Looking for suggestions for building a secure REST API within Ruby on Rails


Question

I'm getting started on building a REST API for a project I'm working on, and it led me to do a little research as to the best way to build an API using RoR. I find out pretty quickly that by default, models are open to the world and can be called via URL by simply putting a ".xml" at the end of the URL and passing appropriate parameters.

So then the next question came. How do I secure my app to prevent unauthorized changes? In doing some research I found a couple articles talking about attr_accessible and attr_protected and how they can be used. The particular URL I found talking about these was posted back in May of '07 (here).

As with all things ruby, I'm sure that things have evolved since then. So my question is, is this still the best way to secure a REST API within RoR?

If not, what do you suggest in either a "new project" or an "existing project" scenario?

Accepted answer

There are several schemes for authenticating API requests, and they're different than normal authentication provided by plugins like restful_authentication or acts_as_authenticated. Most importantly, clients will not be maintaining sessions, so there's no concept of a login.

HTTP Authentication

You can use basic HTTP authentication. For this, API clients will use a regular username and password and just put it in the URL like so:

http://myusername:mypass@www.someapp.com/

I believe that restful_authentication supports this out of the box, so you can ignore whether or not someone is using your app via the API or via a browser.

One downside here is that you're asking users to put their username and password in the clear in every request. By doing it over SSL, you can make this safe.

I don't think I've ever actually seen an API that uses this, though. It seems like a decently good idea to me, especially since it's supported out of the box by the current authentication schemes, so I don't know what the problem is.

API Keys

Another easy way to enable API authentication is to use API keys. It's essentially a username for a remote service. When someone signs up to use your API, you give them an API key. This needs to be passed with each request.

One downside here is that if anyone gets someone else's API key, they can make requests as that user. I think that by making all your API requests use HTTPS (SSL), you can offset this risk somewhat.

Another downside is that users use the same authentication credentials (the API key) everywhere they go. If they want to revoke access to an API client their only option is to change their API key, which will disable all other clients as well. This can be mitigated by allowing users to generate multiple API keys.

API Key + Secret Key Signing

Deprecated (sort of) - see OAuth below

Significantly more complex is signing the request with a secret key. This is what Amazon Web Services (S3, EC2, and such) do. Essentially, you give the user 2 keys: their API key (i.e. username) and their secret key (i.e. password). The API key is transmitted with each request, but the secret key is not. Instead, it is used to sign each request, usually by adding another parameter.

IIRC, Amazon accomplishes this by taking all the parameters to the request, and ordering them by parameter name. Then, this string is hashed, using the user's secret key as the hash key. This new value is appended as a new parameter to the request prior to being sent. On Amazon's side, they do the same thing. They take all parameters (except the signature), order them, and hash using the secret key. If this matches the signature, they know the request is legitimate.

The downside here is complexity. Getting this scheme to work correctly is a pain, both for the API developer and the clients. Expect lots of support calls and angry emails from client developers who can't get things to work.

OAuth

To combat some of the complexity issues with key + secret signing, a standard has emerged called OAuth. At the core OAuth is a flavor of key + secret signing, but much of it is standardized and has been included into libraries for many languages.

In general, it's much easier on both the API producer and consumer to use OAuth rather than creating your own key/signature system.

OAuth also inherently segments access, providing different access credentials for each API consumer. This allows users to selectively revoke access without affecting their other consuming applications.

Specifically for Ruby, there is an OAuth gem that provides support out of the box for both producers and consumers of OAuth. I have used this gem to build an API and also to consume OAuth APIs and was very impressed. If you think your application needs OAuth (as opposed to the simpler API key scheme), then I can easily recommend using the OAuth gem.
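The "API key + secret key signing" scheme the answer sketches (sort the parameters by name, HMAC the result with the caller's secret, send the digest as an extra parameter, recompute on the server) and the API-key lookup it builds on, written out as a runnable Ruby example. This is added illustration, not code from the answer or from any AWS library: the `API_KEYS` store, the parameter names and the key values are constructed, and the server side is shown as plain functions rather than a Rails controller.

```ruby
require "openssl"
require "cgi"

# Constructed, in-memory lookup of API key -> secret key. In a Rails app this
# would be a model column; the values here are made-up placeholders.
API_KEYS = {
  "AKEXAMPLE0001" => "constructed-secret-key-do-not-reuse",
}.freeze

# Canonical form of a request: drop any existing "signature", order the
# remaining parameters by name, URL-encode each name and value, join with "&".
# Client and server must produce byte-identical output here or the HMACs differ.
def canonical_string(params)
  params
    .reject { |k, _| k.to_s == "signature" }
    .sort_by { |k, _| k.to_s }
    .map { |k, v| "#{CGI.escape(k.to_s)}=#{CGI.escape(v.to_s)}" }
    .join("&")
end

# HMAC-SHA256 over the canonical string, keyed with the secret, hex encoded.
# The secret itself never leaves the client; only this digest is sent.
def sign_params(params, secret)
  OpenSSL::HMAC.hexdigest("SHA256", secret, canonical_string(params))
end

# Client side: attach the public API key, then the signature over everything.
def signed_request(params, api_key, secret)
  with_key = params.merge("api_key" => api_key)
  with_key.merge("signature" => sign_params(with_key, secret))
end

# Constant-time comparison so a leaked timing difference cannot reveal
# how many leading bytes of a guessed signature were correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: find the secret for the presented API key, recompute the
# signature over the received parameters, and compare.
def verify_request(params)
  secret = API_KEYS[params["api_key"]]
  return false unless secret
  expected = sign_params(params, secret)
  secure_equal?(params["signature"].to_s, expected)
end

if __FILE__ == $0
  req = signed_request({ "action" => "list", "bucket" => "photos" },
                       "AKEXAMPLE0001", API_KEYS["AKEXAMPLE0001"])
  puts "canonical: #{canonical_string(req)}"
  puts "valid:     #{verify_request(req)}"
  puts "tampered:  #{verify_request(req.merge("bucket" => "other"))}"
end
```

Because the signature covers every parameter, changing any of them after signing (or presenting an unknown API key) fails verification, while the secret key is never transmitted. The signature alone does not stop a captured request from being replayed verbatim; signed APIs usually include a timestamp or nonce among the signed parameters for that reason.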
