本文是小编为大家收集整理的关于有没有办法在React JS中保护API密钥,即使它在客户端?的处理/解决方法,可以参考本文帮助大家快速定位并解决问题,中文翻译不准确的可切换到English标签页查看源文。
问题描述
在React JavaScript文件上使用API密钥时是否有可以保护API?例如;
emailjs.init("API_KEY");
推荐答案
您可能需要检查Google Firebase如何进行纯客户端身份验证: https:https:https:https:https:https://firebase.google.com/products/auth/
编辑: 使用API-Keys,Oauth等对身份验证的一般介绍(来源:Bulding Web应用程序的Codecademy课程)可能有助于了解API键的意义以及为什么不需要确保它们的必要性.原因是,如本文所述,还有其他处理秘密信息的方法.
身份验证
简介
身份验证是应用程序用于确定和确认用户身份的过程.它确保向用户显示正确的内容.更重要的是,它可以确保未经授权的用户确保不正确的内容.
在本文中,我们将讨论这些交互的一些常见设计模式.您需要对HTTP请求有一些基本的了解,因为这些方法都使用HTTP请求来交换信息.
密码身份验证
最常见的身份验证实现要求用户输入其用户名或电子邮件和密码.然后,应用程序的服务器检查提供的凭据以确定用户是否存在以及提供的密码是否正确.如果凭据是正确的,则用户将登录并能够将应用程序用作用户.
通常,在成功登录时,该应用程序将使用身份验证令牌(或auth令牌)响应,供客户端用于其他HTTP请求.然后将该令牌存储在用户的计算机上,以阻止用户不断登录.
这个令牌通常在一定时间后到期,确保正确的用户也随着时间的推移使用该应用程序.
api键
通常将身份验证视为人用户与应用程序之间的相互作用,但有时用户是另一个应用程序.
许多应用程序以API(应用程序程序界面)的形式将接口公开其信息.例如,Spotify API几乎为其所有功能提供了端点.这允许应用程序从Spotify音乐目录中获取数据并管理用户的播放列表并保存音乐.
由于这些外部请求可能会淹没服务并访问用户信息,因此需要使用身份验证来确保它们.
从另一个应用程序访问API的最基本模式是使用API键.
公共API通常提供开发人员门户网站,您可以在其中注册应用程序并生成相应的API密钥.然后,此键是您应用程序唯一的.当您的应用程序提出请求时,此键将随之发送.然后,API可以验证您的应用程序是否可以访问并根据您的应用程序的权限提供正确的响应.
API可以跟踪每个应用程序正在提出的请求的类型和频率.该数据可用于从特定应用程序到预定义的服务级别的油门请求.这样可以防止应用程序垃圾邮件或滥用用户数据,因为API可以轻松阻止该应用程序的API密钥并防止该应用程序进一步恶意使用API.
oauth
对于许多应用程序,通用开发人员级的API密钥还不够.如前所述,API有时有能力提供对用户级数据的访问.但是,大多数服务仅在用户启用时提供此私人数据.
例如,Facebook不希望Tinder访问所有用户的数据,只是选择允许数据共享以更好地帮助他们在其区域中找到匹配的用户.
解决此问题的一种基本方法可能是让用户向中介应用程序提供其登录凭据,但这不是很安全,并且可以完全访问请求应用程序,而请求应用程序可能只需要非常有限的功能的特权集.
oauth 定义了解决此问题的更优雅的方法.它是2006年11月由Twitter开发人员Blaine Cook开发的,并于2010年4月发布.
.oauth是开放标准,通常用于授予应用程序的许可,以访问用户信息而不强迫用户赠送密码.
开放标准是某些功能应如何工作的公开定义.但是,该标准实际上并未构建该功能.
因此,每个API都必须实现自己的OAuth版本,因此可能具有略有不同的实现或流程.但是,它们都基于相同的OAuth规范.
这可以使新的OAuth API更令人沮丧.但是,随着时间的流逝,您将开始注意到API身份验证流之间的相似之处,并能够越来越轻松地在应用程序中使用它们.以下是标准OAuth流的摘要.
