Hide an API key from the client side


Question

I am attempting an API integration with Zendesk. I'm having a lot of problems. You can see the questions I've asked about it so far below:

How to pass an access token in an ajax call

Using Javascript - authorized submission of a ZenDesk API ticket

Now the good news - I have it working on the surface. However, my API key is publicly in the client-side Javascript, and I need to figure out some way to hide it. This is currently what my code looks like:

$.ajax({
        type: 'post',
        url: 'https://domain.zendesk.com/api/v2/tickets.json',
        data: {
          "ticket": {
            "subject": "new contact from " + contactEmail,
            "comment": {
              "body": contactFirstName + ' ' + contactLastName + ' ' + 'says: ' + contactMessage + contactEmail
            }
          }
        },
        beforeSend: function(xhr) {
            // The key is set in browser code, so anyone who loads the page can read it.
            xhr.setRequestHeader('Authorization', 'BEARER (my key is here)');
        },
        success: function(response) {
            console.log(response);
            // Log only once the request has actually succeeded.
            console.log('support ticket sent');
        },
        error: function(error) {
            console.log(error);
        }
      });

My research has led me to the following resources:

How to hide an API key in client-side Javascript

http://billpatrianakos.me/blog/2016/02/15/securing-api-keys-in-a-javascript-single-page-app/

Hiding an API key using JS/PHP/JS

They all share the sentiment that this should be handled on the server side. However, I cannot find any clear-cut tutorials on how to do this. Can someone give me an idea on how to even start? Been stuck on this for over a week.

Recommended answer

The only thing you can do is, as some mentioned, that you contact a PHP file as a middleware. So you request a PHP file and send a cURL request.

The problem in client-side apps is that the client can read everything. So the only way is to do it with a little middle step, with PHP for example.

The best is that you can wait for the cURL response and take the response back to the client.
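
The server-side middle step described in the answer, as an added example that is not part of the original answer and is written in Node.js rather than PHP with cURL. The browser posts the form fields to a hypothetical /contact route, and only the server, which reads the token from an assumed ZENDESK_TOKEN environment variable, talks to Zendesk.

```javascript
// Added example, not from the original post. Assumes Node.js 18+ and a ZENDESK_TOKEN
// environment variable; the /contact route and form field names are hypothetical.
const ZENDESK_URL = 'https://domain.zendesk.com/api/v2/tickets.json'; // from the question

// Build the upstream request on the server. The target URL is fixed and only
// validated fields are copied, so the endpoint cannot be used as an open relay.
function buildTicketRequest(form, token) {
  const email = String(form.email ?? '').trim();
  const name = String(form.name ?? '').trim();
  const message = String(form.message ?? '').trim();
  const emailOk = /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
  if (!emailOk || !message || message.length > 5000) return null;
  return {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${token}` },
    body: JSON.stringify({
      ticket: {
        subject: `new contact from ${email}`,
        comment: { body: `${name} says: ${message} (${email})` },
      },
    }),
  };
}

// Call Zendesk and give the browser a minimal result, never upstream headers or errors.
async function submitTicket(form, token, fetchImpl = fetch) {
  const options = buildTicketRequest(form, token);
  if (!options) return { status: 400, body: { error: 'invalid input' } };
  const upstream = await fetchImpl(ZENDESK_URL, options).catch(() => ({ ok: false }));
  return upstream.ok
    ? { status: 201, body: { ok: true } }
    : { status: 502, body: { error: 'ticket service error' } };
}

// Serve POST /contact. The dynamic import works in both CommonJS and ES modules.
async function startServer(port, token = process.env.ZENDESK_TOKEN) {
  const http = await import('node:http');
  return http.createServer((req, res) => {
    if (req.method !== 'POST' || req.url !== '/contact') return res.writeHead(404).end();
    let raw = '';
    req.on('data', (chunk) => { raw += chunk; if (raw.length > 100000) req.destroy(); });
    req.on('end', async () => {
      let out = { status: 400, body: { error: 'invalid input' } };
      try { out = await submitTicket(JSON.parse(raw), token); } catch { /* keep the 400 */ }
      res.writeHead(out.status, { 'Content-Type': 'application/json' });
      res.end(JSON.stringify(out.body));
    });
  }).listen(port);
}
```

The client-side $.ajax call then targets /contact on the same origin and carries no Authorization header. Because the route accepts unauthenticated submissions, rate limiting or a CAPTCHA in front of it is still needed to keep it from being used to flood the ticket queue.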
