How does the Mongolab REST API authenticate?


Question


The REST API for Mongolab is cool. I can use that for analytics in my website directly using the following JavaScript, provided on Mongolab's support page. If only I could understand how the authentication actually works. The API key mentioned in the URL could be easily copied by anyone who'd view the HTML source. The Mongolab control panel does not offer any registration for my website that'd assure me that the API key will be validated only if coming from my domain. How does this authentication work?

$.ajax( { // insert one document into my-coll; the API key travels in the query string
          url: "https://api.mongolab.com/api/1/databases/my-db/collections/my-coll?apiKey=myAPIKey",
          data: JSON.stringify( { "x" : 1 } ),   // request body: the document to insert
          type: "POST",
          contentType: "application/json" } );

Answer

Excellent observation, and great question.

Currently, all API keys have read and write access to the databases associated with the user's account, and any agent possessing an API key can successfully issue any such request.

As you observe, this very basic pass key is not designed with any kind of fine-grained security in mind.

However, we're working on a batch of new REST API security features aimed at precisely that.

Contact us at support@mongolab.com if you'd be interested in discussing the details.
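The answer above confirms the asker's worry: the apiKey in the query string is a plain bearer credential with full read/write rights, and nothing ties it to a domain. The Node.js example below is added here and is not code from the question, the answer, or MongoLab. Part 1 recovers the key from the page snippet the way any visitor reading "view source" would; part 2 shows the usual remedy, a small proxy on your own origin that holds the key and only forwards requests matching a policy. The policy values, the names extractApiKey, buildUpstreamRequest and proxyHandler, and the injected send function are all assumptions made for illustration.

```javascript
// Added example (not from the question, the answer, or MongoLab's own code).
// Part 1: a key embedded in page JavaScript is readable by every visitor.
// Part 2: a server-side proxy that keeps the key out of the browser and
// restricts what the browser may ask it to do. POLICY, extractApiKey,
// buildUpstreamRequest and proxyHandler are hypothetical names.

// --- Part 1: anything in "view source" is public ---------------------------
// Constructed input: the snippet from the question, as it would sit in the page.
const PAGE_SNIPPET = `
$.ajax( { url: "https://api.mongolab.com/api/1/databases/my-db/collections/my-coll?apiKey=myAPIKey",
          data: JSON.stringify( { "x" : 1 } ),
          type: "POST",
          contentType: "application/json" } );`;

// Find the first URL in the page text and read its apiKey parameter. The API
// checks nothing about the caller, so this string is all anyone needs to
// replay any request against the account's databases.
function extractApiKey(pageText) {
  const m = pageText.match(/https?:\/\/[^\s"')]+/);
  return m ? new URL(m[0]).searchParams.get("apiKey") : null;
}

// --- Part 2: keep the key on the server, behind a policy -------------------
// The browser posts {method, collection, body} to your own origin; only the
// server talks to api.mongolab.com, with the key read from its environment.
const POLICY = {
  database: "my-db",
  allowedCollections: new Set(["my-coll"]), // analytics events only
  allowedMethods: new Set(["POST"]),        // inserts only, never read or delete
  maxBodyBytes: 1024,
};

// Validate the client's request and, if acceptable, build the upstream one.
// Returns {error} or {method, url, headers, body}.
function buildUpstreamRequest(clientReq, apiKey, policy = POLICY) {
  const { method, collection, body } = clientReq;
  if (!policy.allowedMethods.has(method)) return { error: "method not allowed" };
  if (!policy.allowedCollections.has(collection)) return { error: "collection not allowed" };
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    return { error: "body must be a JSON object" };
  }
  // Field names starting with "$" or containing "." are operator / path syntax
  // in MongoDB; refuse them so the client cannot smuggle update operators.
  for (const key of Object.keys(body)) {
    if (key.startsWith("$") || key.includes(".")) return { error: `illegal field name: ${key}` };
  }
  const payload = JSON.stringify(body);
  if (Buffer.byteLength(payload, "utf8") > policy.maxBodyBytes) return { error: "body too large" };

  const url = new URL(`https://api.mongolab.com/api/1/databases/${policy.database}/collections/${collection}`);
  url.searchParams.set("apiKey", apiKey); // the only place the key appears
  return { method, url: url.toString(), headers: { "Content-Type": "application/json" }, body: payload };
}

// Proxy handler. `send` is injected (a fetch-like function returning {status})
// so this runs offline; the reply to the browser never carries the upstream
// URL or the key, only a success flag.
function proxyHandler(clientReq, apiKey, send, policy = POLICY) {
  const upstream = buildUpstreamRequest(clientReq, apiKey, policy);
  if (upstream.error) return { status: 400, body: { error: upstream.error } };
  const res = send(upstream);
  return { status: res.status, body: { ok: res.status >= 200 && res.status < 300 } };
}

// Stand-alone demo with a fake transport (no network access).
if (typeof require !== "undefined" && require.main === module) {
  console.log("key visible in page source:", extractApiKey(PAGE_SNIPPET));
  const fakeSend = () => ({ status: 200 });
  console.log(proxyHandler({ method: "POST", collection: "my-coll", body: { x: 1 } }, "secret", fakeSend));
  console.log(proxyHandler({ method: "DELETE", collection: "my-coll", body: {} }, "secret", fakeSend));
}
```

With the proxy in place the page's script posts to your own endpoint instead of api.mongolab.com, so the key never reaches the browser, and the policy turns an all-powerful account key into "insert a small document into one collection". Keeping the key out of the URL also keeps it out of browser history, Referer headers and intermediate access logs, which a query-string credential otherwise lands in.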
