Securing REST API calls with client-side token


Problem description

I have a node.js REST API and I want to restrict POST/PUT/DELETE calls to a predefined list of "sources" (web applications whose code I do not own).

The only way I see to achieve this is to put a token on the client side (something like Google Analytics does in its JS files), but I have no idea how to secure this, since the token will be accessible in the static files.

What strategy should I use? JWT and OAuth2 seem not to be indicated, since they require user authentication first, but what I want to authenticate is not users but web apps.

Recommended answer

In the end your API is public, since any random website visitor will have to be able to interact with the API. Even if you use tokens to restrict access somewhat, those tokens by definition will have to be public as well. Even regularly expiring and renewing the tokens (e.g. through a backend API, or by including a nonce algorithm) won't help, since those new tokens will again be publicly visible on the 3rd party's website, where anyone can fetch one.

CSRF protection can help a little to avoid cross-site abuse within browsers, but is ultimately pointless for the purpose of preventing someone from writing an API scraper or such.

The best you can do is use the tokens to identify the individual site owners you granted access to, vigilantly monitor your API use, invalidate tokens when you think you're seeing them abused, and contact the site owners about securing their tokens better somehow (which they'll have the same problem doing, but at least you have someone to blame, cough cough).

