I'm not sure how I can without going and implementing OAuth which I think is probably overkill. 我只是想确保它只保留给被允许使用它的客户,但我不确定如何不去实施OAuth,我认为这可能是过度的。 Any ideas? 有任何想法吗?
Thanks! 谢谢! Dan 担
1 个解决方案
解决方案1
2 已采纳 2012-10-21 14:17:37
It can't be done. 它无法完成。 Even with oauth. 即使有oauth。 Even assuming that your iOS app is secure, is wrong: it can be decompiled. 即使假设您的iOS应用程序是安全的,也是错误的:它可以被反编译。 Any code that runs on the client, can be tampered with, and can't be trusted to be who he says he is. 在客户端上运行的任何代码都可能被篡改,并且无法被信任为他所说的人。
Only question is: is the API you provide valuable enough, and how much trouble would someone want to go through to hack it. 唯一的问题是:您提供的API是否足够有价值,以及有多少人会想要破解它。 And how hard do you want to make it for whomever wants to hack it. 你想要破解它的人有多难?
The iOS version is indeed way safer than the javascript version. iOS版本确实比javascript版本更安全。 In the webapp you can obfuscate your code to make it harder to hack. 在webapp中,您可以对代码进行模糊处理,使其更难以入侵。 You can (if you don't intend to use it on iOS) use java or flash to further hide your signing code (HMAC-sign your requests, don't just send a shared secret with them. You may think SSL is secure, but there is a moment before the url is encrypted....). 您可以(如果您不打算在iOS上使用它)使用java或flash进一步隐藏您的签名代码(HMAC签署您的请求,不要只是发送共享密码。您可能认为SSL是安全的,但是在网址加密之前有一段时间......)。
The way the "big guys" deal with this is: “大家伙”处理这个问题的方式是:
- Whatever you build, assume that someone will be able to hack it (as in: use your API for some other purpose than you intended). 无论你构建什么,假设有人能够破解它(如:使用你的API用于除你预期之外的其他目的)。
- Think about how bad this really is (note: they wouldn't be able to build a business on it; it would be WAY TOO vulnerable to lawsuits). 想想这到底有多糟糕(请注意:他们无法在其上建立业务;因为诉讼很容易受到诉讼)。 Is it really the end of the world if a lone wolf uses your API. 如果孤狼使用你的API,它真的是世界末日吗?
- If you do care about the lone wolves, make it as hard as possible (but honestly, isn't it cheaper just to loose some money from the lone wolves, than to spend 2 developer-months on it?) 如果你真的关心孤狼,那就尽量让它变得更加坚硬(但老实说,从单独的狼那里掏出一些钱,而不是花2个开发者月的时间,这不是更便宜吗?)
- If somehow there is serious interest in hacking into your API, try to come to an understanding with the hackers (eg I like the way how Spotify reacted to despotify. Basically they said "hey, if you don't release anything that makes it really easy to steal our music or circumvent our businessmodel, we won't try too hard to block you") 如果以某种方式对黑客入侵你的API非常感兴趣,请尝试与黑客达成谅解(例如,我喜欢Spotify对despotify的反应方式。基本上他们说“嘿,如果你不释放任何使它成为真正的东西容易窃取我们的音乐或规避我们的商业模式,我们不会太努力阻止你“)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.