保护客户端API [英] Securing a client-side API
问题描述
我正在为基于JavaScript的游戏构建一个服务器端API和客户端库,其中必须保证两个非常重要的功能。
- 必须为每个玩家扣除一个用户
- 我们必须确保提交的分数是玩家实际获得的分数。
解决第一个问题似乎很简单,在每次播放的开始,我们点击API,借记用户的帐户,并返回一个唯一的播放ID。当我们提交该玩家的用户评分时,我们会传递开始时发布的ID。
第二个是我有点难过。最初,我考虑了基于ID和分数的客户端哈希算法,但很快意识到生成哈希的Javascript即使被混淆也很容易被反向设计。在这一点上,我考虑了一个小的闪存组件生成哈希,但我听说,即使编译的Flash可以反编译。
对于添加的上下文,我打算建立在Ruby中的服务器端API。
我很想听听Stack Overflow的聪明程序员提供的任何建议。感谢您的时间!
编辑:下面的Homer6的答案是更复杂的游戏的一个很好的解决方案,但不幸的是,游戏不适合这样的方法。这是一个非常短的时间为基础的游戏,所以分数只是你需要完成一个级别的时间。
作为一个经验法则,假设客户端的任何东西都可以伪造。
I'm building a server-side API and client-side library for a JavaScript-based game where two very important features must be secured.
- A user must be debited for each play
- We must ensure that the score that gets submitted is the actual earned score by the player.
Solving the first problem seems simple; at the beginning of each play we hit the API, debit the user's account and return a unique Play ID. When we submit the user's score for that play, we pass the ID issued at the beginning.
The second one has me a little stumped. Initially I considered a client-side hashing algorithm based on the ID and the score, but quickly realized that the Javascript that produces the hash could easily be reverse-engineered, even if it was obfuscated. At this point I considered a small flash component that generates the hash, but I've heard that even compiled flash can be decompiled.
For added context, I plan to build the server side API in Ruby.
I'd love to hear any suggestions the clever programmers of Stack Overflow have to offer. Thanks for your time!
Edit: The answer by Homer6 below is a very good solution for more sophisticated games, but unfortunately the simplicity of this game doesn't merit a method like that. It's a very short-play time based game, so the score is just the time it takes you to complete a level.
As a rule of thumb just assume that anything in the client side can be faked.
这篇关于保护客户端API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!