如何从 AngularJS 站点安全地连接到 Web api [英] How to securely connect to a web api from a AngularJS site

问题描述

作为 Web 开发的新手，至少在使用客户端技术(例如 AngularJS 框架)之前，我需要解决一些问题，然后才能开始我的最新项目.

Being relatively new to web development, at least using client side technologies such as the AngularJS framework, I need to resolve a few queries before I can start my latest project.

我正在使用 AngularJS 编写一个应用程序，它读取/写入/更新数据库中的数据.使用 javascript 作为客户端，我选择编写一个 PHP REST API 来执行数据库查询，从而获得安全的用户名和密码以及单个数据库层.

I am writing an application using the AngularJS which reads/writes/updates data in a database. With javascript being client side I have chosen to write a PHP REST API to do the database queries, resulting in a secure username and password and a single database layer.

我的问题是，鉴于我的 REST API，我将使用来自 javascript(客户端)的 AJAX 来调用方法.如何阻止其他站点也编写脚本来调用 REST API?将身份验证令牌放在 javascript 代码中不是很安全，有人可以复制它.

My question is, given my REST API, I will be using AJAX from javascript (which is client side) to invoke methods. How do I stop other sites from writing a script to invoke the REST API as well? Putting an authentication token in the javascript code isn't very secure, someone can just copy it.

REST API 是解决此问题的最佳方法吗?我不反对学习新技术或实践，所以非常感谢任何关于更好的设计模式或实现方法的想法.不幸的是，由于我在这方面的领域知识有限，我在 Google 搜索中一​​直没有结果，因为我对应该搜索的术语没有信心.

Is a REST API the best approach for this problem? I am not adverse to learning new technologies or practices so please, any thoughts on better design patterns or methods of implementation are greatly appreciated. Unfortunately, due to my limited domain knowledge in this area, I have been unfruitful in my Google Searches as I'm not confident of the terms under which I should be searching.

非常感谢.

推荐答案

由于您的 Angular 应用程序存在于浏览器中，因此您的 REST API 将需要可从任何随机访问者的浏览器公开访问.因此，出于需要，您拥有了一个公共 API.你不能限制它；访问者可以看到数据，或者他们不能.

Since your Angular application is living in the browser, your REST API will need to be publicly accessible from any random visitor's browser. You thereby have a public API, out of necessity. You can't restrict it; either visitors can see the data or they can't.

从本质上讲，这与传统网页没有太大区别.在服务器端生成的页面中，您输出打包为 HTML 的数据并将其交付给任何询问的人.在 REST-API/Angular 应用程序中，您可以将打包为 JSON 的数据交付给任何询问的人.无论哪种方式，数据都同样公开，尽管 REST API 可能比抓取 HTML 更容易滥用".如果您想避免有人彻底吸干您的所有数据库，则有意采用一些用户行为跟踪和限制可能会很有用；这同样适用于基于 JSON 的 REST API，也适用于常规网页.

Essentially this is not significantly different from a traditional webpage though. In a server-side generated page, you output your data packaged as HTML and deliver it to anyone who asks. In a REST-API/Angular app, you deliver the data packaged as JSON to anyone who asks. Either way the data is equally public, though maybe the REST API is a little easier to "abuse" than scraping the HTML would be. It may be useful to deliberate employing some user behaviour tracking and throttling, if you want to avoid someone outright sucking all of your database dry; this applies equally to JSON based REST APIs as it does to regular web pages.

如果您还以这种方式公开读/写 API，那么您当然很容易被滥用.

If you're also exposing read/write APIs this way, you're of course wide open to abuse.

使 API 不公开的唯一方法是要求密码身份验证.如果您的站点的用户必须登录，那么您可以将 API 限制为具有有效会话的任何人.如果任何人都可以简单地在您的网站上注册一个帐户，那么这对授予计划没有多大帮助，但与完全开放的 API 相比，它需要更多的考虑并且提供稍微更多的可管理性.

The only way to make an API non-public is to require password authentication. If the users of your site must be logged in, then you can restrict the API to anyone with a valid session. This doesn't help much in the grant scheme of things if anyone can simply register an account on your site, but it needs more deliberation and provides slightly more manageability than a completely open API.

管理员专用的 API 当然必须以这种方式受到保护，需要一个只有您拥有凭据的帐户.

Admin-only APIs of course must be protected in this way, requiring an account which only you have the credentials to.

这篇关于如何从 AngularJS 站点安全地连接到 Web api的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！