問題描述

有許多在線資源提供 JavaScript API 來訪問他們的服務(wù).為了更清楚，我的問題將基于 MapBox 的示例，但這適用于許多其他服務(wù)在各個領(lǐng)域.

There are numerous online resources which provide JavaScript APIs to access their services. To be more clear, I will base my question on the example of MapBox, but this applies well to many other services in various domains.

當(dāng)有人想在 Web 應(yīng)用程序中使用此類服務(wù)??(例如 MapBox 中的地圖圖像)時，他們通常需要注冊/注冊并獲取 訪問令牌 才能訪問該服務(wù).

When someone wants to use such a service in a web application (like the map imagery from MapBox for example), they typically need to Register/Sign Up and obtain an access token to access the service.

現(xiàn)在，如果我從服務(wù)器端使用 API - 沒有問題:我知道我的令牌安全地存儲在服務(wù)器上的某個位置，并且僅在我的服務(wù)器和服務(wù)提供商之間進(jìn)行通信時公開，這可以長是 HTTPS.但是，對于 JavaScript API(例如，如果我使用 Leaflet 從 MapBox 呈現(xiàn)地圖)，我是應(yīng)該在暴露給用戶的網(wǎng)絡(luò)瀏覽器的 JavaScript 中具有 我的訪問令牌 - 因此它可以非常容易地找到某人的訪問令牌.我的用戶，或者在公共服務(wù)的情況下，實際上是任何人，都可以在瀏覽器的開發(fā)工具"中找到令牌.

Now, if I would use the API from the server side - there is no issue: I know my token is stored securely somewhere on the server and is only exposed upon communication between my server and the service provider, which is OK as long it is HTTPS. However, in case of a JavaScript API (for example if I use Leaflet to render a map from MapBox), I am supposed to have my access token in a JavaScript which is exposed to the user's web browser - and so it makes it extremely easy to find someone's access token. My users, or in a case of a public service, literally anyone, would be able to find the token in the browser's "Dev Tools".

然而，就我而言，這個令牌應(yīng)該被視為一種有意義的數(shù)據(jù)——服務(wù)使用情況是根據(jù)這個令牌提供的身份驗證來跟蹤的.如果您根據(jù)使用情況為服務(wù)付費(fèi)，這將變得至關(guān)重要，但即使您不這樣做(例如，如果您使用免費(fèi)/入門/非付費(fèi)計劃) - 服務(wù)使用是有限的，我想確定一下只有我使用它.

This token however, as for me, should be considered as a sensetive data - service usage is tracked based on the authentication this token provides. If you pay for the service based on its usage it becomes critical, but even if you don't (like, if you use a Free/Starter/Non Paid plan) - service usage is limited and I'd like to be sure it is only me who uses it.

我唯一的選擇是通過我自己的網(wǎng)絡(luò)服務(wù)器代理嗎?

Is my only option a proxy via my own web server?

如果 JavaScript 在用戶的瀏覽器中執(zhí)行，有沒有辦法保護(hù) JavaScript API 用來訪問外部服務(wù)的訪問令牌?

Is there a way to secure the access token used by a JavaScript API to access an external service, provided that JavaScript is executed in a user's browser?

推薦答案

使用 CORS 限制訪問

使用 CORS 設(shè)置讓您的網(wǎng)絡(luò)服務(wù)器在 ajax 請求中返回訪問令牌.可以使用此方法訪問您的應(yīng)用程序來捕獲令牌.

Make your web server return the access tokens on an ajax request from you javascript with CORS setup. Token can be captured with this method visiting your app.

向授權(quán)用戶提供令牌

您還可以在您的網(wǎng)絡(luò)服務(wù)器上添加身份驗證，以向您允許的用戶提供有限的訪問權(quán)限.令牌可以使用此方法獲取，但只能由授權(quán)用戶獲取.

You can also add authentication on your webserver to provide limited access to the users you allow. Token can be captured with this method but only by authorized users.

代理請求

完全保護(hù)該令牌的唯一方法是通過您的服務(wù)器代理請求.使用此方法無法捕獲令牌.請注意，這可能違反服務(wù)條款.

The only way to completely protect that token is to proxy the requests through your server. Token cannot be captured with this method. Note that this may be against terms of service.

這篇關(guān)于如何保護(hù) JavaScript API 訪問令牌?的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網(wǎng)！