Open REST API attached to a database - what stops a bad actor spamming my db?


Question

I'm a client side developer with little experience of server side, and I'm struggling to understand how to make a database-backed website without requiring users to login.

The usecase is fairly straightforward. The user lands on a website, uploads an image, and performs some processing to that image. Clicking 'share' POSTs JSON to my endpoint, stores it in a DB, and returns a unique URL in a textbox (eg, https://example.com/art/12345) which allows the user to share their artwork with others, or just to come back and do more editing later on.

What stops somebody from doing, POST <data> https://example.com/art 100 million times and filling my pay-as-you-go database?

I've seen examples of this link based method of sharing between users on plenty of sites but I don't understand how to stop abuse, or whether it is safe to just open up an API which allows writes to a database. I do not want users to have to login.

Answer

I believe the simplest method is having a quota, either by username for logged in users or by IP, if you don't require logins or only want to allow free usage to a certain point. Perhaps you could have a smaller quota for non-logged in users than for logged in users and even larger for paying users.

Your server side code that handles the POSTs and storing data into the database would have to take care of that. I'd add it to a user_data table on mine, making an additional column that tracks total space used. makes a todo

Then, when the user adds new data, increase the total space used. When they delete old data (I have versioned web pages so that eventually, the user will be able to rollback to previous versions) then the space used decreases. Having another page to look at to see where they're using space makes deciding what to delete to stay under a quota of X MB's/GB's/TB's/etc easier or maybe just an /api/delete_old_pages or notes or comments or all of the above.
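The quota scheme the answer sketches (a per-owner "space used" counter in a user_data table, bumped on every POST, decremented on delete, writes refused once the quota would be exceeded) can be shown end to end in a few dozen lines. The following is an added example, not code from the question or the answer: it uses an in-memory SQLite database as a stand-in for the pay-as-you-go database, and the table layout, the `user_data.space_used`/`quota` columns, the two quota sizes and the `ip:<addr>` owner key for anonymous visitors are all assumptions made for the example. The one design point worth noticing is that the check and the increment happen in a single conditional UPDATE, so two concurrent POSTs from the same client cannot both slip under the limit.

```python
import sqlite3
import uuid

# Assumed quota sizes for the example: a small allowance per IP for visitors who
# are not logged in, a larger one per username for logged-in users.
QUOTA_BYTES_ANON = 64 * 1024
QUOTA_BYTES_USER = 1024 * 1024


class QuotaExceeded(Exception):
    """Raised when a write would push the owner's space_used past its quota."""


def open_db():
    # Constructed schema standing in for the real database (an assumption).
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user_data (
            owner      TEXT PRIMARY KEY,          -- username, or 'ip:<addr>' for anonymous
            space_used INTEGER NOT NULL DEFAULT 0, -- running total of stored bytes
            quota      INTEGER NOT NULL
        );
        CREATE TABLE art (
            id      TEXT PRIMARY KEY,
            owner   TEXT NOT NULL REFERENCES user_data(owner),
            payload BLOB NOT NULL,
            size    INTEGER NOT NULL
        );
    """)
    return conn


def owner_key(username, client_ip):
    # Logged-in users are tracked by name, everyone else by source IP.
    return username if username else f"ip:{client_ip}"


def store_art(conn, payload: bytes, client_ip: str, username=None):
    """Handle one POST /art: reserve quota, then store; returns the new id."""
    owner = owner_key(username, client_ip)
    quota = QUOTA_BYTES_USER if username else QUOTA_BYTES_ANON
    size = len(payload)
    with conn:  # one transaction: commits on success, rolls back on exception
        conn.execute(
            "INSERT OR IGNORE INTO user_data(owner, space_used, quota) VALUES (?, 0, ?)",
            (owner, quota))
        # Check-and-increment in a single statement: the row is only updated
        # when the new total still fits, so concurrent requests cannot race
        # past the limit between a separate SELECT and UPDATE.
        cur = conn.execute(
            "UPDATE user_data SET space_used = space_used + ? "
            "WHERE owner = ? AND space_used + ? <= quota",
            (size, owner, size))
        if cur.rowcount == 0:
            raise QuotaExceeded(owner)
        art_id = uuid.uuid4().hex
        conn.execute(
            "INSERT INTO art(id, owner, payload, size) VALUES (?, ?, ?, ?)",
            (art_id, owner, payload, size))
    return art_id


def delete_art(conn, art_id, client_ip, username=None):
    """Delete an item the caller owns and give the space back; False if not theirs."""
    owner = owner_key(username, client_ip)
    with conn:
        row = conn.execute(
            "SELECT size FROM art WHERE id = ? AND owner = ?", (art_id, owner)).fetchone()
        if row is None:
            return False
        conn.execute("DELETE FROM art WHERE id = ?", (art_id,))
        conn.execute(
            "UPDATE user_data SET space_used = space_used - ? WHERE owner = ?",
            (row[0], owner))
    return True


def space_used(conn, client_ip, username=None):
    row = conn.execute(
        "SELECT space_used FROM user_data WHERE owner = ?",
        (owner_key(username, client_ip),)).fetchone()
    return row[0] if row else 0


def simulate_spam(conn, client_ip, attempts, payload_size):
    """Replay the question's scenario: one anonymous client POSTing repeatedly."""
    accepted = rejected = 0
    for _ in range(attempts):
        try:
            store_art(conn, b"x" * payload_size, client_ip)
            accepted += 1
        except QuotaExceeded:
            rejected += 1
    return accepted, rejected


if __name__ == "__main__":
    db = open_db()
    # Constructed sample: 10 POSTs of 10 KiB each from one (documentation-range) IP.
    print(simulate_spam(db, "203.0.113.7", 10, 10240))
```

With a 64 KiB anonymous quota and 10 KiB uploads, the seventh POST from the same address is the first one refused, and every later one is refused too, so the table stops growing no matter how many requests arrive. Per-IP accounting is only as good as the IP: clients behind a shared NAT share one allowance, and an attacker with many addresses gets many allowances, which is why the answer suggests larger quotas only for logged-in or paying users.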
