担保的RESTful API，可以使用Web应用程序（角），iOS和Android [英] Secured RESTful API that can be used by Web App (angular), iOS and Android

问题描述

我要制定出一个计划来开发一个RESTful API（Python的/瓶）可用于我们未来的Web应用程序（Angularjs）和移动应用程序（的iOS / Android的）。

我一直在研究了三天三所遇到的几种情况： 使用HTTPS是在下面的方法上面的一个方法来保持它的安全。但将HTTPS慢，这可能意味着我们需要更快更昂贵的服务器。

1. 使用基本-HTTP-验证并发送用户名/密码以明文（但https）上线的每个请求的API。
2. 使用摘要，验证，这是密码，并跟踪将自动这会工作，为Web应用程序的哈希值，但我无法证实，如果iPhone和Android将本地支持这一点。如果他们这样做，这可能是一个简单的解决方案！
3. 在使用自定义HTTP头，在那里我会在成功验证发送自定义验证字符串中的HTTP标头。但我必须确保我送这个AUTH code为该用户发出的每个请求。这使得它酷似1），不同的是普通的密码不用于与auth code可以在没有任何风险到期。也有问题是在auth code，它不再2自动为）
跟踪
4. 使用OAuth是一种选择。但其相当难以成立。如果没有更好的办法，也许这就是唯一的出路？
5. 如本伟大的文章。总之，他说，服务器和客户端都知道一个私钥，他们会使用散列沟通。它会像黑帮的握手，你只将信任交付的男孩，如果他知道了匪帮握手。再往下的意见有人问：

  

如何保持一个纯粹的HTML5应用程序中的私钥安全？

     

您是完全正确的;在纯HTML5（JS / CSS / HTML）的应用程序，   有没有保护的关键。你会做所有的通信通过   HTTPS在这种情况下，你不会需要一个关键的，因为你可以安全地   使用标准API_KEY或一些其他友好标识客户端   标识符没有HMAC的需要或复杂性。

所以，换句话说，甚至有没有一点使用方法排在首位的web应用程序中。老实说，我不知道应该怎么在移动设备上工作的。用户下载我们的应用程序和如何发送私钥从iPhone到服务器？我把它转移的那一刻，它会打折扣。

越多，我的研究更举棋不定我得到。

我希望能请教一些专业人士谁这样做了previously并可以分享他们的经验。非常感谢

解决方案

您似乎混淆/合并两个不同的概念在一起。我们开始谈论加密通信（HTTPS），然后我们开始谈论不同的方式来管理身份验证的会话。在安全应用中，这些不是相互排斥的任务。这里似乎也有可能是一场误会会话管理如何影响认证。在此基础上，我会提供基于Web应用程序/ Web API会话管理，身份验证和加密底漆。

简介

会话管理

HTTP事务是无状态的默认。 HTTP不指定任何让你的应用程序知道，一个HTTP请求已发送特定用户（认证与否）方法。

有关健壮的web应用程序，这是不能接受的。我们需要一种方法来在多个请求提出的请求和数据相关联。要做到这一点，在初始请求到用户需要分配一个会话服务器。一般会话具有某种独特的id被发送到客户端。客户端发送的会话ID与每个请求和服务器使用的每个请求发送的会话ID正确prepare对用户的响应。

要记住，会话ID可称为很多其他的事情是很重要的。这些的例子有：会话令牌，令牌等为了保持一致性，我将使用会话ID此响应的其余部分

。

从客户端每个HTTP请求需要包括会话ID;这可以通过许多方式来完成。最典型的例子是：

1. 可以存储在cookie中 - 饼干当前域是在每个请求自动发送
2. 可以在URL发送 - 每个请求可以发送会话ID的网址，不建议因​​为会话ID将留在历史上的客户端
3. 可以通过一个HTTP头发送的 - 每个请求都需要指定头

大多数Web应用程序框架使用Cookie。然而，依赖于JavaScript和单页设计的应用程序可以选择使用一个HTTP头/将其存储在其他位置也就是观察到由服务器。

这是非常重要的是要记住，该通知他们的会话ID和包含会话ID的客户机的请求的客户端的HTTP响应完全是纯文本和100％的不安全。为了战斗中，所有的HTTP流量需要进行加密;这正是HTTPS的原因。