通用oauth流
实施OAuth的许多应用程序将首先要求用户选择要用于凭据的服务:
使用Google,Facebook或Twitter登录
选择服务后,用户将被重定向到服务登录.此登录名确认用户的身份,通常为用户提供了始生应用程序正在尝试在用户帐户上获得的权限列表.
如果用户确认要允许此访问权限,则将与访问令牌一起重定向到原始站点.然后,此访问令牌由原始应用程序保存.
像开发人员API密钥一样,该应用程序的请求将包含此访问令牌,以证明用户已授予访问权限并启用对该用户的适当内容访问.当用户返回应用程序时,将检索令牌,他们将不必重新认证.
oauth 2
由于Oauth从Twitter中演变出来,因此最初不被视为规范的一部分.最终,这导致创建了新版本的规范,称为OAuth2.
除其他改进外,OAuth 2允许根据请求访问的特定应用程序和请求的访问级别进行不同的身份验证流.
oauth 2仍然是一个开放的标准,因此每个API都会根据其特定实现具有自己的流程.下面,我们将讨论一些常见的OAuth 2流以及如何使用它们.
客户凭据授予
有时,应用程序将不需要访问用户信息,但可能会实现OAuth 2规范的附加安全性和一致性.这种类型的赠款用于访问应用程序级数据(类似于上面的开发人员API密钥),最终用户不参与此流程.
而不是API密钥,一个客户端ID和客户端秘密(在应用程序被授权使用API时提供给应用程序的字符串)用于访问令牌(有时是刷新令牌).我们将在稍后更深入地讨论刷新令牌.
此流量类似于我们的第一个示例,在该示例中,将电子邮件和密码交换为身份验证令牌.
必须确保客户秘密不会像密码一样成为公共信息.结果,开发人员应小心不要意外将此信息提交给公共GIT存储库.此外,为了确保秘密密钥的完整性,不应在客户端公开,所有包含它的请求都应发送服务器端.
类似于先前提到的键,返回的访问令牌由请求包括在内,以识别客户提出请求并受API限制的约束.
此访问令牌通常是短暂的,经常到期.到期后,可以通过重新订购客户凭证或优选刷新令牌来获得新的访问令牌.
刷新令牌是OAuth 2更新的重要功能,鼓励访问令牌经常过期,因此,不断更改(在原始的OAuth规范中,访问令牌可以持续到多年范围内) .当使用刷新令牌生成新的访问令牌时,它通常会到期任何以前的访问令牌.
授权代码授予
此流程是OAuth最常见的实现之一,如果您曾经与Google或Facebook签署Web应用程序,则看起来会很熟悉.它类似于前面描述的OAuth流,并添加了一个将请求应用程序链接到身份验证的步骤.
用户被重定向到身份验证的网站,验证请求访问和权限的应用程序,并通过授权代码重定向到Referring站点.
然后,请求应用程序获取此代码,并将其提交给身份验证的API,以及应用程序的客户ID和客户端秘密,以接收访问令牌和刷新令牌.然后以与以前的流相同的方式使用此访问令牌和刷新令牌.
要避免公开客户端ID和秘密,应在请求应用程序的服务器端完成流程的这一步骤.
由于令牌既与用户和请求应用程序都绑在一起,因此API对基于用户行为,应用程序行为或两者兼而有之的限制访问权限有很大的控制.
隐性授予
前两种方法导致客户端秘密密钥暴露,因此需要处理服务器端.一些应用程序可能需要访问OAuth API,但没有必要的服务器端功能来确保此信息安全.
隐式授予OAuth流是为这种非常有用情况设计的.该流程提示用户通过类似的授权步骤与授权代码流相似,但不涉及客户秘密的交换.
这种交互的结果是访问令牌,通常没有刷新令牌.然后,应用程序使用访问令牌向服务提出其他请求,但未发送到请求应用程序的服务器端.
