有没有安全的方法来管理API密钥? [英] Is there a safe way to manage API keys?

问题描述

我在我的应用程序中使用了 API .我目前正在通过Java接口管理API密钥

I am using an API within my app. I currently manage the API key from a java interface

public interface APIContract {
    //The API KEY MUST NOT BE PUBLISH. It is possible to generate a new one for free from www.themoviedb.org
    //Remove before commit !!!
    String API_KEY = "abcdefghijklmnopqrstuvwxyz";
    /...
}

完成这项工作.我可以使用APIContract.API_KEY访问密钥，但是正如您在注释中看到的那样，如果我使用git和公共存储库(我不打算发布此密钥)，这是不安全的.

This do the job. I can access the key using APIContract.API_KEY, but as you can see in the comment this is not safe if I use git and a public repository (I am not suppose to publish this key).

所以这是我的问题:是否可以将密钥移到可以从我的应用程序轻松访问但不会提交的其他位置?

So here is my question : is it possible to move this key in another place which I can easily access from my app but which will not be committed ?

我发现了这个线程使用gradle来存储密钥，但是我需要提交build.gradle文件，以便它不能完成任务.

I found this thread which use gradle to store the key, but I need to commit the build.gradle file so it does not do the job.

有人知道如何解决这个问题吗?我没有在stackoverflow中找到类似的问题，但也许我错过了一些事情

Does someone know how to solve this problem ? I did not find similar problem in stackoverflow but maybe I missed something

编辑 我喜欢将密钥移到任何Java代码之外的想法，因为其他人(可能是非技术人员)可以轻松地管理自己的密钥.我当时正在考虑使用settings.gradle这样的gradle文件.

EDIT I love the idea of moving the key outside any java code because other people (maybe non technical people) can easily manage their own key. I was thinking about using a gradle file like settings.gradle.

推荐答案

这里是另一种方式:

将API密钥放置在构建机器/服务器可访问的文件中，我们将其称为:

Place the API key in a file accessible to the build machine/server, we'll call it:

/usr/api_user/api_key1

带有内容:

myApiKey = abcdefghijklmnopqrstuvwxyz

您现在将使用"BuildConfig" gradle对象访问它.修改您的代码为此:

You will now access it using the `BuildConfig' gradle object. Modify your code to this:

public interface APIContract {
    //The API KEY MUST NOT BE PUBLISH. It is possible to generate a new one for free from www.themoviedb.org
    //Remove before commit !!!
    String API_KEY = BuildConfig.MY_API_KEY;
    /...
}

然后在build.gradle中，添加如下内容:

Then in your build.gradle, add something like this:

buildConfigField "String", "MY_API_KEY", getMyApiKey("myApiKey")

并添加以下内容:

//return a MY API KEY from a properties file.
def getMyApiKey(String property){
    Properties properties = new Properties()
    properties.load(new FileInputStream("/usr/api_user/api_key1"))
    return "\"" + properties.getProperty(property) +"\""
}

如您所知，您可以重新定位API目录位置，以使其不属于您的存储库.当然，然后它将具有用于构建的文件系统依赖性...您可以在CI/CD环境(可能是诸如Jenkins之类的工具)中设置列表，以将构建文件复制到私有存储库中，以进行备份.

You can relocate the API directory location, as you can tell, so that it is not a part of your repo. Of course, then it will have file system dependencies for the build... which you could have a list setup in a CI/CD environment (maybe a tool like Jenkins) to replicate the build files to a private repo, for backup purposes.

这篇关于有没有安全的方法来管理API密钥?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！