同样重要的是要指出，我们还没有谈到会话链接到我们的系统中的特定用户。会话管理只是数据关联到进入我们的系统，一个特定的客户端。客户端可以在这两个认证未认证和国家，但在这两个州，他们通常有一个会议。

验证

认证是我们的会话链接到我们的系统中一个特定的用户。这通常是通过在用户设备的凭证，这些凭证进行验证的登录过程进行处理，然后我们在系统中的会话链接到一个特定的用户记录。

该用户又与权限通过访问控制列表和访问控制项（ACL和ACE）细粒度访问控制有关。这通常被称为授权。大多数系统总是有身份验证和授权。在一些简单的系统中的所有身份验证的用户都是在这种情况下，你会不会有授权过去简单的身份验证平等。更多相关信息，超出范围的这个问题，但考虑阅读ACE / ACL。

一个特定的会话可以被标记为重presenting以不同的方式通过身份验证的用户。

1. 在会话数据存储服务器端可以存储他们的用户ID /它表示，使用被认证为特定用户提供一些其他的标志
2. 在另一个用户令牌可以被发送到客户端，就像一个会话ID（它通过未加密的HTTP就是不安全的发送会话ID未加密）

无论哪种选择是好的。它通常归结为技术，你的工作在和他们所提供的默认。

一个客户端通常会启动认证过程。这可以通过发送凭据到特定的URL（如yoursite.com/api/login）来完成。但是，如果我们想成为REST风格，我们通常会引用资源的一些名词和做的创造的动作。这可以通过要求凭据yoursite.com/api/authenticatedSession/的POST来完成。凡想法是创建一个验证会话。大多数网站只是张贴凭据/ API /登录等。这是真或纯REST风格的理想出发，但大多数人觉得这是一个简单的概念，而不是想到它是创建一个验证会话。

加密

使用HTTPS加密客户端和服务器之间的HTTP流量。在依赖于经过验证和未经验证的用户的系统，它依赖于用户的所有流量进行身份验证需要通过HTTPS加密;有没有办法解决这个。

这样做的理由是，如果用户进行身份验证，与他们（他们的会话ID等）共享一个秘密，然后开始游行的秘密纯HTTP其会话可以劫持人在这方面的中间人攻击。黑客会等待的交通要经过一个观察网络，并窃取机密（因为它的纯文本通过HTTP），然后开始你的服务器pretending的连接是原来的客户端。

人们解决这一问题的方法是通过远程IP地址相关联的请求，经过身份验证的会话。这是无效的单独作为任何黑客将能够伪装它们的请求远程IP地址在其假请求，然后观察你断绝正在发回的响应。大多数人会认为这是不值得实施，除非你正在跟踪历史数据，并用它来识别特定用户的登录方式（如谷歌一样）。

如果您需要分割的HTTP和HTTPS部分之间你的网站，当务之急是对HTTP流量不发送或接收会话ID，或用于管理用户的身份验证状态的任何标记。同样重要的是，你不要在非HTTPS请求/响应发送敏感应用程序数据。

要保护Web应用程序中的数据的唯一方法/ API的是您的流量进行加密。

你的话题一个接一个

基本-HTTP-验证

• 验证：YES
• 会话管理：NO
• 加密：NO

这是由唯一的网络资源进行身份验证的方法。基本身份验证使用验证通过确定URL资源。这是最普遍被Apache HTTP Web服务器实现与使用基于目录的.htaccess /位置认证。凭证必须与每个请求一起发送;客户一般为用户处理这种透明的。

基本验证可以由其他系统的认证的方式。然而，利用基本-HTTP-验证系统所提供的认证和会话管理，而不是基本-HTTP-验证本身。

• 这不是会话管理。
• 这是不加密的;内容和证书近100％的纯文本
• 这并不保证应用程序的HTTP请求/响应的内容。

文摘 - 验证

• 验证：YES
• 会话管理：NO
• 加密：NO

这是完全一样的基本-HTTP-验证通过添加一些简单的MD5消化。这种消化不应该在而是采用加密依赖。

• 这不是会话管理。
• 这是不加密的;摘要容易破裂
• 这并不保证应用程序的HTTP请求/响应的内容。

的OAuth

• 验证：YES
• 会话管理：NO
• 加密：NO

OAuth的只是让你有一个外部服务验证凭据。之后，它是由你来与认证请求您的OAuth提供者的结果管理/工作。

• 这不是会话管理。
• 这是不加密的;您的网站的流量仍是纯文本。认证过程将是安全的，由于HTTPS的限制，但你的应用程序仍然是脆弱的。
• 这并不保证应用程序的HTTP请求/响应的内容。

