安全的node.js restful API [英] Secure node.js restful API

问题描述

我想获得一个宁静的Api，我想尽可能保持简单，以及无国籍。

I'd like to secure a restful Api, and I'm trying to keep it as simple as possible, as well as being stateless.

什么是存储，生成和验证api密钥的最佳方式？我正在考虑使用node-uuid生成密钥，将它们存储在redis中，然后使用passport-apikeys对它们进行身份验证。

What is the optimal way to store, generate, and authenticate api keys? I was thinking about generating keys with node-uuid, storing them in redis, and then authenticating them with passport-apikeys.

这会有效吗？或者是否有另一个我缺少的最佳解决方案。

Would this work? Or is there another optimal solution that I'm missing.

我一直在阅读这个数量很多，但很多资源都缺少实际的实现，比如这个发布

I have been reading up on this a good amount, but a lot of resources are missing the actually implementation, like this post

推荐答案

你的解决方案对我来说听起来不错，但恐怕不够安全。我建议您使用密钥签署请求，以便保护您的API免遭篡改。所以你需要生成一个密钥对，假设访问id 和访问密钥，对于要去的用户使用您的API。 HTTP请求将包含两个部分，一个是访问ID ，另一个是通过访问密钥计算整个请求内容的签名。但访问密钥绝不应该通过HTTP传递。因此，在服务器端，您可以通过Redis中存储的访问密钥检查HTTP请求的签名。

Your solution sounds OK to me, but not that secure enough I'm afraid. I'd like to suggest you sign the request with the key, so that you can protect your API from tampering. So you need to generate a key pair, let's say access id and access key, to the user who is going to use your API. The HTTP request will have two sections, one is the access id, the other is a signature that calculate the whole request content by the access key. But access key should never by passed through HTTP. So in server side you can check the signature of the HTTP request by the access key stored in Redis.

您可以使用Node.js加密模块。 http://nodejs.org/api/crypto.html#crypto_class_hmac

You can use Node.js Crypto module for this. http://nodejs.org/api/crypto.html#crypto_class_hmac

希望这有点帮助。

这篇关于安全的node.js restful API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！