How does Mongolab REST API authenticate


Question


The REST API for Mongolab is cool. I can use that for analytics in my website directly using the following javascript, provided on Mongolab's support page. Only if I can understand how the authentication actually works. The API key mentioned in the URL could be easily copied by anyone who'd view the html source. The Mongolab control panel does not offer any registration for my website that'd assure me that the api key will be validated only if coming from my domain. How does this authentication work?

// Snippet from the Mongolab support page, as quoted in the question: the apiKey
// travels in the query string of a request issued from the browser, so it is
// visible to anyone who views the page source or watches the network traffic.
$.ajax({
  url: "https://api.mongolab.com/api/1/databases/my-db/collections/my-coll?apiKey=myAPIKey",
  data: JSON.stringify({ "x": 1 }),   // document to insert into my-coll
  type: "POST",
  contentType: "application/json"
});

Answer


Excellent observation, and great question.


Currently, all API keys have read and write access to the databases associated with the user's account, and any agent possessing an API key can successfully issue any such request.


As you observe, this very basic pass key is not designed with any kind of fine-grained security in mind.


However, we're working on a batch of new REST API security features aimed at precisely that.


Contact us at support@mongolab.com if you'd be interested in discussing the details.
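The answer confirms the asker's reading: the apiKey is a bearer secret with full read/write access, and nothing ties it to a domain. The following is an added example written for this page (it is neither the asker's code nor Mongolab's), showing both halves of that problem in Node.js: first, how trivially the key can be harvested from page source; second, the standard remedy, a small server-side proxy that keeps the key out of the browser and only forwards requests that match an explicit policy. The page HTML is constructed for the example, and the database name `my-db`, the collection `my-coll`, the field allowlist and the `MONGOLAB_API_KEY` environment variable are all assumptions.

```javascript
"use strict";

// (1) The leak. The snippet in the question puts the key in a query string;
// anyone who fetches the page can pull it out with a one-line regex.
// Constructed sample page, modelled on the question's snippet.
const SAMPLE_PAGE_HTML = `
<script>
$.ajax({ url: "https://api.mongolab.com/api/1/databases/my-db/collections/my-coll?apiKey=myAPIKey",
         data: JSON.stringify({ "x": 1 }), type: "POST", contentType: "application/json" });
</script>`;

function extractApiKeys(html) {
  const found = new Set();
  const re = /[?&]apiKey=([A-Za-z0-9_\-]+)/g;
  let m;
  while ((m = re.exec(html)) !== null) found.add(m[1]);
  return [...found];
}

// (2) The remedy: a proxy endpoint on your own server. The key is read from
// the environment here (assumed variable name) and is never sent to the client.
const API_KEY = process.env.MONGOLAB_API_KEY || "server-side-placeholder-key";
const BASE_URL = "https://api.mongolab.com/api/1/databases/my-db/collections/"; // assumed db
const MAX_BODY_BYTES = 1024;

// Policy: per collection, which HTTP methods the browser may trigger and which
// fields an inserted document may contain. Anything not listed is refused, so a
// client that reaches the proxy still cannot read, delete, or touch other
// collections the way a holder of the raw apiKey could.
const POLICY = {
  "my-coll": { methods: new Set(["POST"]), fields: new Set(["x", "page", "ts"]) },
};

// Returns null when the document is acceptable, otherwise a reason string.
function validateInsert(doc, allowedFields) {
  if (doc === null || typeof doc !== "object" || Array.isArray(doc)) {
    return "body must be a JSON object";
  }
  for (const [k, v] of Object.entries(doc)) {
    if (k.startsWith("$") || k.includes(".")) return `operator-like key rejected: ${k}`;
    if (!allowedFields.has(k)) return `field not allowed: ${k}`;
    const t = typeof v;
    if (t !== "string" && t !== "number" && t !== "boolean") {
      return `unsupported value type for ${k}: ${t}`;
    }
  }
  return null;
}

// Builds the request the proxy would send upstream; throws on any policy violation.
function buildUpstreamRequest({ collection, method, body }) {
  const rule = POLICY[collection];
  if (!rule) throw new Error(`collection not exposed: ${collection}`);
  if (!rule.methods.has(method)) throw new Error(`method not allowed on ${collection}: ${method}`);
  const reason = validateInsert(body, rule.fields);
  if (reason) throw new Error(reason);
  const payload = JSON.stringify(body);
  if (Buffer.byteLength(payload, "utf8") > MAX_BODY_BYTES) throw new Error("body too large");
  return {
    method,
    url: `${BASE_URL}${encodeURIComponent(collection)}?apiKey=${encodeURIComponent(API_KEY)}`,
    headers: { "Content-Type": "application/json" },
    body: payload,
  };
}

// What an HTTP handler would do with a browser request: 200 with the upstream
// request to forward, or 403 with the reason it was refused.
function handleClientRequest(collection, method, body) {
  try {
    return { status: 200, upstream: buildUpstreamRequest({ collection, method, body }) };
  } catch (e) {
    return { status: 403, error: e.message };
  }
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("keys recoverable from page source:", extractApiKeys(SAMPLE_PAGE_HTML));
  console.log(handleClientRequest("my-coll", "POST", { x: 1 }));
  console.log(handleClientRequest("my-coll", "DELETE", {}));
  console.log(handleClientRequest("my-coll", "POST", { x: 1, $where: "1" }));
}
```

The proxy is the only place the key exists, so the browser can at most cause the narrowly allowed insert. Note that checking the `Origin` or `Referer` header on the proxy is not a substitute for this policy: a non-browser client can set those headers to anything, which is also why a domain registration on Mongolab's side, had it existed, would not by itself have solved the asker's concern.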