大佬握手 / 自定义HTTP标头

• 认证：是，潜在
• 会话管理：是的，有可能
• 加密：NO

自定义HTTP头是一种大佬握手的;因此我将使用相同​​的部分进行讨论。唯一的区别是，自定义HTTP头的规定，其中hanshake（会话ID，令牌，用户认证托克等）将被存储（即在一个HTTP标头）。

要注意的是，这些没有指定如何认证将被处理，也不会指定如何会话管理将被处理是很重要的。他们基本上是描述如何以及在何处会话ID /认证令牌将被保存。

认证需要通过应用程序或通过第三方（如OAuth的）来处理。会话管理将仍然需要和实施。有趣的是，你可以选择两个合并，如果你想。

• 这是不加密的;您的网站的流量仍是纯文本。如果你使用OAuth，但你的应用程序仍然是脆弱的认证过程将是安全的，由于HTTPS的限制。
• 这并不保证应用程序的HTTP请求/响应的内容。

什么，你需要做

......我强烈建议你一定要明白，一个强大的Web应用程序，安全需要如下：

1. 加密（HTTPS是pretty的多少你唯一的选择）
2. 会话管理
3. 认证/授权

授权依赖于认证。认证依赖于会话管理和加密确保不会对会话进行劫持和凭据不会拦截。

烧瓶登录

我觉得你应该看看烧瓶登录作为一种方式，以避免重新实现车轮。我个人从来没有使用过（我在Python采用金字塔式的Web应用程序）。不过，我已经看到它在Web应用程序/蟒蛇板前面提到的。它可以处理认证和会话管理。通过HTTPS要把你的Web API /应用程序，你有三个（加密，会话管理，以及用户身份验证）。

如果你不/不能使用烧瓶登录，是ppared写你自己的，但首先做研究关于如何创建安全的认证机制$ P $。

如果可能的话，如果你不知道如何写一个认证过程，请不要尝试它没有先学习黑客如何使用模式的攻击，计时攻击等。

请加密您的交通

...招过去，你能避免使用HTTPS与一些聪明的标记使用的想法。搬过去，你应该避免使用HTTPS的想法/加密，因为缓慢，工艺精深，等，这是密集的过程，因为它是一种加密算法。必须确保你的用户的数据和应用程序数据的安全应该永远是最高优先级。你不想去通过通知用户他们的数据被破坏的恐惧。

I have to lay out a plan to develop a RESTful API (Python/Flask) that could be used by our future web app (Angularjs) and mobile apps (iOS/Android).

I have been researching for three days and have come across several scenarios: Using HTTPS is one way on top of the methods below to keep it safer. But https is slower, which could mean we need faster and more expensive servers.

1. Using Basic-Http-Auth and sending username/password in plain (yet https) over the wire for every request to the API.
2. Using Digest-Auth, which is a hash of the password and the tracking would be automatic This would work for the web app, however I wasn't able to confirm if iPhones and Android would support this natively. If they do, that could be an easy solution!
3. Using a custom http header, where I would send a custom Auth string in http header upon a successful authentication. But then I have to make sure I am sending this auth code for every request that the user makes. This makes it exactly like 1) with the difference that plain passwords aren't used and the auth code can expire without any risk. Also problematic is the tracking of the auth code, which is no longer automated as in 2)
4. Using OAuth is an option. But its quite difficult to set up. If there is no better way, maybe thats the only way?
5. Securing the API like Amazon S3 as described in this great article. In short, he says that both server and client would know of a private key, which they would use to hash the communication. It will be like gangster handshake, that you only would trust the delivery boy, if he knows the gangsta handshake. Further down the comments someone asks:

How to keep the private key "secure" in a pure HTML5 app ?

You are exactly right; in a pure HTML5 (JS/CSS/HTML) app, there is no protecting the key. You would do all communication over HTTPS in which case you wouldn’t need a key since you could safely identify a client using a standard API_KEY or some other friendly identifier without the need or complexity of an HMAC.

