发表新帖
发表新帖

Securing my Node.js app's REST API?

前端 未结
关注
4 1454
孤独总比滥情好
孤独总比滥情好 2021-01-29 17:53

I could do with some help on my REST API. I\'m writing a Node.js app which is using Express, MongoDB and has Backbone.js on the client side. I\'ve spent the last two days trying

4条回答
  • 走了就别回头了
    走了就别回头了 (楼主)
    2021-01-29 18:42

    In order of increasing security / complexity:

    Basic HTTP Auth

    Many API libraries will let you build this in (Piston in Django for example) or you can let your webserver handle it. Both Nginx and Apache can use server directives to secure a site with a simple b64encoded password. It's not the most secure thing in the world but it is at least a username and password!

    If you're using Nginx you can add a section to your host config like so:

    auth_basic "Restricted";
auth_basic_user_file /path/to/htpasswd;

    (Put it in your location / block)

    Docs: http://wiki.nginx.org/HttpAuthBasicModule

    You'll need to get the python script to generate that password and put the output into a file: http://trac.edgewall.org/browser/trunk/contrib/htpasswd.py?format=txt

    The location of the file doesn't matter too much as long as Nginx has access to it.

    HTTPS

    Secure the connection from your server to the app, this is the most basic and will prevent man in the middle attacks.

    You can do this with Nginx, the docs for it are very comprehensive: http://wiki.nginx.org/HttpSslModule

    A self-signed certificate for this would be fine (and free!).

    API Keys

    These could be in any format you like but they give you the benefit of revoking access should you need to. Possibly not the perfect solution for you if you're developing both ends of the connection. They tend to be used when you have third parties using the API, eg Github.

    OAuth

    OAuth 2.0 is the one to go with here. While I don't know the underlying workings of the spec it's the defacto standard for most authentication now (Twitter, Facebook, Google, etc.) and there are a ton of libraries and docs to help you get those implemented. That being said, it's usually used to authenticate a user by asking a third party service for the authentication.

    Given that you doing the development both ends it would probably be enough to put your API behind Basic HTTP Auth and serve it over HTTPS, especially if you don't want to waste time messing around with OAuth.

    0 讨论(0)
 看不清?
提交回复
热议问题