weixin_33698043 2018-11-06 13:31 Acceptance rate: 0%
Views: 353

How to protect a master API key?

I created a Restful API, a website (ReactJS/Ruby on Rails), and a mobile app(React Native).

I am using the API to show and process data on the website and the mobile app.

On the website, I am using jQuery AJAX requests that look something like this:

...some other code
componentDidMount () {
  $.getJSON('https://example.com/api/v1/accounts?key=MASTER-API-KEY', (data) => {
    this.setState({
      accounts: data.accounts
    });
  });
}
...some other code

In the mobile app, I am using fetch in a way that looks something like this:

...some other code
fetch('https://example.com/api/v1/accounts?key=MASTER-API-KEY', {
  method: 'GET',
...some other code

The users also have their own API keys with limited privilege based on their user level.

I already have validation so that a request is processed only if a valid API key has been sent. But on the website and in the app, I am using a master API key that has access to everything.

I believe that this can be seen in the source file on the website and it can be reverse engineered in the mobile app.

The possible solution that I have for the website is to make the process in the server instead of using AJAX, but how can I access it on my ReactJS components?

For the mobile app, should I switch to using Swift/Java and make the request there instead of fetch?


3 answers

  • weixin_33716941 2018-11-06 13:43

    This should work if you are developing on node (as I guess you are):

    using process.env by hackernoon

