使用服务器为客户端隐藏 YouTube API [英] Hiding YouTube API for client using server

问题描述

由于缺乏经验，我无法理解如何隐藏 API 密钥.抱歉，我已经 15 年没有从事 Web 开发了，因为我专注于关系数据库，并且发生了很多变化.

My inexperience has left me short of understanding how to hide an API Key. Sorry, but I've been away from web development for 15 years as I specialized in relational databases, and a lot has changed.

我阅读了大量文章，但不明白如何利用它们.我想将我的 YouTube API 密钥放在服务器上，但让客户端能够在不公开的情况下使用它们.我不明白如何在我的服务器(提供 ISP)上设置 API 密钥使客户端能够访问与项目关联的 YouTube 频道.有人可以向我解释一下吗?

I've read a ton of articles, but don't understand how to take advantage of them. I want to put my YouTube API key(s) on the server, but have the client able to use them w/o exposure. I don't understand how setting an API Key on my server (ISP provided) enables the client to access the YouTube channel associated with the project. Can someone explain this to me?

推荐答案

我不确定您想要做什么，但对于我参与的一个项目，我需要从 YouTube 获取特定的播放列表并将内容公开给访问者网站.

I am not sure what you want to do but for a project I worked on I needed to get a specific playlist from YouTube and make the contents public to the visitors of the website.

我所做的是一种代理.我设置了一个包含 api 密钥的 php 文件，然后让最终用户通过这个 php 文件获取 YT 内容.

What I did is a sort of proxy. I set up a php file contains the api key, and then have the end user get the YT content through this php file.

php 文件使用 curl 从 YT 中获取内容.

The php file gets the content form YT using curl.

希望能帮到你.

编辑 1

隐藏密钥的方法是将其放在服务器上的PHP文件中.这个 PHP 文件将连接到 youtube 并在您的客户端页面上检索您想要的数据.

The way to hide the key is to put it in a PHP file on the server. This PHP file will the one connecting to youtube and retrieving the data you want on your client page.

此代码示例，使用正确的 api 密钥和正确的播放列表 ID 将获得一个包含播放列表前 10 首曲目的 json 文件.

This example of code, with the correct api key and correct playlist id will get a json file with the 10 first tracks of the play list.

$resp 将包含 json 数据.要提取它，必须将其解码为例如关联数组.一旦进入数组，它就可以很容易地混合到将在客户端浏览器上呈现的 html 中.

The $resp will have the json data. To extract it, it has to be decoded for example into an associative array. Once in the array it can be easily mixed in to the html that will be rendered on the client browser.

<?php        
        $apiKey = "AIza...";
        $results = "10";
        $playList = "PL0WeB6UKDIHRyXXXXXXXXXX...";


        $request = "https://www.googleapis.com/youtube/v3/playlistItems?part=id,contentDetails,snippet&maxResults=" . $results . 
                   "&fields=items(contentDetails%2FvideoId%2Cid%2Csnippet(position%2CpublishedAt%2Cthumbnails%2Fdefault%2Ctitle))" .
                   "&playlistId=" . $playList . 
                   "&key=" . $apiKey;



        $curl = curl_init();
        curl_setopt_array($curl, array(
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_URL => $request,
            CURLOPT_SSL_VERIFYPEER => false
        ));    

        $resp = curl_exec($curl);


        if (curl_errno($curl)) {
            $status = "CURL_ERROR";
        }else{
            // check the HTTP status code of the request
            $resultStatus = curl_getinfo($curl, CURLINFO_HTTP_CODE);
            if ($resultStatus == 200) {
                $status = "OK";
                //Do something with the $resp which is in JSON format.
                //Like decoding it into an associative array
            } else {
                $status = "YT_ERROR";
            }
        }

        curl_close($curl);
?>
<html>
<!-- your html here -->
</html>

注意:CURLOPT_SSL_VERIFYPEER 设置为 false.这是在开发中.对于产品，它应该是真的.

Note: CURLOPT_SSL_VERIFYPEER is set to false. This is in development. For prod it should be true.

另请注意，以这种方式使用 api，您可以限制对 api 密钥的调用，将它们绑定到您的域.您可以在 googla api 控制台中执行此操作.(制作提示)

Also note that using the api this way, you can restrict the calls to your api key bounding them to your domain. You do that in the googla api console. (Tip for production)

这篇关于使用服务器为客户端隐藏 YouTube API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！