Javascript Calling a Rest API with App Name and App Password - How Can I Secure it


Question

I am sure this question has been asked a lot of times.

But I wanted to re-confirm my doubt and get some tips.

I was planning to play around with buddy.com back end as a service, and I saw that most of their REST API requires App Name and Password to be embedded if you are using JavaScript. They don't have any documentation for JavaScript yet. But I was wondering, if I have to start using it right now from JavaScript using a normal HTML or HTML5 web app, how do I use it?

I don't want to pass the App Password in clear text, as anybody could do a view-source in the browser or could run Fiddler to see what's being called. I know one would say, hey, why don't you use the token system valid for a particular time?

But I am the consumer over here. How can I protect the password from being seen in the view-source of the browser, since I would be calling the API through the JavaScript on the web page/app?

Typical example of buddy.com API

http://webservice.buddyplatform.com/Service/v1/BuddyService.ashx?Pictures_ProfilePhoto_Add&BuddyApplicationName=&BuddyApplicationPassword=&UserToken=&bytesFullPhotoData=&ApplicationTag=&RESERVED=

Any tips would be greatly appreciated. Thanks

Answer

JavaScript run by the client can always be modified with GreaseMonkey. ALL VARIABLES can be read with a JavaScript debugger like Firebug. ALL REQUESTS can be intercepted and modified with TamperData.

The result is that you can never trust JavaScript, because it's client-side code. In order to keep a secret from an attacker, you need to keep it out of JavaScript. You can do this with an intermediary API that knows the secrets and performs requests on the client's behalf. This API needs to enforce authentication, or who has access to a given resource.
