[英]How safe is it to use an ip for running a Sinatra ruby app for an iOS application
我正在構建一個iOS應用程序,並且有一個運行Sinatra應用程序的AWS ec2實例,用於刷新和交換Spotify SDK訪問令牌,並且我想知道URL上帶有諸如http://#someIP:4567類的任何安全問題應用程序本身。
我知道使用AWS ec2實例可以通過將其設置為https來確保其安全,但是如何以相同的方式保護IP(如果我什至需要這樣做)?
這是ruby文件中的內容:
require 'sinatra'
require 'net/http'
require 'net/https'
require 'base64'
require 'encrypted_strings'
require 'json'
set :bind, '0.0.0.0'
CLIENT_ID = ENV['TheClientIDGivenBySpotify']
CLIENT_SECRET = ENV['TheClientSecretGivenBySpotify']
ENCRYPTION_SECRET = ENV['cFJLyifeUJUBFWdHzVbykfDmPHtLKLGzViHW9aHGmyTLD8hGXC']
CLIENT_CALLBACK_URL = ENV['appForSpotify://returnAfterLogin']
SPOTIFY_ACCOUNTS_ENDPOINT = URI.parse("https://accounts.spotify.com")
get '/' do
"Working"
end
post '/swap' do
AUTH_HEADER = "Basic " + Base64.strict_encode64(CLIENT_ID + ":" + CLIENT_SECRET)
# This call takes a single POST parameter, "code", which
# it combines with your client ID, secret and callback
# URL to get an OAuth token from the Spotify Auth Service,
# which it will pass back to the caller in a JSON payload.
auth_code = params[:code]
http = Net::HTTP.new(SPOTIFY_ACCOUNTS_ENDPOINT.host, SPOTIFY_ACCOUNTS_ENDPOINT.port)
http.use_ssl = true
request = Net::HTTP::Post.new("/api/token")
request.add_field("Authorization", AUTH_HEADER)
request.form_data = {
"grant_type" => "authorization_code",
"redirect_uri" => CLIENT_CALLBACK_URL,
"code" => auth_code
}
response = http.request(request)
# encrypt the refresh token before forwarding to the client
if response.code.to_i == 200
token_data = JSON.parse(response.body)
refresh_token = token_data["refresh_token"]
encrypted_token = refresh_token.encrypt(:symmetric, :password => ENCRYPTION_SECRET)
token_data["refresh_token"] = encrypted_token
response.body = JSON.dump(token_data)
end
status response.code.to_i
return response.body
end
post '/refresh' do
AUTH_HEADER = "Basic " + Base64.strict_encode64(CLIENT_ID + ":" + CLIENT_SECRET)
# Request a new access token using the POST:ed refresh token
http = Net::HTTP.new(SPOTIFY_ACCOUNTS_ENDPOINT.host, SPOTIFY_ACCOUNTS_ENDPOINT.port)
http.use_ssl = true
request = Net::HTTP::Post.new("/api/token")
request.add_field("Authorization", AUTH_HEADER)
encrypted_token = params[:refresh_token]
refresh_token = encrypted_token.decrypt(:symmetric, :password => ENCRYPTION_SECRET)
request.form_data = {
"grant_type" => "refresh_token",
"refresh_token" => refresh_token
}
response = http.request(request)
status response.code.to_i
return response.body
end
在xcode中,我會發布到http://#someIP:4567/swap或http://#someIP:4567/refresh
這樣安全嗎? 我可以正確處理嗎? 通過將請求發送到任何人都可以訪問的IP,我是否使自己和使用該應用程序的任何其他人有被竊取或查看其信息的危險?
HTTPS僅適用於域名。 不適用於IP。 如果僅使用IP,那么您將受到MITM攻擊,並且所有數據都是純文本在飛來飛去。 任何人都可以竊聽您的請求。 您在交換請求中有一個code參數,我想代碼是否正確? 如果是,最好獲取一些域名並使用aws route53進行設置。 然后購買一些便宜的SSL證書,將其與域關聯。 然后在iOS端,啟用HTTPS而不是HTTP與服務器通信。 這與您的Sinatra應用程序無關。
要了解有關SSL / HTTPS的更多信息,您可以查看一些類似這樣的初學者教程: http : //www.hongkiat.com/blog/ssl-certs-guide/
此IP,站點或移動應用程序無權使用此API密鑰。如何解決ios應用程序的這個問題?
[英]This IP, site or mobile application is not authorized to use this API key. How to fix this issue for an ios app?
如何抑制`警告:鏈接 dylib 對於在應用程序擴展中使用不安全`?
[英]How to suppress `warning: linking against dylib not safe for use in application extensions`?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.