角REST API安全 [英] Angular REST API security

问题描述

我有我的应用程序的问题，当我用角来使用REST API请求

I have issue with my app when I use Angular to consuming REST API request

Web服务的URL存储在服务角或控制器JS文件
所以，如果我已经登录Web服务来检查像USENAME和密码：

The Web Service URLs store in the Angular service or controller js file so if I have Login web service to check usename and password like:

http://mylocal.com/api/service.json？ api_user =用户名和放大器; API_KEY =密码

最终用户和开发者可以得到这个URL，并建立一个软件来尝试寻找用户名和密码，因此如何隐藏JS角Web服务的URL是否可能？

The end users or developers can get this url and build a software to try finding the username and password, so how to hide the web services urls in angular js if that possible?

例如：

$scope.submit = function(request) {
        $scope.contactUsSuccess = false;
        $http.post('/_/contactUs' +
                "?firstName=" + encodeURIComponent(request.first) +
                "&lastName=" + encodeURIComponent(request.last) +
                "&email=" + encodeURIComponent(request.email) +
                "&phone=" + encodeURIComponent(request.phone) +
                "&company=" + encodeURIComponent(request.company) +
                "&message=" + encodeURIComponent(request.message)

            ) // Contact us
            .success(function(reply){
                console.log(reply);
                $scope.contactUsSuccess = true;
                $scope.contactUs = "";
            })
            .error(function(){
                alert('There seemed to be a problem with your submission. Please refresh the page and try again.')
            });
    };

您可以联系网址Web服务，使用它，所以我怎么能解决这个问题呢？

You can get the contact url web service and use it, so how can i solve this issue?

推荐答案

首先，这是非常糟糕的，如果你这样做了 HTTP 并没有 HTTPS 。发送此通过HTTP发送您的凭据text / plain的任何人都可以嗅出抢在网络上。

First off this is really bad if you're doing this over HTTP and not HTTPS. Sending this over HTTP sends your credentials in text/plain for anyone to sniff and grab on the network.

我假设他们不使用特定的防火墙规则，无论是。

I'm assuming they are not using specific firewall rules either.

由于您处理的REST端点，可以发起REST调用在几个不同的方式：

Because of the REST endpoint you're dealing with, you could initiate the REST call in a few different ways:

1. 设置有它的pre定义的用户名/密码对的HTTP（S）代理。通过这种方式，而不是调用 https://someremoteapp.com/user=joe&pass=test你可以调用/休息


2. 可能是更好的选择是建立一个后端代理服务，此API工作和隐藏后端的凭据。为此，您可以使用类似PHP和Ruby，Python和Node.js的...


3. 最好的办法是问他们是否支持其他安全机制。

1. Setup an HTTP(S) proxy that has that pre-defined username/password pair in it. That way instead of calling https://someremoteapp.com/user=joe&pass=test you could call /rest
2. Probably the better option is to setup a back-end forwarder service to work with this API and hide the credentials on the back-end. You can do this using something like PHP, Ruby, Python, Node.JS...
3. Best option is to ask if they support other security mechanism.

这篇关于角REST API安全的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！