How to submit scores securely from an app that uses only Facebook login?

Views: 119
Question

Our Android app only has Facebook login.

Here's what happens on the server:

When a POST request is sent with the Facebook user access token in the body, a user is created.

Whenever a user gets created via a POST request, an API token is generated and sent as a response as follows:

{"message":"User Successfully Created","api_token":"ACITyBKf0jKrfqOFumTMcaEEJ8jU151crRdESMPmBj8zbeENslULHfNXlKeo"}

I did this because the API token that is generated on the server is stored in the Android app's local storage and is needed to make other requests.

Now, if the user already exists on the server, the response would be:

{"message":"User Already Exists!!","api_token":"ACITyBKf0jKrfqOFumTMcaEEJ8jU151crRdESMPmBj8zbeENslULHfNXlKeo"}

This is in case the user deletes the app and installs it again.

Now, to submit a score, a PATCH request is to be sent with:

Headers:

Content-Type:application/x-www-form-urlencoded
api_token:ACITyBKf0jKrfqOFumTMcaEEJ8jU151crRdESMPmBj8zbeENslULHfNXlKeo
fb_id:xxxxxxxxxx

Body:

distance:2
golds:19
xp:23

(Note: I tested the above request using Postman.)

Now, the problem is that I have found a vulnerability.

A person can find out their Facebook user access token and their Facebook ID anytime. So, if they make a POST request with that user access token, they will receive the api_token (in the "User Already Exists!!" response). And once they have the api_token and fb_id, they can make a PATCH request to modify their scores to whatever they want.

What am I doing wrong? How can I secure my server from being hacked like this?

Please help me. I am a beginner in API design.

Thanks

Recommended answer

If their API token is available to them in the app at all, that's probably a bad thing. If it's not available to them in the app, say they're just forging in-app POST requests and retrieving the raw data, then they're probably trying to hack or pentest the system.

If that's the case, maybe sending the unencrypted API key via POST in the first place is a bad idea. If their API key is all they need to start doing bad things to your system, why ever give it to them in the first place?

Because your app needs it to remember them. What about something like this:

1. New user: the server md5 hashes their API key and sends it to them to be stored.
2. Existing user: the server md5 hashes their API key and sends it to them to be stored (if needed).
3. Official existing score change occurs: the app re-md5 hashes the already hashed API key and sends that with the PATCH request.
4. The server has a database with doubly hashed API keys, in which it finds yours and identifies you as the user, and things go on normally from there.
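The token flow described in the question and the double-hash scheme from the answer, simulated together in Python. This is an added example, not code from the original post or from either participant. It assumes an in-memory dictionary in place of the server database, a constructed lookup table in place of the Facebook token verification call, a hypothetical MAX_DELTA ceiling per field (the page states no limits), and that the PATCH body values are increments rather than absolute scores; the function names register, client_patch_token and submit_score are also mine. It shows the two server-side checks that actually limit the forged PATCH the question describes: the user is identified from the token and the fb_id header is only checked against it, and the submitted numbers are bounded before they are applied.

```python
import hashlib
import secrets

# Constructed in-memory stores standing in for the server database (assumption).
USERS = {}        # fb_id -> {"token_h1": md5(api_token), "distance": .., "golds": .., "xp": ..}
TOKEN_INDEX = {}  # md5(md5(api_token)) -> fb_id: the "doubly hashed" lookup key from the answer

# Constructed stand-in for asking Facebook which user an access token belongs to.
# A real server verifies the token with the Graph API; it never trusts a
# client-supplied fb_id on its own.
FB_TOKENS = {"fb-access-token-alice": "1000001", "fb-access-token-bob": "1000002"}

SCORE_FIELDS = ("distance", "golds", "xp")
# Hypothetical per-request ceilings: the largest increase one legitimate play
# session could produce for each field. Values are made up for this example.
MAX_DELTA = {"distance": 500, "golds": 100, "xp": 200}


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def register(fb_access_token):
    """The question's POST handler with the answer's scheme applied: the raw
    api_token stays on the server and the app receives md5(api_token)."""
    fb_id = FB_TOKENS.get(fb_access_token)
    if fb_id is None:
        return 401, {"message": "Invalid Facebook access token"}
    user = USERS.get(fb_id)
    if user is not None:
        return 200, {"message": "User Already Exists!!", "api_token": user["token_h1"]}
    raw_token = secrets.token_urlsafe(45)   # 60 random characters, like the page's token
    h1 = md5_hex(raw_token)
    USERS[fb_id] = {"token_h1": h1, "distance": 0, "golds": 0, "xp": 0}
    TOKEN_INDEX[md5_hex(h1)] = fb_id        # server keeps the double hash for lookup
    return 201, {"message": "User Successfully Created", "api_token": h1}


def client_patch_token(stored_token):
    """What the app does before a PATCH: re-hash the value it stored."""
    return md5_hex(stored_token)


def parse_increment(field, value):
    """Accept only a non-negative integer string within the field's ceiling."""
    if not isinstance(value, str) or not value.isdecimal():
        return None
    n = int(value)
    return n if n <= MAX_DELTA[field] else None


def submit_score(headers, body):
    """The question's PATCH handler. Identity is derived from the token; the
    fb_id header must agree with it and is never used to pick the user."""
    fb_id = TOKEN_INDEX.get(headers.get("api_token", ""))
    if fb_id is None:
        return 401, {"message": "Unknown api_token"}
    if headers.get("fb_id") != fb_id:
        return 403, {"message": "fb_id does not belong to this api_token"}
    increments = {}
    for field in SCORE_FIELDS:
        n = parse_increment(field, body.get(field))
        if n is None:
            return 422, {"message": f"Implausible or missing value for {field}"}
        increments[field] = n
    user = USERS[fb_id]
    for field, n in increments.items():
        user[field] += n
    return 200, {"message": "Score updated", **{f: user[f] for f in SCORE_FIELDS}}


if __name__ == "__main__":
    status, resp = register("fb-access-token-alice")
    app_token = resp["api_token"]          # what the app keeps in local storage
    headers = {"api_token": client_patch_token(app_token), "fb_id": "1000001"}
    print(submit_score(headers, {"distance": "2", "golds": "19", "xp": "23"}))
    # The request from the question: a valid token, an absurd number.
    print(submit_score(headers, {"distance": "2", "golds": "999999", "xp": "23"}))
```

Whatever transformation the token goes through, the value the app holds can be read out of local storage and replayed, so the hashing changes which string the app stores but not who can send a PATCH. The check that refuses the oversized request is the bounds check in submit_score; in a real game that check should be as tight as the server's own knowledge of a session allows, and the scores should be computed on the server where that is feasible.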
