How to protect RESTful API

Question

I have been looking for a way to protect my RESTful APIs. This appeared simple, but it seems not to be so simple. First off, I am writing an iOS app connecting to a Play Framework server. None of this has anything to do with Google, Facebook, Twitter, or LinkedIn (shocking, I know). Oh, and my current plans do not require custom apps to use my APIs; it's just my apps for the time being.

Basic authentication

What appeared to be simple was a basic user/pass on a /auth method managing a cookie session. That may draw some groans as being too simple or weak, but mostly it moved identity to a session key that is quickly verified. My initial setup was to expire the sessions every day, but that led to the iOS app forcing a login daily, which proved to be an annoyance.

OAuth

I posted a question on an iOS board and received a blunt direction towards OAuth. My research of OAuth began, but holy sh*t is that complicated, and there do not seem to be any server-side examples... just plenty of people complaining about how frustrating it is. All the client examples show connecting to Google, Facebook, Twitter, and LinkedIn. Oh joy!

After watching Eran Hammer's rant about OAuth1 and OAuth2, it seemed fruitless to continue, and his OZ idea (which looks really clean) is only at the early stages in node.js.

Question

So, my question to the broad StackOverflow community is... what do you do for securing your REST APIs?

Answer

I'd suggest considering the approach used by the biggest players, i.e. Amazon Web Services or Windows Azure: HMAC. Although it isn't comfortable to implement, as you can see it's a trusted technique.

The general idea is to sign parts of the request (i.e. headers) in the iOS app with a secret key, and to recalculate the signature on the Play app to verify that the request is authentic and has not been manipulated. If that check doesn't fail, you can be (almost) sure that it was sent by somebody who uses the valid secret key.

Take a look at Windows' document to get the concept (I think that for a common task, you can use a smaller number of elements for signing).

There is also another interesting post (based on AWS authentication) which describes the whole process even better.

EDIT

Of course you should realize that authentication in iOS and securing API requests are different things; even if you expire your session every 15 minutes, you can't be sure that somebody won't overhear it and then be able to send a fake request from the outside. Signing every request should minimize the risk.

On the other hand, if you prepare clear rules for signing the requests and write a short doc (which I recommend even for yourself), you can deliver it to another developer and he'll be able to implement it on (almost) any platform supporting SHA256, so you will have an API ready for use from 3rd-party apps, if you decide to publish it in the future.
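Added example (not part of the answer above, nor taken from the AWS or Azure documents it points to): a minimal HMAC-SHA256 request-signing scheme of the kind the answer describes, written in Python so it is platform-neutral. The client function is what the iOS app would run before sending; the server function is what the Play application would run before handling the request. The header names (X-Key-Id, X-Timestamp, X-Signature), the per-device key store, the exact string-to-sign layout and the 300-second clock-skew window are assumptions of this example, not something the answer specifies.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed per-device credential store (assumption of this example). The
# server would issue a key id and a random secret once, e.g. from the /auth
# login, keep the secret here, and the app would keep its own copy.
SERVER_KEYS = {"ios-device-42": b"0f5d1c2b-long-random-secret-issued-at-login"}

# Reject requests whose timestamp is further than this from server time, so a
# captured request cannot be replayed indefinitely (assumed window).
MAX_CLOCK_SKEW = 300  # seconds


def canonical_string(method: str, url: str, timestamp: int, body: bytes) -> str:
    """Build the string-to-sign from the parts that must not be tampered with.

    Method, path, query string, timestamp and a SHA-256 of the body are joined
    with newlines. Client and server must produce this byte-for-byte
    identically, which is why only normalized, unambiguous pieces are used.
    """
    parts = urlsplit(url)
    body_sha256 = hashlib.sha256(body).hexdigest()
    return "\n".join([
        method.upper(),
        parts.path or "/",
        parts.query,
        str(timestamp),
        body_sha256,
    ])


def sign_request(key_id: str, secret: bytes, method: str, url: str,
                 body: bytes = b"", timestamp: Optional[int] = None) -> Dict[str, str]:
    """Client side: return the headers the app attaches to the outgoing request."""
    ts = int(time.time()) if timestamp is None else timestamp
    msg = canonical_string(method, url, ts, body).encode("utf-8")
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Signature": sig}


def verify_request(method: str, url: str, headers: Dict[str, str], body: bytes = b"",
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Server side: recompute the HMAC over the received request and compare.

    Returns (ok, reason) so the caller can log why a request was rejected.
    """
    secret = SERVER_KEYS.get(headers.get("X-Key-Id", ""))
    if secret is None:
        return False, "unknown key id"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_CLOCK_SKEW:
        return False, "timestamp outside allowed window"
    msg = canonical_string(method, url, ts, body).encode("utf-8")
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so response timing does not leak how many
    # bytes of a guessed signature were correct.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request: an order placed by the iOS app.
    url = "https://api.example.com/v1/orders?limit=10"
    body = b'{"item": "book", "qty": 2}'
    hdrs = sign_request("ios-device-42", SERVER_KEYS["ios-device-42"],
                        "POST", url, body, timestamp=1700000000)
    print(verify_request("POST", url, hdrs, body, now=1700000005))        # (True, 'ok')
    print(verify_request("POST", url, hdrs, b'{"item": "book", "qty": 9}',
                         now=1700000005))                                  # tampered body
    print(verify_request("POST", url, hdrs, body, now=1700000000 + 3600)) # stale replay
```

Two points the answer leaves implicit are visible here. The body hash is part of the string-to-sign, so signing "the headers" alone does not leave the payload open to modification in transit. And the timestamp only bounds replay to the skew window; a request captured and resent within those 300 seconds still verifies, so a server that needs to stop that as well would additionally record recently seen (key id, timestamp, signature) tuples and refuse duplicates.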
