如何从AngularJS网站安全地连接到Web API [英] How to securely connect to a web api from a AngularJS site

问题描述

在Web开发方面相对较新，至少使用诸如AngularJS框架之类的客户端技术，我需要先解决一些查询，然后才能开始我的最新项目.

Being relatively new to web development, at least using client side technologies such as the AngularJS framework, I need to resolve a few queries before I can start my latest project.

我正在使用AngularJS编写一个应用程序，该程序读取/写入/更新数据库中的数据.在使用javascript作为客户端的情况下，我选择编写一个PHP REST API来进行数据库查询，从而获得安全的用户名和密码以及一个数据库层.

I am writing an application using the AngularJS which reads/writes/updates data in a database. With javascript being client side I have chosen to write a PHP REST API to do the database queries, resulting in a secure username and password and a single database layer.

我的问题是，鉴于我的REST API，我将使用javascript(客户端)中的AJAX来调用方法.如何停止其他站点编写脚本来调用REST API?将身份验证令牌放在javascript代码中并不是很安全，有人可以将其复制.

My question is, given my REST API, I will be using AJAX from javascript (which is client side) to invoke methods. How do I stop other sites from writing a script to invoke the REST API as well? Putting an authentication token in the javascript code isn't very secure, someone can just copy it.

REST API是否是解决此问题的最佳方法?我不反对学习新技术或实践，因此，请大家对更好的设计模式或实施方法的任何想法表示赞赏.不幸的是，由于我在该领域的知识有限，因此我在 Google搜索上没有取得丰硕的成果，因为我对应该使用的搜索术语不确定.

Is a REST API the best approach for this problem? I am not adverse to learning new technologies or practices so please, any thoughts on better design patterns or methods of implementation are greatly appreciated. Unfortunately, due to my limited domain knowledge in this area, I have been unfruitful in my Google Searches as I'm not confident of the terms under which I should be searching.

非常感谢.

推荐答案

由于Angular应用程序位于浏览器中，因此需要从任何随机访问者的浏览器公开访问REST API.因此，您不必使用公共API.您不能限制它；访客可以看到数据，或者他们看不到.

Since your Angular application is living in the browser, your REST API will need to be publicly accessible from any random visitor's browser. You thereby have a public API, out of necessity. You can't restrict it; either visitors can see the data or they can't.

从本质上讲，这与传统网页没有太大区别.在服务器端生成的页面中，您输出打包为HTML的数据并将其传递给任何要求的人.在REST-API/Angular应用中，您可以将打包为JSON的数据交付给任何要求的人.无论哪种方式，数据都是同等公开的，尽管REST API可能比抓取HTML更容易滥用".如果要避免某人直截了当地吸干您的所有数据库，则考虑采用一些用户行为跟踪和限制措施可能会很有用；这与常规网页一样，同样适用于基于JSON的REST API.

Essentially this is not significantly different from a traditional webpage though. In a server-side generated page, you output your data packaged as HTML and deliver it to anyone who asks. In a REST-API/Angular app, you deliver the data packaged as JSON to anyone who asks. Either way the data is equally public, though maybe the REST API is a little easier to "abuse" than scraping the HTML would be. It may be useful to deliberate employing some user behaviour tracking and throttling, if you want to avoid someone outright sucking all of your database dry; this applies equally to JSON based REST APIs as it does to regular web pages.

如果您还以这种方式公开 read/ write API，则当然很容易受到滥用.

If you're also exposing read/write APIs this way, you're of course wide open to abuse.

使API不公开的唯一方法是要求密码认证.如果必须登录您站点的用户，则可以将API限制为具有有效会话的任何人.如果有人可以在您的站点上简单地注册一个帐户，这对事情的授予方案没有多大帮助，但是与完全开放的API相比，它需要更多的审议工作并提供更多的可管理性.

The only way to make an API non-public is to require password authentication. If the users of your site must be logged in, then you can restrict the API to anyone with a valid session. This doesn't help much in the grant scheme of things if anyone can simply register an account on your site, but it needs more deliberation and provides slightly more manageability than a completely open API.

仅管理员专用的API当然必须以这种方式进行保护，要求只有您具有凭据的帐户.

Admin-only APIs of course must be protected in this way, requiring an account which only you have the credentials to.

这篇关于如何从AngularJS网站安全地连接到Web API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！