在Ionic4/Angular项目中安全存储API密钥的位置 [英] Where to securely store API keys in Ionic4/Angular project

问题描述

我觉得我在这里问的是错误类型的问题，因为30秒之内无法谷歌搜索.请让我知道.

I get the feeling I'm asking the wrong type of question here as it was not googleable within 30 seconds. Please let me know.

无论如何，我的environment.ts和environment.prod.ts都设置了用于后端和第三方服务的url和api键.但是我已经读到，将API密钥保存在那是不安全的做法.我应该把它们放在哪里?如果确实在其他地方，最简单的方法是什么?

Anyway, I have my environment.ts and environment.prod.ts all set up with urls and api keys to backend and third party services. But I've read that it's not safe practice to keep API keys there. Where should I be putting them? If it's indeed somewhere else, what's the simplest way to do it?

推荐答案

如果我正确理解了您的问题，那么您正在此处查看两个潜在的关键滥用点:

If I understand your question correctly, you're looking at two potential key misuse points here:

1. 开发人员在开发应用程序时可能会意外使用生产密钥-通过将密钥存储在CI管道中(假设您已经拥有一个密钥)并将其将正确的秘密注入正确的环境配置中，这很容易解决. .一些有趣的工具:章鱼， Hashicorp保管箱.这样，开发人员将仅在其代码库中拥有开发密钥.请记住-如果您使用的是版本控制系统-仅删除生产代码并添加新的提交是不够的-有工具，可让您在提交历史记录中查找意外泄露的机密，因此您必须更改密钥

1. Developers can accidentally use production keys while developing your app - this is easy enough to solve by storing your keys in your CI pipeline (assuming you've got one) and having it inject the correct secret into correct environment configuration. Some tools that can be of interest: Octopus, Hashicorp Vault. Developers then will only have development keys in their code base. Bear in mind - if you are using version control systems - it's not going to be enough to just delete your production codes and add a new commit - there are tools that let you search your commit history for accidentally exposed secrets, so you'll have to change your keys

用户可以对您的应用程序进行反向工程并从代码中提取密钥.这个问题很难解决，因为它很大程度上取决于操作系统，版本以及您如何使用机密信息.通常，您想完全避免在您的应用中存储机密，而是在对用户进行身份验证时获取它们.之后-您可以利用目标操作系统的安全的本地存储功能(保持请注意，即使也不保证100％受到保护).对于第三方访问，请考虑通过服务器代理以隐藏密钥，以获取更多启发.

Users can reverse-engineer your app and extract keys from the code. This one is harder to tackle as it hugely depends on the OS, version and how you work with secrets. Generally you would like to avoid storing secrets in your app at all and rather obtain them when authenticating users. After that - you'd leverage your target OS secure local store features (keeping in mind that even that does not guarantee 100% protection). For 3rd party access, consider proxying the requests through your server to conceal the keys Some more inspiration can be found here

UPD 为澄清您在用户交互方面的顾虑，请考虑以下简化的工作流程:

UPD to clarify your concerns re user interaction, consider this simplified workflow:

1)用户向您的后端/authorise端点发出未经身份验证请求，该请求将检查用户名，密码并返回 token1 (最好是 JWT )

1) User issues an unauthenticated request to your backend /authorise endpoint that will check username, password and return a token1 (preferably JWT)

2)您的应用程序将此令牌1 存储在设备上的本地存储中-这是用户永远有权访问的唯一秘密，并且是该用户专有的

2) your app stores this token1 in local store on the device - this is the only secret that user will ever have access to and it's specific to that user

3)您的用户使用令牌1 向您的/3rd-party-api-proxy

3) Your user makes an authenticated request using token1 to your /3rd-party-api-proxy

4)您的服务器将验证步骤3中的 token1 ，并使用从未公开过的 token2 向第三方发出实际请求.

4) your server will validate the token1 from step3 and make the actual request to 3rd party using token2 that you never exposed.

5)您的第三方请求成功，并且您将数据返回给用户.

5) your 3rd party request succeeds and you return data to the user.

使用此流程，您的 token2 永远不会被暴露出来，并且您始终知道哪个用户请求访问第三方API(您可以添加日志记录，审核，而不能添加).互联网上有很多关于如何构建该事物的文章，我只是在这里概述了非常基本的概念，希望这能给您一些思考的机会.

with this flow your token2 never gets exposed and you always know which user requested access to 3rd party API (you can add logging, audit, and what not). There;s plenty of articles in the Internet on how to architect this thing, I just outlined very basic concepts here, hoping this gives you some food for thought.

这篇关于在Ionic4/Angular项目中安全存储API密钥的位置的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！