So in other words there is even no point of using the method for an web app in first place. And honestly I don't understand how this should work on the mobile device either. A user downloads our app and how do I send the private key from the iphone to the server? The moment I transferred it, it will be compromised.

The more I am researching the more indecisive I am getting.

I was hoping to ask some pros who have done this previously and could share their experience. Many Thanks

解决方案

You seem to be confusing/merging two different concepts together. We start of talking about encrypting traffic (HTTPS) and then we start talking about different ways to manage authenticated sessions. In a secure application these are not mutually exclusive tasks. There also seem to potentially be a misunderstanding how session management can impact authentication. Based on that I will provide a primer on web application/web api session management, authentication, and encryption.

Introduction

Session Management

HTTP transactions are stateless by default. HTTP does not specify any method to let your application know that a HTTP request has been sent from a specific user (authenticated or not).

For robust web applications, this is not acceptable. We need a way to associate requests and data made across multiple requests. To do this, on initial request to the server a user needs to be assigned a "session". Generally sessions have some kind of unique id that is sent to the client. The client sends that session id with every request and the server uses the session id sent in every request to properly prepare a response for the user.

It is important to remember that a 'session id' can be called many other things. Some examples of those are: session token, token, etc. For consistency I will use 'session id' for the rest of this response.

Each HTTP request from the client needs to include the session id; this can be done in many ways. Popular examples are:

1. It can be stored in a cookie - cookies for the current domain are automatically sent on every request.
2. It can be sent on the URL - each request could send the session id on the URL, not suggested since session ids will stay in the clients history
3. It can be sent via as a HTTP header - each request would need to specify the header

Most web application frameworks use cookies. However application that rely on JavaScript and single page designs may opt to use a HTTP header/store it in some other location that is observable by the server.

It is very important to remember that the HTTP response that notifies the client of their session id and the client's requests that contain the session id are completely plain text and 100% unsafe. To battle that, all HTTP traffic needs to be encrypted; that is where HTTPS comes in.

It is also important to point out we have not talked about linking a session to a specific user in our system. Session management is just associating data to a specific client accessing our system. The client can be in both authenticated and unauthenticated states, but in both states they generally have a session.

Authentication

Authentication is where we link a session to a specific user in our system. This is generally handled by a login process where a user supplies credentials, those credentials are verified, and then we link a session to a specific user record in our system.

The user is in turn associated with privileges for fine grained access control via access control lists and access control entries (ACL and ACE). This is generally referred to as "Authorization". Most system always have both Authentication and Authorization. In some simple systems all authenticated users are equals in which case you won't have authorization past simple authentication. Further information on this is out of scope for this question, but consider reading about ACE/ACL.

A specific session can be flagged as representing an authenticated user in different ways.

1. Their session data stored server side could store their user id / some other flag that denotes that the use is authenticated as a specific user
2. Another user token could be send to the client just like a session id (which over unencrypted HTTP is just as unsafe as sending a session id unencrypted)

Either option is fine. It generally comes down to the technology you are working in and what they offer by default.

A client generally initiates the authentication process. This can be done by sending credentials to a specific url (e.g. yoursite.com/api/login). However if we want to be 'RESTful' we generally would referencing a resource by some noun and doing the action of 'create'. This could be done by requiring a POST of the credentials to yoursite.com/api/authenticatedSession/. Where the idea would be to create an authenticated session. Most sites just POST the credentials to /api/login or the like. This is a departure from "true" or "pure" RESTful ideals, but most people find this a simpler concept rather than thinking of it as "creating an authenticated session".

Encryption

HTTPS is used to encrypt HTTP traffic between a client and server. On a system that relies on authenticated and unauthenticated users, all traffic that relies on a user being authenticated needs to be encrypted via HTTPS; there is no way around this.

The reason for this is that if you authenticate a user, share a secret with them (their session id, etc) and then begin to parade that secret in plain HTTP their session can be hijacked by man-in-the-middle attacks. A hacker will wait for for the traffic to go through an observed network and steal the secret (since its plain text over HTTP) and then initiate a connection to your server pretending to be the original client.

