dttwois6098 2017-09-03 14:37
Views: 51
Accepted

Passing an API token in JavaScript: how to keep it secure

The following script queries information from an API and outputs it into the HTML, using simple AJAX and Javascript.

The TOKEN for the API is exposed in the Javascript. In my opinion this is not safe because anybody who can access the page can see the token. If this method is not safe, is there some additional method to hide the token? Ideally I would like to use Javascript, HTML, and PHP if needed. The existing script is very simple and so I'm wondering if there is a relatively simple way to protect the token, rather than having to add a lot of additional new code or methods.

<html>
<body>

<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>

<script>
  // The token is sent as a query-string parameter, so anyone who views the page
  // source or the browser's network traffic can read it.
  var settings = {
    "async": true,
    "crossDomain": true,
    "url": "https://www.eventbriteapi.com/v3/events/eventid/?token=TOKEN",
    "method": "GET",
    "headers": {}
  };

  $.ajax(settings).done(function (data) {
    console.log(data);
    var content = "<h2>" + data.name.text + "</h2>" + data.description.html + data.start.utc;
    $("#eventbrite").append(content);
  });
</script>

<div id="eventbrite"></div>

</body>
</html>

3 answers

  • douchujian8124 2017-09-03 16:15

    You can make a simple proxy script on your server using PHP!

    Your JavaScript will then call this script, including the event ID and nothing else in the GET parameter, so calling your PHP Proxy would be something like /proxy.php?eventid=123

    To further fancify this example you could utilize $_SESSION etc to make sure your user has visited the page before the request and only allow 1 request per pageload or something similar.

    I have prepared a sample, but you have to modify it to fit your needs!

    <?php
    
    //Get event ID you want to request:
    $eventID = isset($_GET['eventid']) ? $_GET['eventid'] : FALSE;
    
    //Exit if no ID provided, or if it is not a plain numeric ID
    //(keeps a crafted value from changing the upstream URL):
    if (!$eventID || !ctype_digit($eventID)) {
        exit('No valid ID Provided.');
    }
    
    //Set your token (server side only, never sent to the browser):
    $token = '<YOUR_TOKEN_HERE>';
    
    //Set url, %s will be replaced later:
    $url = 'https://www.eventbriteapi.com/v3/events/%s/?token=%s';
    
    //Build the request URI, pass in params:
    $request_uri = sprintf($url, $eventID, $token);
    
    //Try to fetch (requires allow_url_fopen; returns FALSE on failure):
    $response = file_get_contents($request_uri);
    if ($response === FALSE) {
        http_response_code(502);
        exit('Upstream request failed.');
    }
    
    //Set content-type to application/json for the client to expect a JSON response:
    header('Content-type: application/json');
    
    //Output the response and kill the script:
    exit($response);
    

    Resources: What is a Proxy (Wikipedia)

    Update: JavaScript:

    $.getJSON('/proxy.php', {eventid: '<id_here>'}, function(data){
        console.log(data);
        var content = "<h2>" + data.name.text + "</h2>" + data.description.html + data.start.utc;
        $("#eventbrite").append(content);
    });
    
    This answer was chosen as the best answer by the asker.
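A hardened variant of the proxy idea from the accepted answer, added here as an example and not part of the original answer. It assumes the token is stored in an environment variable named EVENTBRITE_TOKEN (outside the web root), that the page embedding the widget has already called session_start() and set $_SESSION['widget_ok'] = true, and that the PHP cURL extension is installed; the session gate, the digit-only check and the Authorization header are the additions over the answer's script.

```php
<?php
// proxy.php (added example): validates input, gates on the session the page set,
// keeps the token out of the URL, and forwards only status + JSON body.
session_start();

function fail(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: application/json');
    exit(json_encode(['error' => $msg]));
}

// Only browsers that loaded our page get to use the proxy (the answer's $_SESSION idea);
// the flag name 'widget_ok' is an assumption for this example.
if (empty($_SESSION['widget_ok'])) {
    fail(403, 'No session.');
}

// Strict validation: an event id is a string of digits, so values such as "../" or
// "?x=" can never alter the upstream path.
$eventID = $_GET['eventid'] ?? '';
if (!ctype_digit($eventID) || strlen($eventID) > 20) {
    fail(400, 'Invalid event id.');
}

// Token read from the environment, never from a file in the web root.
$token = getenv('EVENTBRITE_TOKEN');
if ($token === false || $token === '') {
    fail(500, 'Proxy not configured.');
}

// Send the token in the Authorization header instead of the query string so it does not
// land in web-server, proxy or CDN access logs together with the request URL.
$ch = curl_init('https://www.eventbriteapi.com/v3/events/' . $eventID . '/');
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER     => ['Authorization: Bearer ' . $token, 'Accept: application/json'],
    CURLOPT_TIMEOUT        => 10,
    CURLOPT_SSL_VERIFYPEER => true,
]);
$body   = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
$error  = curl_error($ch);
curl_close($ch);

if ($body === false) {
    fail(502, 'Upstream request failed: ' . $error);
}

// Forward the upstream status and JSON body only; upstream headers are not relayed.
http_response_code($status ?: 502);
header('Content-Type: application/json');
echo $body;
```

The browser-side call stays the same as the answer's $.getJSON('/proxy.php', {eventid: ...}) snippet; the token is never present in anything served to the client.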
