How to handle sensitive properties in a RESTful API (such as passwords, credit cards, etc)


Question


Working on a REST framework that will support multiple hypermedia types and authentication. One thing I'm not really sure how to handle is sensitive values in the resources. For instance, if I were to include user management in the API, I would need a way to expose to the client that there was a field for the password, but not show the actual password hash. Same thing with a credit card. If I don't, it would violate the hypermedia constraint as knowledge of the fields would become out of band, and make my HATEOAS broken.


Here's an actual use case that I've encountered:


The project is a directory of people that showcases them so others can hire them. There are two types of users: those with profiles, and those without. The design around the resources would be /users/{userid} for a user and /users/{userid}/profile or /profile/{profileid} which would include a link back to the user so the client could get things like the user's name, etc. Also, the user would be able to store a credit card at /users/{userid}/creditcards/{creditcardid}.


To display a user's profile, you would also need the user resource to have access to the names and whatnot. What we don't want is to expose the user's password on the user resource, or the credit card links. I think I can just hide the credit card links without any issues, but I'm not sure about the password field. Should I just expose it for the authorized user, but not on the other user models? I should mention that only GET is allowed on users unless authenticated and authorized.


One weird edge-case that would emphasize this would be an object you have partial access to change. Say you were a low level admin who had access to change the user's name and address, but not password. Since you don't have access, you can't expose the password field. How can I do a PUT to a resource that I don't have all the fields to? Should I just use PATCH in those cases?


TL;DR: How do I properly hide/expose fields in a REST API and also follow the hypermedia constraints?

Answer


First, always use SSL when there is sensitive information. If you use SSL, your request will be encrypted. Even the URLs are encrypted over the network. However, there are lots of other places where those same URLs may be logged in clear text (e.g. proxy servers, load balancers, DNS servers), so it's important not to put any sensitive information in the URL.


So what does that mean for your REST API? Well, first of all, don't use sensitive information in IDs. Your credit card number may be unique, but don't use that as the identifier of the card.


Also, never return a password when getting a resource. You should be filtering this type of information out at the server. You can accept it in a request body but it should never be sent back in a response body.


To your other weird edge case, PATCH is not yet a standard. Until it becomes one, I've seen a lot of people using POST to do partial resource updates. POST does not have to be idempotent, so it actually makes a lot of sense. So, POST is partial update and PUT is create or replace at a given ID. Sound good?


If you haven't watched Les Hazlewood's talk on HATEOAS yet, I would suggest you do so. It gives a pretty good overview of the best practices.

http://www.youtube.com/watch?v=mZ8_QgJ5mbs
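The following is an added example, not code from the question or the answer above, showing one way to implement the answer's three points (opaque identifiers instead of card numbers, the password accepted in a request body but filtered out of every response, partial updates handled as a separate operation from a full PUT). It also covers the question's low-level-admin edge case and advertises writable fields in the representation so the client learns that a password field exists without seeing its value. All names (`User`, `CreditCard`, `represent_user`, `partial_update`, the role constants), the role-to-field table and the sample data are assumptions made for the illustration; the example is stdlib-only Python and does not model any particular framework.

```python
# Added example (not from the original question or answer): stdlib-only sketch of
# filtering sensitive fields out of REST representations. All names, the role table
# and the sample data below are assumptions made for illustration.
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

OWNER, LIMITED_ADMIN, ANONYMOUS = "owner", "limited-admin", "anonymous"

# Fields each viewer role may change through a partial update (the answer suggests
# POST for this; PATCH works the same way). Nobody may write "password_hash".
WRITABLE = {
    OWNER: {"name", "address", "password"},
    LIMITED_ADMIN: {"name", "address"},   # the "low level admin" edge case
    ANONYMOUS: set(),
}


@dataclass
class CreditCard:
    card_id: str   # opaque random id used in the URL, never the card number
    brand: str
    last4: str     # only a display suffix is kept in this example


@dataclass
class User:
    user_id: str
    name: str
    address: str
    password_hash: str   # stored hashed; must never leave the server
    cards: list = field(default_factory=list)


def hash_password(password: str) -> str:
    """Salted PBKDF2 so the stored value is a hash, not the password itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def add_card(user: User, card_number: str, brand: str) -> CreditCard:
    """Register a card under an opaque id; the full number is not stored here."""
    card = CreditCard(card_id=secrets.token_urlsafe(16), brand=brand,
                      last4=card_number[-4:])
    user.cards.append(card)
    return card


def represent_user(user: User, role: str) -> dict:
    """Build the /users/{userid} representation for the given viewer role."""
    body = {
        "id": user.user_id,
        "name": user.name,
        "links": {"self": f"/users/{user.user_id}",
                  "profile": f"/users/{user.user_id}/profile"},
        # Hypermedia: advertise which fields this viewer may write, so the client
        # learns that "password" exists without ever receiving its value.
        "fields": {name: {"writable": True} for name in sorted(WRITABLE[role])},
    }
    if "password" in body["fields"]:
        body["fields"]["password"]["write_only"] = True
    if role in (OWNER, LIMITED_ADMIN):
        body["address"] = user.address
    if role == OWNER:   # credit card links are shown only to the account owner
        body["links"]["creditcards"] = [
            f"/users/{user.user_id}/creditcards/{c.card_id}" for c in user.cards]
    return body


def represent_card(user: User, card: CreditCard) -> dict:
    return {"id": card.card_id, "brand": card.brand, "last4": card.last4,
            "links": {"self": f"/users/{user.user_id}/creditcards/{card.card_id}",
                      "user": f"/users/{user.user_id}"}}


def partial_update(user: User, role: str, patch: dict) -> tuple:
    """Apply a partial update, rejecting it wholesale if any field is not writable."""
    forbidden = set(patch) - WRITABLE[role]
    if forbidden:
        return 403, {"error": "field not writable for this viewer",
                     "fields": sorted(forbidden)}
    for name, value in patch.items():
        if name == "password":
            user.password_hash = hash_password(value)   # accepted in, never sent back
        else:
            setattr(user, name, value)
    return 200, represent_user(user, role)


def leaks(representation: dict, *secret_values: str) -> bool:
    """True if any of the given secret values appears in the serialized response."""
    text = json.dumps(representation)
    return any(s in text for s in secret_values)


def sample_user() -> User:
    # Constructed sample data for the example, not real credentials or a real card.
    user = User(user_id="u-42", name="Ada", address="1 Example Way",
                password_hash=hash_password("correct horse battery staple"))
    add_card(user, "4111111111111111", "visa")
    return user


if __name__ == "__main__":
    u = sample_user()
    print(json.dumps(represent_user(u, ANONYMOUS), indent=2))
    print(partial_update(u, LIMITED_ADMIN, {"name": "Ada L.", "password": "x"}))
```

The `leaks` helper is the check a practitioner would keep in the test suite: serialize every representation the API can emit and assert that the stored hash and any card number never appear in it, regardless of which role requested it. Rejecting a partial update as a whole when it touches a field the caller may not write keeps the operation atomic, which is what makes POST (or PATCH) a safe substitute for a PUT the caller cannot fully populate.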