One way people combat this is by associating the requests remote IP address to an authenticated session. This is ineffective alone as any hacker will be able to spoof their requests remote IP address in their fake requests and then observe the responses your sever is sending back. Most would argue that this is not even worth implementing unless you are tracking historical data and using it to identify a specific user's login patterns (like Google does).

If you need to split up your site between HTTP and HTTPS sections, it is imperative that the HTTP traffic does not send or receive the session id or any token used to manage the authentication status of a user. It is also important that you do not send sensitive application data within non-HTTPs requests/responses.

The only way to secure data within web applications/APIs is to encrypt your traffic.

Your Topics One By One

Basic-Http-Auth

• Authentication: YES
• Session Management: NO
• Encryption: NO

This is a method for authenticating by web resource only. Basic authentication authenticates uses by resource identified by URL. This was most popularly implemented by Apache HTTP Web Server with the use of .htaccess based directory/location authentication. Credentials have to be sent with each request; clients generally handled this transparently for users.

Basic authentication can be used by other systems as a mode of authentication. However, the systems that utilize Basic-Http-Auth are providing authentication and session management, not the Basic-Http-Auth itself.

• This is not session management.
• This is not encryption; content and credentials are nearly 100% plain text
• This does not secure the contents of the application's HTTP request/responses.

Digest-Auth

• Authentication: YES
• Session Management: NO
• Encryption: NO

This is exactly the same as Basic-Http-Auth with the addition of some simple MD5 digesting. This digesting should not be relied upon instead of using encryption.

• This is not session management.
• This is not encryption; the digest is easily broken
• This does not secure the contents of the application's HTTP request/responses.

OAuth

• Authentication: YES
• Session Management: NO
• Encryption: NO

OAuth just lets you have an external service validate credentials. After that it is up to you to manage/work with the result of authentication request to your OAuth provider.

• This is not session management.
• This is not encryption; your sites traffic is still plain text. The authentication process will be secure due to HTTPS restrictions, but your application is still vulnerable.
• This does not secure the contents of the application's HTTP request/responses.

Gangster Handshake / Custom HTTP header

• Authentication: YES, potentially
• Session Management: YES, potentially
• Encryption: NO

"Custom HTTP header" is a type of "Gangster Handshakes"; as such I will use the same section to discuss them. The only difference is that a "Custom HTTP header" is specifying where the hanshake (session id, token, user authentication toke, etc) will be stored (i.e. in a HTTP header).

It is important to note that these do not specify how authentication will be handled, nor do they specify how session management will be handled. They essentially describe how and where session ids/authentication tokens will be stored.

Authentication would need to be handled by your application or via a third party (e.g. OAuth). Session management will still need to be implemented as well. The interesting thing is you can choose the merge the two if you wish.

• This is not encryption; your sites traffic is still plain text. The authentication process will be secure due to HTTPS restrictions if you use OAuth, but your application is still vulnerable.
• This does not secure the contents of the application's HTTP request/responses.

What You Need To Do

...I highly suggest you make sure that you understand that a robust web application that is secure needs the following:

1. Encryption (HTTPS is pretty much your only choice)
2. Session Management
3. Authentication / Authorization

Authorization relies upon Authentication. Authentication relies upon Session Management and Encryption makes sure the session isn't hijacked and that the credentials are not intercepted.

Flask-Login

I think you should look into flask-login as a way to avoid re-implementing the wheel. I have personally never used it (I use pyramid for web applications in python). However, I have seen it mentioned before in web application/python boards. It handles both authentication and session management. Throw your web api/application through HTTPS and you have all three (Encryption, Session Management, and User Authentication).

If you do not / can not use flask-login, be prepared to write your own, but do research first on how to create secure authentication mechanisms.

If at all possible, if you do not understand how to write an authentication procedure please do not attempt it without first learning how hackers use pattern based attacks, timing attacks, etc.

Please Encrypt Your Traffic

...move past the idea that you can avoid using HTTPS with some "clever" token use. Move past the idea that you should avoid using HTTPS/encryption because "its slow", process intensive, etc. It is process intensive because it is an encryption algorithm. The need to ensure the safety of your user's data and your applications data should always be your highest priority. You do not want to go through the horror of notifying your users that their data was compromised.

这篇关于担保的RESTful API，可以使用Web应用程序（角），iOS和Android的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！