dttwois6098 2017-09-03 14:37
浏览 51
已采纳

在Javascript中传递API令牌:如何保持安全

The following script queries information from an API and outputs it into the HTML, using simple AJAX and Javascript.

The TOKEN for the API is exposed in the Javascript. In my opinion this is not safe because anybody who can access the page can see the token. IF this method is not safe, is there some additional method to hide the token? Ideally I would like to use Javascript, HTML, and PHP if needed. The existing script is very simple and so I'm wondering if there is a relatively simple way to protect the token.. rather than having to add a lot of additional new code or methods.

<html>
<body>

<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>

<script>
  var settings = {
    "async": true,
    "crossDomain": true,
     "url": "https://www.eventbriteapi.com/v3/events/eventid/?
token=TOKEN",
    "method": "GET",
    "headers": {}
  }

  $.ajax(settings).done(function (data) {
    console.log(data);
    var content = "<h2>" + data.name.text + "</h2>" + data.description.html + 
data.start.utc;
    $("#eventbrite").append(content);
  });
</script>

<div id="eventbrite"></div>

</body>
</html>
  • 写回答

3条回答 默认 最新

  • douchujian8124 2017-09-03 16:15
    关注

    You can make a simple proxy script on your server using PHP!

    Your JavaScript will then call this script, including the event ID and nothing else in the GET parameter, so calling your PHP Proxy would be something like /proxy.php?eventid=123

    To further fancify this example you could utilize $_SESSION etc to make sure your user has visiter the page before visit and only allow 1 request per pageload or something similar.

    I have prepared a sample, but you have to modify it to fit your needs!

    <?php

//Get event ID you want to request:
$eventID = isset($_GET['eventid']) ? $_GET['eventid'] : FALSE;

//Exit if no ID provided:
if (!$eventID) {
    exit('No ID Provided.');
}

//Set your token:
$token = '<YOUR_TOKEN_HERE>';

//Set url, %s will be replaced later:
$url = 'https://www.eventbriteapi.com/v3/events/%s/?token=%s';

//Set url, pass in params:
$request_uri = sprintf($url, $eventID, $token);

//Try to fetch:
$response = file_get_contents($request_uri);

//Set content-type to application/json for the client to expect a JSON response:
header('Content-type: application/json');

//Output the response and kill the scipt:
exit($response);

    Resources: What is a Proxy (Wikipedia)

    Update: JavaScript:

    $.getJSON('/proxy.php', {eventid: '<id_here>'}, function(response){
    console.log(response);
    var content = "<h2>" + data.name.text + "</h2>" + data.description.html + 
    data.start.utc;
    $("#eventbrite").append(content);
});
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥35 平滑拟合曲线该如何生成
  • ¥100 c语言,请帮蒟蒻写一个题的范例作参考
  • ¥15 名为“Product”的列已属于此 DataTable
  • ¥15 安卓adb backup备份应用数据失败
  • ¥15 eclipse运行项目时遇到的问题
  • ¥15 关于#c##的问题:最近需要用CAT工具Trados进行一些开发
  • ¥15 南大pa1 小游戏没有界面,并且报了如下错误,尝试过换显卡驱动,但是好像不行
  • ¥15 自己瞎改改,结果现在又运行不了了
  • ¥15 链式存储应该如何解决
  • ¥15 没有证书,nginx怎么反向代理到只能接受https的公网网站