How to post form to my server and then to API, instead of posting directly (for security reasons)?


Problem description

There is an integration with an API for conducting live online classes. The API wanted us to post a form to their site along with a parameter called customer_token as an input field. It is used for authentication by the API, and every customer site is assigned one token. The customer token is actually some hashed value of the domain name or IP or something.

Now, after the integration, they want me to hide the customer_token input field somehow from being accessible through Mozilla's Firebug and similar tools, because anybody can see the token, send a similar form to the API and access the API's service. Needless to say, the API is not developed by experts. They did not realize the issue before, and it is not a widely used API.

I asked a question previously, Best way to hide a form input field from being accessed using Firebug?, and realised that it is not possible to hide any information sent through a GET/POST method. Someone asked me whether the request is being sent directly to the API, or first to my server or something?

Please explain how this fixes the security issue and how I should implement it.

Thanks, Sandipan

Answer

You could POST to your server, which, in a script, POSTs all the parameters to the API's form action, but with the customer_token added server-side in your script, where clients can't see it.

So, your original form is:

<form action="http://someapi.com/blah" method="POST">
    <input type="hidden" name="customer_token" value="foo">
    <input type="text" name="whatever">
    ...
</form>

and use:

<form action="myapiblah.php" method="POST">
    <input type="text" name="whatever">
    ...
</form>

Note that there's no customer_token in the second example. Then, in myapiblah.php (change the name, obviously, especially depending on the server-side language you're using; I might be able to provide more specific examples if you tell me what you use), use something like this pseudo-code:

parameters = $_POST;
parameters['customer_token'] = 'foo';
send_http_request('POST', 'http://someapi.com/blah', parameters);

You'll need to look up the details of what to use for send_http_request.

In PHP, you'd do something like this, if you can use the pecl_http stuff in PECL:

<?php
// Copy the browser's fields; any customer_token a client tried to submit
// is overwritten by the real one below, which lives only on the server.
$params = $_POST;
$params['customer_token'] = 'foo';

$req = new HttpRequest('http://someapi.com/blah', HttpRequest::METH_POST);
// Send the fields in the POST body. addQueryData() would put them (token
// included) in the URL query string, where they end up in access logs.
$req->addPostFields($params);
try {
    $req->send();
    if ($req->getResponseCode() == 200) {
        // success!
    }
    else {
        // got to the API, the API returned perhaps a RESTful response code like 404
    }
}
catch (HttpException $ex) {
    // couldn't get to the API (probably)
}
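The same relay in Python, as an added example that is not part of the original answer. It makes explicit the two things the answer's pseudo-code glosses over: only allow-listed form fields are forwarded (so the relay is not a blind proxy to the API), and the token is read from configuration rather than hard-coded. The API URL is the one from the answer's form; ALLOWED_FIELDS, the CUSTOMER_TOKEN environment variable, the RelayError class and the `opener` parameter (a hook so the flow can be exercised offline with a stub) are assumptions, not from the page.

```python
"""Relay a browser form POST to a third-party API, adding the secret
customer_token server-side so it never appears in the HTML, in Firebug,
or in any response sent back to the browser.

Added example; not part of the original answer. Assumptions (not from the
page): ALLOWED_FIELDS, the CUSTOMER_TOKEN env var, RelayError, and the
`opener` hook used so the example runs offline.
"""
import os
import urllib.error
import urllib.parse
import urllib.request

API_URL = "http://someapi.com/blah"       # the API form action from the answer
ALLOWED_FIELDS = frozenset({"whatever"})   # assumption: the form's public fields


class RelayError(Exception):
    """Raised when the upstream API could not be reached at all."""


def load_token() -> str:
    """Read the token from the environment instead of hard-coding 'foo'."""
    token = os.environ.get("CUSTOMER_TOKEN")   # assumed variable name
    if not token:
        raise RuntimeError("CUSTOMER_TOKEN is not configured")
    return token


def parse_form_body(raw: bytes) -> dict:
    """Decode an application/x-www-form-urlencoded body (last value wins)."""
    return dict(urllib.parse.parse_qsl(raw.decode(), keep_blank_values=True))


def build_upstream_fields(client_fields: dict, token: str) -> dict:
    """Build the field set that goes to the API.

    Only allow-listed fields are copied from the browser, and any
    client-supplied customer_token is dropped before the real one is set,
    so the browser can neither read the token nor choose it.
    """
    forwarded = {k: v for k, v in client_fields.items() if k in ALLOWED_FIELDS}
    forwarded["customer_token"] = token
    return forwarded


def relay(client_fields: dict, token: str, opener=urllib.request.urlopen) -> int:
    """POST the rebuilt form to the API and return the HTTP status code.

    `opener` defaults to urllib's real opener; a test can pass a stub.
    The token travels in the POST body, not the query string, so it does
    not end up in URL access logs.
    """
    body = urllib.parse.urlencode(build_upstream_fields(client_fields, token)).encode()
    req = urllib.request.Request(
        API_URL,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with opener(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        # reached the API; it answered with an error such as 404
        return e.code
    except (urllib.error.URLError, OSError) as e:
        raise RelayError(f"could not reach {API_URL}: {e}") from e


if __name__ == "__main__":
    # Constructed request body, as a browser would send it to the relay;
    # note the client's attempt to supply its own customer_token.
    constructed = b"whatever=hello&customer_token=attacker-guess&debug=1"
    fields = build_upstream_fields(parse_form_body(constructed), "real-token")
    print(fields)   # {'whatever': 'hello', 'customer_token': 'real-token'}
```

This hides the token from the browser, which is what the question asked for, but it does not by itself stop abuse: anyone who can reach the relay can still drive the API through it with your token. The relay is where you add your own checks (a logged-in session or CSRF token on the form, rate limiting), and the API's response should be filtered before anything from it is echoed back to the client.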
