Hide an API key from the client side


Problem description

I am attempting an API integration with Zendesk. I'm having a lot of problems. You can see the questions I've asked about it so far below:

How to pass an access token in an ajax call

Submitting a ZenDesk API ticket using Javascript - authorization

Now the good news - I have it working on the surface. However, my API key is publicly in the client side Javascript, and I need to figure out some way to hide it. This is currently what my code looks like:

$.ajax({
  type: 'post',
  url: 'https://domain.zendesk.com/api/v2/tickets.json',
  data: {
    "ticket": {
      "subject": "new contact from " + contactEmail,
      "comment": {
        "body": contactFirstName + ' ' + contactLastName + ' ' + 'says: ' + contactMessage + contactEmail
      }
    }
  },
  beforeSend: function(xhr) {
    // The key is sent from the browser, so anyone viewing the page source can read it
    xhr.setRequestHeader('Authorization', 'BEARER (my key is here)');
  },
  success: function(response) {
    console.log(response);
  },
  error: function(error) {
    console.log(error);
  }
});
console.log('support ticket sent');

My research has led me to the following resources:

How to hide an API key in client-side Javascript

http://billpatrianakos.me/blog/2016/02/15/securing-api-keys-in-a-javascript-single-page-app/

Hiding an API key using JS/PHP/JS

They all share the sentiment that this should be handled on the server side. However, I cannot find any clear-cut tutorials on how to do this. Can someone give me an idea on how to even start? Been stuck on this for over a week.

Recommended answer

The only thing you can do is, as some mentioned, contact a PHP file as middleware. So you request a PHP file and send a cURL request.

The problem with client-side apps is that the client can read everything. So the only way is to add a small intermediate step, with PHP for example.

The best is that you can wait for the cURL response and take the response back to the client.
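
The relay the answer describes, as an added example that is not code from the original post: the browser posts only the form fields to this PHP file, which holds the token, builds the ticket and makes the cURL call. The `ZENDESK_TOKEN` environment variable, the file name `ticket.php` and the field names `firstName`, `lastName`, `email` and `message` are assumptions.

```php
<?php
// ticket.php - added example: server-side relay that keeps the Zendesk token off the client.
// Assumptions: the token is in the ZENDESK_TOKEN environment variable; the browser POSTs
// JSON with firstName, lastName, email and message (hypothetical field names).
declare(strict_types=1);
header('Content-Type: application/json');

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit(json_encode(['error' => 'POST only']));
}
$token = getenv('ZENDESK_TOKEN');
if ($token === false || $token === '') {
    http_response_code(500);
    exit(json_encode(['error' => 'server not configured']));
}

// Accept only known string fields; the client never supplies the ticket structure itself.
$in = json_decode(file_get_contents('php://input') ?: '', true);
$field = static function (string $key) use ($in): string {
    $v = is_array($in) ? ($in[$key] ?? '') : '';
    return is_string($v) ? trim($v) : '';
};
$email = filter_var($field('email'), FILTER_VALIDATE_EMAIL);
$name = trim($field('firstName') . ' ' . $field('lastName'));
$message = $field('message');
if ($email === false || $message === '' || strlen($message) > 5000) {
    http_response_code(400);
    exit(json_encode(['error' => 'invalid input']));
}

$payload = json_encode(['ticket' => [
    'subject' => 'new contact from ' . $email,
    'comment' => ['body' => $name . ' says: ' . $message . ' ' . $email],
]]);
$ch = curl_init('https://domain.zendesk.com/api/v2/tickets.json'); // URL from the question
curl_setopt_array($ch, [
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $payload,
    CURLOPT_HTTPHEADER => ['Content-Type: application/json', 'Authorization: Bearer ' . $token],
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_TIMEOUT => 10,
]);
$body = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);

// Wait for the cURL response, then return only the outcome, not the upstream body.
$ok = $body !== false && $status >= 200 && $status < 300;
http_response_code($ok ? 201 : 502);
echo json_encode(['ok' => $ok]);
```

The `$.ajax` call in the page then targets this file and no longer sets an `Authorization` header. Because the relay is reachable by anyone who can load the page, it still needs its own abuse controls such as rate limiting.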
