I've been looking over the web for a little while but couldn't grasp the concept of making a private API only between front-end and back-end. What I essentially want to do is have an API that's only accessible through the front-end, not through curl, Postman or anything else.
I have the following setup:

- The app is hosted on Heroku; the backend is in Node.js.
- I use an https connection that I self-generated via the Let's Encrypt tool.
- I have a public API at the moment that returns the string 'Hello world'.
- Currently, you can access it either via the front-end or by going to www.example.com/api/test, but what I would like to do is not allow the user to manually visit the link or use curl or Postman to get it, but instead only make it accessible through the front-end.
- The front-end is written in Angular 2 (if it matters at all).
Note that I am not planning to have any user sign in on the website; I simply want to restrict access to the API from the outside world so that only my front-end can get to it.
UPDATE USE CASE
The use case in the future is simple. I have a basic sign-up form which asks for an email address and a text description. I then use nodemailer on the backend to send that information to Gmail, using a POST request from Angular 2. I access the data sent through req.on('data') and req.on('end') and process it. My fear is: how do I make sure I am not going to get spammed through that API and receive 10k emails? Hence my wish to somehow make the API only accessible through the front-end.
1 solution

Answer #1 (score 2)
While you cannot prevent a REST service from being called by the whole internet, you can still prevent spamming. Whether your service requires authentication or not, it's always the same mechanism: use a CAPTCHA (the most important part) and rate-limit your API.
1. CAPTCHA:

The best way to ensure that the client making the request to a server is driven by a human being is a CAPTCHA.

CAPTCHA:

A CAPTCHA (a backronym for "Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge-response test used in computing to determine whether or not the user is human.

You can find plenty of services or libraries that will create CAPTCHAs, like Google's reCAPTCHA.
2. Rate limiting:

- For a public service, you can rate-limit access by IP: if the same IP makes 10, 100, or even 1000 requests (depending on the purpose of that service), that's a bit suspicious, so you can refuse to serve it by sending an error status and logging that unfair behaviour to the application logs. The sysadmin can then ban the IP at the firewall level with a tool like fail2ban.
- For an authenticated service, well, that's the same, except you might also want to rate-limit the API based on both the IP and the identity, and you might not want to ban an authenticated user...

Note that you don't really have to handle the rate limit yourself for a public API, meaning that preventing the same IP from making 1000 POST requests to the same URL in 10 seconds is something that can and should be done by a sysadmin.