REST Web 服务和 API 密钥 [英] REST web service and API keys

问题描述

我向用户提供了一项网络服务，让他们可以访问我的应用程序数据库并获取一些信息.用户必须注册 API 密钥并在提出请求时提供该密钥.一切正常，但我如何检查注册密钥的用户是否真正提出请求，而不是他可能已将密钥提供给的其他人?

I have a web service I'm offering to users to tap into my applications database and get some info. Users have to register for an API key and provide that when making requests. Everything works fine but how do I check if the users who registered for a key is actually making the request and not somebody else who he might have given the key to?

过去两天我一直在考虑想出一个解决方案，但到目前为止一无所获.

I've been thinking for the last two days to come up with a solution but nothing so far.

推荐答案

您需要使用签名请求.基本上它是这样工作的:

You need to use signed requests. Basically it works like that:

• 你给你的用户一个 API 密钥和一个只有你和客户知道的秘密"(一个随机字符串).
• 每当他们提出请求时，他们都会为其添加一个签名"参数.此签名基本上是请求参数 + API 密钥 + 其他参数(见下文)+ 秘密的哈希值.
• 因为您也知道秘密，所以您可以验证签名是否正确.

• You give your user an API key and a "secret" (a random string) that only you and the client know.
• Whenever they make a request, they add a "signature" parameter to it. This signature is basically a hash of the request parameters + the API key + other parameters (see below) + the secret.
• Since you know the secret too, you can verify that the signature is correct.

为了避免重放攻击，您还可以在混合中添加随机数和时间戳.nonce 只是一个数字，必须由客户端在每次请求时递增.当您收到请求时，您会检查您之前是否已经收到过此随机数/时间戳.如果您这样做了，您将拒绝该请求(因为这很可能是重放攻击).如果没有，您将随机数/时间戳存储在您的数据库中，以便您稍后查找.

To avoid replay attacks, you can also add nonces and timestamps into the mix. A nonce is simply a number that must be incremented by the client on each request. When you get the request, you check if you've already received this nonce/timestamp before. If you did, you reject the request (because it's most likely a replay attack). If not, you store the nonce/timestamp in your database so that you can look it up later on.

这或多或少是在 OAuth 中签署请求的方式.在链接中查看他们的示例.

This is more or less how requests are signed in OAuth. Have a look at their example in the link.

这篇关于REST Web 服务和 API 密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！