隐藏用户的AuthToken [英] Hiding the AuthToken from the user

问题描述

我注意到当使用Speak时（使用Ajax.svc），wav / mp3的结果Uri包含AuthToken。这意味着用户可以在大约10分钟内使用我的AuthToken进行他们想要的任何TTS。我不喜欢那样。有没有办法获得没有在Uri中嵌入AuthToken的
wav / mp3流的链接？

I noticed that when Speak is used (using Ajax.svc), the resulting Uri for the wav/mp3 contains the AuthToken. That means the user can, for about 10 minutes, do any TTS they want with my AuthToken. I don't like that. Is there any way to get a link to the wav/mp3 stream that doesn't have the AuthToken embedded in the Uri?

基本上结果是

http：\ / \ / api.microsofttranslator.com \ / V2 \ / http.svc \ / Speak？appId = Bearer + mykindasecrettoken& text = tofu + is + tasty + to + eat& language = en& format = audio％2fwav& options = MaxQuality"

http:\/\/api.microsofttranslator.com\/V2\/http.svc\/Speak?appId=Bearer+mykindasecrettoken&text=tofu+is+tasty+to+eat&language=en&format=audio%2fwav&options=MaxQuality"

通过更改文本，他们可以进行hogwild 10分钟。他们也可以用它来翻译任意数量的经典文本。

By just changing the text they can go hogwild for 10 minutes. They can also use it to translate any number of classical texts at my expense.

推荐答案

您好Tofutim，

Hi Tofutim,

您可以在http标头中设置AuthToken 。使重用稍微困难。

you may set the AuthToken in the http header. Makes it slightly harder to reuse.

只要您在客户端进行转换程序请求，您将在客户端上以一种形式或另一种形式获得令牌。您唯一的保护是损坏限制为10分钟。

As long as you are making Translator requests client-side, you will have the token on the client, in one form or the other. Your only protection is that the damage is limited to 10 minutes.

您希望在递交令牌之前验证从您的服务器请求令牌的客户端是您的目标客户端，以便您知道客户确实在使用您的产品。

You want to verify that the client requesting the token from your server is your intended client before handing it a token, so that you know that the customer is indeed using your product.

当然，您可以提示，只需将译者回复的结果传递给客户。使用令牌机制，我们希望为您提供一种方法，使您不会让服务器成为所有内容的瓶颈，同时仍然可以安全地保护您的凭据。这与您在客户端上嵌入您的帐户凭据（客户端ID和密码）相反，而您不应该这样做。

Of course you could, as you hint, just hand the results of the Translator response to the client. With the token mechanism we wanted to give you a method that allows you to not have your server be the bottleneck for everything, while still being reasonably safe in protecting your credentials. That is as opposed to embedding your account credentials (client ID and secret) on the client, which you aren't doing, and should never do.

希望这会有所帮助，

Chris Wendt

Microsoft Translator

Hope this helps,
Chris Wendt
Microsoft Translator

这篇关于隐藏用户的AuthToken的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！