如何保护JavaScript API访问令牌? [英] How to secure the JavaScript API Access Token?
问题描述
有许多在线资源提供JavaScript API来访问他们的服务。为了更清楚,我将基于 MapBox 的示例提出我的问题,但这很适用于其他许多服务。各种域。
There are numerous online resources which provide JavaScript APIs to access their services. To be more clear, I will base my question on the example of MapBox, but this applies well to many other services in various domains.
当有人想在Web应用程序中使用这样的服务时(例如MapBox的地图图像),他们通常需要注册/注册获取访问令牌以访问该服务。
When someone wants to use such a service in a web application (like the map imagery from MapBox for example), they typically need to Register/Sign Up and obtain an access token to access the service.
现在,如果我从服务器端使用API - 没有问题:我知道我的令牌安全地存储在服务器的某个地方,并且只是暴露在我的服务器和服务提供商之间进行通信。但是,如果是JavaScript API(例如,如果我使用 Leaflet 从MapBox渲染地图),我认为在暴露给用户的网络浏览器的JavaScript中拥有我的访问令牌 - 这样就可以非常轻松地找到某人的访问令牌。在我的例子中,只需使用Leaflet访问任何网站并在Firefox中打开开发工具,就可以在一分钟细致地阅读他们的JavaScript代码时显示他们使用的令牌。
Now, if I would use the API from the server side - there is no issue: I know my token is stored securely somewhere on the server and is only "exposed" upon communication between my server and the service provider. However, in case of a JavaScript API (for example if I use Leaflet to render a map from MapBox), I am supposed to have my access token in a JavaScript which is exposed to the user's web browser - and so it makes it extremely easy to find someone's access token. In my example, simply going to any website using Leaflet and opening "Dev Tools" in Firefox reveals the token they use in a minute of attentive reading of their JavaScript code.
然而,对于我来说,这个标记应被视为非常安全的数据 - 根据此令牌提供的身份验证来跟踪服务使用情况。如果您根据其使用情况支付服务费用就变得非常关键,但即使您没有(例如,如果您使用免费/入门/非付费计划) - 服务使用有限,我想确定只有我使用它。
This token however, as for me, should be considered as a very secure data - service usage is tracked based on the authentication this token provides. If you pay for the service based on its usage it becomes very critical, but even if you don't (like, if you use a Free/Starter/Non Paid plan) - service usage is limited and I'd like to be sure it is only me who uses it.
显然,服务提供商有类似IP /域过滤的策略,但似乎并非所有服务提供商都支持这种策略 - 例如,MapBox没有似乎(或者我没有找到它)。或者,最终,我可以通过我的网络服务器代理该服务,但这非常重。
Clearly, there are strategies like IP/domain filtering by service provider, for example, but it doesn't seem that all service providers support this - for example, MapBox doesn't seem to (or I didn't find it). Or, ultimately, I can proxy the service via my web server, but this is super heavy.
鉴于这一切 - 是否有办法保护所使用的访问令牌用于访问外部服务的JavaScript API,前提是JavaScript是在用户的浏览器中执行的吗?
Given all that - is there a way to secure the access token used by a JavaScript API to access an external service, provided that JavaScript is executed in a user's browser?
推荐答案
限制访问权限CORS
让您的Web服务器通过CORS设置从您的javascript请求返回访问令牌。可以使用此方法访问您的应用程序捕获令牌。
Make your web server return the access tokens on an ajax request from you javascript with CORS setup. Token can be captured with this method visiting your app.
向授权用户提供代币
您还可以在网络服务器上添加身份验证为您允许的用户提供有限的访问权限。可以使用此方法捕获令牌,但只能由授权用户捕获。
You can also add authentication on your webserver to provide limited access to the users you allow. Token can be captured with this method but only by authorized users.
代理请求
完全保护该令牌的唯一方法是代理通过您的服务器的请求。使用此方法无法捕获令牌。
The only way to completely protect that token is to proxy the requests through your server. Token cannot be captured with this method.
这篇关于如何保护JavaScript API访问令牌?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
