开源项目但对 API 密钥保密 [英] Open source a project but keep API keys confidential

问题描述

我想使用 GitHub API 创建一个开源项目，但我遇到了在源代码中包含我的密钥的问题.我从不同的地方读到过在源代码中从不包含任何秘密密钥，我同意这一点.我还发现了一些关于通过网络服务器进行身份验证而不是让用户获取他们自己的 API 密钥的模糊参考.

I'd like to create an open source project using the GitHub API, but I came across a problem having my secret key in the source code. I've read from various places to never include any secret keys in the source and I agree with that. I've also found a couple vague references about authenticating through a web sever instead of making users acquire their own API keys.

根据我的理解，它会是这样的:

From my understanding it would go something like this:

当需要使用 GitHub 进行身份验证时，我会让用户向我的服务器发送请求.从那里，我将使用我自己的 API 密钥向 GitHub 进行身份验证，并在身份验证成功后，将签名返回给发出请求的用户.从那时起，他们可以直接与 GitHub 通信.那是对的吗?

When it comes time to authenticate with GitHub, I would have the user send a request to my server. From there, I would authenticate with GitHub using my own API keys and after a successful authentication, return the signature to the user who made the request. From that point on they could communicate directly with GitHub. Is that correct?

如果这是它的工作原理，我很想了解更多有关该过程的信息.这是我第一次使用 API，所以我对此很陌生.

If that is how it works, I would love to know a little more about the process. It's my first time working with APIs so I'm pretty new to this.

推荐答案

我从来没有收到过这个问题的答案，所以我想我会传递我同时发现的东西.

I never received an answer to this question so I thought I would pass along what I found in the mean time.

使用 API 的项目开源的主要问题是披露您的客户端机密(至少在 GitHub 的情况下，这就是我发布此问题的原因).您永远不应该在源中包含您的客户端机密.如果有人拥有您的客户端机密和客户端 ID，他们可以有效地模拟您的应用程序.

The main concern with open sourcing a project that utilizes an API is disclosing your client secret (at least in the case of GitHub, which is why I posted this question). You should never include your client secret in the source. If someone has your client secret and client id they can effectively impersonate your application.

所以，剩下两个选项.

1).运行您自己的简单服务器.

1). Run your own simple server.

2).要求 fork 项目的每个人都获得自己的 GitHub API 密钥.

2). Require everyone who forks your project to get their own GitHub API keys.

我建议选择选项 2.如果您开源了一个应用程序，它就不再是您的了，而且您对其他人将如何使用它没有发言权.那么，在使用您的客户端 ID 和机密时，您为什么要对其他人的应用程序所做的事情负责?

I would suggest going with option 2. If you open source an application, it's no longer yours, and you don't have a say in what other people will do with it. So, why would you want to be accountable for what someone else's application does while using your client id and secret?

这里还有一个问题.使用 GitHub 进行身份验证并获得 Auth Token 后，您需要以某种方式安全地存储该 Auth Token.我最初没有意识到，但它基本上是一个密码.如果您以纯文本形式存储身份验证令牌并且其他人恢复它，他们可以向 API 发出请求并检索所有用户数据.(这是使用 OAuth2 和不记名令牌.)

There is also another problem here. Once you authenticate with GitHub and get an Auth Token, you need to somehow securely store that Auth Token. I didn't realize it initially, but it's basically a password. If you store the Auth Token in plain text and someone else recovers it, they can make a request to the API and retrieve all of the users data. (This is using OAuth2 and bearer tokens.)

在客户端上存储身份验证令牌确实不是一个好方法.当您尝试开源项目时，这也会带来另一个问题.无论谁使用您的开源项目，本质上都需要使用他们自己的服务器进行初始身份验证，然后还要存储身份验证令牌.

There's really not a good way to store the auth token on the client. Which also presents another problem when you are trying to open source your project. Whoever uses your open source project will essentially need to use their own server for the initial authentication and then also to store the auth token.

只是要记住一些事情.

这篇关于开源项目但对 API 密钥保密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！