此流程允许应用程序使用OAuth API,而不必担心可能会长期访问用户或应用程序的信息.
结论
oauth提供了对各种站点和信息的强大访问权限.通过正确使用它,您可以减少注册摩擦并丰富应用程序中的用户体验.
其他推荐答案
否,如果公开场合,它是公开的.
但是您可以设置一个服务器,该服务器会在后台处理通信,以便您将钥匙保密. 在壁炉的情况下,它不应该存在安全风险. 在此处查看此答案
问题描述
Is there anyway to secure an API key when using it on a React javascript file ? For example;
emailjs.init("API_KEY");
推荐答案
You may want to check how Google Firebase does pure client-side authentication: https://firebase.google.com/products/auth/
Edited: This general introduction to Authentication using API-keys, OAuth etc (source: codecademy course on bulding web-apps) may help understand what API keys are meant for and why it should't be necessary to secure them. The reason is that there are other ways to deal with secret information, as described in this article.
Authentication
INTRODUCTION
Authentication is the process used by applications to determine and confirm identities of users. It ensures that the correct content is shown to users. More importantly, it ensures that incorrect content is secured and unavailable to unauthorized users.
In this article, we’ll discuss a few of the common design patterns for these interactions. You’ll need to have some basic understanding of HTTP requests, since these methods all use HTTP requests to exchange information.
PASSWORD AUTHENTICATION
The most common implementation of authentication requires a user to input their username or email and a password. The application's server then checks the supplied credentials to determine if the user exists and if the supplied password is correct. If the credentials are correct, the user is logged in and able to use the application as thatthe user.
Typically, upon a successful login, the application will respond with an authentication token (or auth token) for the client to use for additional HTTP requests. This token is then stored on the user's computer, preventing the need for users to continuously log in.
This token generally expires after a certain amount of time, ensuring the correct user is using the application over time as well.
API KEYS
While it is common to think of authentication as the interaction between a human user and an application, sometimes the user is another application.
Many apps expose interfaces to their information in the form of an API (application program interface). For example, the Spotify API provides endpoints for almost all of its functionality. This allows applications to fetch data from the Spotify music catalog and manage user’s playlists and saved music.
Since these external requests could overwhelm a service and also access user information, they need to be secured using authentication.
The most basic pattern for API access from another application is using an API key.
Public APIs usually provide a developer portal where you can register your application and generate a corresponding API key. This key is then unique to your application. When your application makes a request, this key is sent along with it. The API can then verify that your application is allowed access and provide the correct response based on the permission level of your application.
The API can track what type and frequency of requests each application is making. This data can be used to throttle requests from a specific application to a pre-defined level of service. This prevents applications from spamming an endpoint or abusing user data, since the API can easily block that application's API key and prevent further malicious use of the API by that application.
OAUTH
For many applications, a generic developer-level API key is not sufficient. As mentioned earlier, APIs sometimes have the ability to provide access to user-level data. However, most services only provide this private data if the user enables it.
For example, Facebook doesn't want Tinder to access all of their users' data, just the users who have opted in to allowing the sharing of data to better help them find a match in their area.
A basic approach to this problem might be to have the user provide their login credentials to the intermediary application, but this is not very secure and would give full access to the requesting application, when the requesting application might only need a very limited set of privileges to function.
OAuth defines a more elegant approach to this problem. It was developed in November 2006 by lead Twitter developer Blaine Cook and version 1.0 was published in April 2010.
OAuth is an open standard and is commonly used to grant permission for applications to access user information without forcing users to give away their passwords.
An open standard is a publicly available definition of how some functionality should work. However, the standard does not actually build out that functionality.
As a result, each API is required to implement their own version of OAuth and therefore may have a slightly different implementation or flow. However, they're all based around the same OAuth specification.
This can make using a new OAuth API a little more frustrating. However, with time you will begin noticing the similarities between API authentication flows and be able to use them in your applications with increasing ease. Below is a summary of the standard OAuth flow.
