客户端 JavaScript 中的 Steam API 密钥 [英] Steam API Key in Client-Side JavaScript
问题描述
最近我使用 Steam API 创建了一个 Steam 应用程序,这需要 Steam 密钥才能在很大程度上使用.我的应用程序完全使用客户端 JavaScript 编写,需要以某种方式将密钥放入其中.但是 Steam 禁止用户在公共场所发布他的 API,我相信源代码是公开的.
Recently I have created a Steam app, using the Steam API, which requires the Steam Key to use to any large extent. My application is written completely using client-side JavaScript and needs to have the key put in there somehow. However Steam forbids the user from posting his API in a public place, and I believe that the source code is public.
无论如何都可以对其进行编码,因此无法获取普通密钥,但仍保留将其放入网站调用中的功能(例如 www.example.com/?api=key).
Is there anyway of encoding it, so there is no way to get the normal key, yet still keep the functionality of putting it in a call to a website (for example www.example.com/?api=key).
我一直在研究的一个例子是将其编码为 base 64,但我不确定这是否满足隐私要求.代码如下:
An example I have been looking at is encoding it into base 64, but I'm not sure if this fulfills the privacy required. The code for this is:
alert(btoa("key"));
之后,我粘贴了一个示例中的警报消息
After that I paste in the alert message I got in an example of
var api=atob("key");
这对普通站点隐藏了密钥,但可以使用类似的东西轻松解码
This hides the key from plain site, but it can be easily decoded using something like
alert(atob("key"));
是否有我可以使用的库,或者某种不需要服务器端 JavaScript(例如 node.js)来执行此操作的方法.
Is there a library I can use, or some way that does not need server side JavaScript (such as node.js) to do this.
推荐答案
正如许多评论指出的那样,一旦它在客户端和服务器中,就没有办法使任何东西变得安全strong> 预计会信任客户.
As many of the comments are pointing out, there is no way to make anything secure as soon as it's been in the client and the Server is expected to trust the client.
在您的示例中,特别是使用 aTob 和 bToa 函数,您正在创建一个新的 APIKEY,它的行为符合原始 APIKEY 作为 APIKEY' 最终不安全.
In your example, particularly, with the function aTob and bToa what you are creating is particularly creating a new APIKEY that behaves to the original APIKEY as as APIKEY' which ends up being insecure.
解决这个问题的办法是让代码和APIKEY完全不受用户的操纵.这是一个秘密,因此应尽可能保密和隐藏".
The solution of this is to put the code and the APIKEY exclusively from the manipulation of the user. This is a secret and as such should be kept as secure and "hidden" as possible.
这篇关于客户端 JavaScript 中的 Steam API 密钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
