How to submit scores securely from app that uses only facebook login?


Question

Our Android app has Facebook login only.

Here's what happens in server:

A user is created when a POST request is sent with the Facebook user access token in the body.

Whenever a user gets created via POST request, an api token is generated and sent as a response as follows:

{"message":"User Successfully Created","api_token":"ACITyBKf0jKrfqOFumTMcaEEJ8jU151crRdESMPmBj8zbeENslULHfNXlKeo"}

I did this because the api token that is generated in the server is stored in android app's local storage and is needed to make other requests.

Now, if the user already exists in the server, the response would be

{"message":"User Already Exists!!","api_token":"ACITyBKf0jKrfqOFumTMcaEEJ8jU151crRdESMPmBj8zbeENslULHfNXlKeo"}

This is in case the user deletes the app and installs again.

Now, to submit score, a PATCH request is to be sent with:

Headers:

Content-Type:application/x-www-form-urlencoded
api_token:ACITyBKf0jKrfqOFumTMcaEEJ8jU151crRdESMPmBj8zbeENslULHfNXlKeo
fb_id:xxxxxxxxxx

Body:

distance:2
golds:19
xp:23

(Note: I tested the above request using postman)

Now, the problem is that I found a vulnerability.

A person can find out their facebook user access token and their facebook id anytime. So, if they make a POST request with that user access token, they will receive the api_token (In the "User Already Exists!!" response). And once they have api_token and fb_id, they can make a PATCH request to modify their scores to whatever they want.

What am I doing wrong? How can I secure my server from being hacked like this?

Please help me. I am a beginner in api design.

Thanks

Answer

If their API token is available to them in the app at all, that's probably a bad thing. If its not available to them in the app, say they're just forging in-app POST requests and retrieving the raw data, then they're probably trying to hack or pentest the system.

If that's the case, maybe sending the unencrypted API key via POST in the first place is a bad idea. If their API key is all they need to start doing bad things to your system, why ever give it to them in the first place?

Because your app needs it to remember them. What about something like this:

New user: server md5 hashes their API key and sends it to them to be stored.

Existing user: server md5 hashes their api key and sends it to them to be stored (if needed).

Official existing score change occurs: app re-md5 hashes the already hashed api key, sends that with the PATCH request. Server has a database with doubly hashed api keys in which it finds yours and identifies you as the user, and things go on normally from there.
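The following is an added example, not code from the question or the answer, that models both the endpoints the question describes (POST creates or re-finds a user and returns a token; PATCH with `api_token` and `fb_id` headers and a form-encoded body updates the scores) and the double-hashing scheme the answer sketches. The server keeps the raw key only on its side, hands the app `md5(api_key)` to store, and indexes users by `md5(md5(api_key))`, which is what the app sends on PATCH. The class and function names, the in-memory storage, and the sample Facebook id and token are all constructed for illustration; a real server would additionally validate the Facebook access token with Facebook, which this model does not do.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qsl


def md5_hex(value: str) -> str:
    """Hex MD5 of a UTF-8 string: the hashing step the answer describes."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


@dataclass
class UserRecord:
    fb_id: str
    api_key: str  # raw key, kept server-side only, never sent to the app
    scores: dict = field(
        default_factory=lambda: {"distance": 0, "golds": 0, "xp": 0}
    )


class ScoreServer:
    """In-memory model (hypothetical) of the two endpoints in the question."""

    def __init__(self) -> None:
        self.users = {}   # fb_id -> UserRecord
        self.lookup = {}  # md5(md5(api_key)) -> fb_id

    def post_user(self, fb_id: str, fb_access_token: str) -> dict:
        """POST: create the user if new, then return md5(api_key) for the app to store."""
        if not fb_access_token:
            raise ValueError("facebook user access token required in body")
        rec = self.users.get(fb_id)
        if rec is None:
            api_key = secrets.token_urlsafe(45)  # random server-side key
            rec = UserRecord(fb_id=fb_id, api_key=api_key)
            self.users[fb_id] = rec
            self.lookup[md5_hex(md5_hex(api_key))] = fb_id
            message = "User Successfully Created"
        else:
            message = "User Already Exists!!"
        return {"message": message, "api_token": md5_hex(rec.api_key)}

    def patch_score(self, headers: dict, body: str) -> dict:
        """PATCH: the header carries md5(md5(api_key)); look it up directly."""
        fb_id = self.lookup.get(headers.get("api_token", ""))
        if fb_id is None or fb_id != headers.get("fb_id"):
            return {"status": 401, "message": "Unauthorized"}
        rec = self.users[fb_id]
        updates = {}
        for key, value in parse_qsl(body):
            if key not in rec.scores:
                continue  # ignore fields that are not score fields
            try:
                updates[key] = int(value)
            except ValueError:
                return {"status": 400, "message": f"bad value for {key}"}
        rec.scores.update(updates)
        return {"status": 200, "scores": dict(rec.scores)}


def client_headers(stored_token: str, fb_id: str) -> dict:
    """What the app sends: it re-hashes the md5(api_key) it stored locally."""
    return {
        "Content-Type": "application/x-www-form-urlencoded",
        "api_token": md5_hex(stored_token),
        "fb_id": fb_id,
    }


if __name__ == "__main__":
    srv = ScoreServer()
    fb_id, fb_token = "1234567890", "EAAB-constructed-sample-token"  # constructed
    stored = srv.post_user(fb_id, fb_token)["api_token"]  # app stores this
    print(srv.patch_score(client_headers(stored, fb_id), "distance=2&golds=19&xp=23"))
```

Running the block end to end shows the flow from the question with the answer's hashing applied: a second POST for the same `fb_id` returns the "User Already Exists!!" message with the same token, a PATCH whose `fb_id` header does not match the token's owner is rejected, and a non-integer score value is rejected before anything is written.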