GENERIC OAUTH FLOW
Many applications implementing OAuth will first ask the user to select which service they would like to use for credentials:
Login with Google, Facebook or Twitter
After selecting the service, the user will be redirected to the service to login. This login confirms the user’s identity and typically provides the user with a list of permissions the originating application is attempting to gain on the user’s account.
If the user confirms they want to allow this access, they will be redirected back to the original site, along with an access token. This access token is then saved by the originating application.
Like a developer API key, this access token will be included on requests by the application to prove that the user has granted access and enable access to the appropriate content for that user. When a user returns to the application, the token will be retrieved and they will not have to re-authenticate.
OAUTH 2
Since OAuth evolved out of Twitter, there were important use cases not originally considered as part of the specification. Eventually, this led to the creation of a new version of the specification, called OAuth 2.
Among other improvements, OAuth 2 allows for different authentication flows depending on the specific application requesting access and the level of access being requested.
OAuth 2 is still an open standard, so each API will have its own flow based on its particular implementation. Below, we’ll discuss a few of the common OAuth 2 flows and how they are used.
CLIENT CREDENTIALS GRANT
Sometimes an application will not need access to user information but may implement the added security and consistency of the OAuth 2 specification. This type of grant is used to access application-level data (similar to the developer API key above) and the end user does not participate in this flow.
Instead of an API key, a client ID and a client secret (strings provided to the application when it was authorized to use the API) are exchanged for an access token (and sometimes a refresh token). We will discuss refresh tokens in more depth later.
This flow is similar to our first example, where an email and password were exchanged for an authentication token.
It is essential to ensure the client secret does not become public information, just like a password. As a result, developers should be careful not to accidentally commit this information to a public git repository. Additionally, to ensure integrity of the secret key, it should not be exposed on the client-side and all requests containing it should be sent server-side.
Similar to the previously-mentioned keys, the returned access token is included on requests to identify the client making the requests and is subject to API restrictions.
This access token is often short-lived, expiring frequently. Upon expiration, a new access token can be obtained by re-sending the client credentials or, preferably, a refresh token.
Refresh tokens are an important feature of the OAuth 2 updates, encouraging access tokens to expire often and, as a result, be continuously changed (in the original OAuth specification, access tokens could last for time periods in the range of years). When a refresh token is used to generate a new access token, it typically expires any previous access tokens.
AUTHORIZATION CODE GRANT
This flow is one of the most common implementations of OAuth and will look familiar if you’ve ever signed into a web application with Google or Facebook. It is similar to the OAuth flow described earlier with an added step linking the requesting application to the authentication.
A user is redirected to the authenticating site, verifies the application requesting access and permissions, and is redirected back to the referring site with an authorization code.
The requesting application then takes this code and submits it to the authenticating API, along with the application’s client ID and client secret to receive an access token and a refresh token. This access token and refresh token are then used in the same manner as the previous flow.
To avoid exposing the client ID and secret, this step of the flow should be done on the server side of the requesting application.
Since tokens are tied both to users and requesting applications, the API has a great deal of control over limiting access based on user behavior, application behavior, or both.
IMPLICIT GRANT
The previous two methods cause the client secret key to be exposed, so they need to be handled server-side. Some applications may need to access an OAuth API but don't have the necessary server-side capabilities to keep this information secure.
The Implicit Grant OAuth flow was designed for this very use case. This flow prompts the user through similar authorization steps as the Authorization Code flow, but does not involve the exchange of the client secret.
The result of this interaction is an access token, and typically no refresh token. The access token is then used by application to make additional requests to the service, but is not sent to the server side of the requesting application.
This flow allows applications to use OAuth APIs without fear of potentially exposing long-term access to a user or application's information.
CONCLUSION
OAuth provides powerful access to a diverse set of sites and information. By using it correctly, you can reduce sign-up friction and enrich user experience in your applications.
其他推荐答案
No, if it's out in public, it is public.
But you can set up a server that takes care of the communication in the background so you key would be kept secret. In the case of Firebase it seams, that there shouldn't be a security risk though. See this answer here
更多相关问答
联系站长