REST authentication and exposing the API key


Question

I've been reading up on REST and there are a lot of questions on SO about it, as well as on a lot of other sites and blogs. Though I've never seen this specific question asked...for some reason, I can't wrap my mind around this concept...

If I'm building a RESTful API, and I want to secure it, one of the methods I've seen is to use a security token. When I've used other APIs, there's been a token and a shared secret...makes sense. What I don't understand is, requests to a REST service operation are being made through JavaScript (XHR/Ajax), so what is to prevent someone from sniffing that out with something simple like FireBug (or "view source" in the browser) and copying the API key, and then impersonating that person using the key and secret?

Answer

The API secret is not passed explicitly; the secret is used to generate a signature of the current request. On the server side, the server generates the signature following the same process, and if the two signatures match, the request is authenticated successfully -- so only the signature is passed with the request, not the secret.
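The request-signing scheme the answer describes, as an added example that is not part of the original post: the client signs a canonical form of the request with the shared secret, and the server looks up the secret by the public API key, recomputes the signature over the request it actually received, and compares in constant time. The header names, the HMAC-SHA256 choice, the credential store and the timestamp window (which rejects stale requests) are assumptions of this example.

```python
import hmac
import hashlib
import time

# Constructed sample credential store: public API key -> shared secret.
# The secret lives only on the server and is never placed in a request.
SECRETS = {"key-demo-123": b"example-shared-secret"}

# Requests whose timestamp is older than this are rejected (assumed policy,
# limits how long a captured signed request stays usable).
MAX_SKEW_SECONDS = 300


def canonical_string(method, path, body, timestamp):
    """Build the exact byte string both sides sign. Any change to the
    method, path, body or timestamp produces a different signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp)]).encode()


def sign_request(api_key, secret, method, path, body, timestamp):
    """Client side: HMAC-SHA256 over the canonical string. Only the public
    key, the timestamp and the resulting signature travel with the request."""
    msg = canonical_string(method, path, body, timestamp)
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Api-Key": api_key, "X-Timestamp": str(timestamp), "X-Signature": sig}


def verify_request(headers, method, path, body, now=None):
    """Server side: recompute the signature from the secret on file and the
    request as received; return True only if it matches and is not stale."""
    now = time.time() if now is None else now
    secret = SECRETS.get(headers.get("X-Api-Key", ""))
    if secret is None:
        return False  # unknown key: reject without revealing why
    try:
        ts = int(headers["X-Timestamp"])
        provided = headers["X-Signature"]
    except (KeyError, ValueError):
        return False  # missing or malformed auth headers
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # outside the accepted time window
    expected = hmac.new(secret, canonical_string(method, path, body, ts),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, provided)
```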
