New API interfaces appear all the time, and there are many criteria for judging whether an API is well designed. Among them, security is the most basic and most important property of an API interface. This is especially true for top-up and payment APIs, such as mobile credit top-up, data-plan top-up, game and QQ coin top-up, and utility (water, electricity, gas) payment interfaces: whether or not they are secure directly affects the property of individuals or enterprises, so handling the security of these interfaces well is particularly important. In this article we talk about the security of API interfaces.
Consider the kind of interface where the server performs member operations directly according to a user_id sent by the client. This is a very dangerous way to handle an interface: it is equivalent to exposing the whole member system, because anyone who simply changes the user_id can operate every member-related interface on behalf of that member.
On the PC side we generally identify members and maintain sessions with encrypted cookies. But cookies are stored locally in the browser, and an app does not have them, so we have to identify members by a token parameter. How should this token be handled?
Before doing interface encryption, let us first look at the following schemes:
Scheme 1:
Agree with the app developers on a specific combination of values to hash with MD5; both ends compute the value and compare it, allowing the request if the values match and denying it otherwise. However, this is not secure either: if the app is decompiled, the agreed algorithm is exposed, especially in Android apps, and with the algorithm in hand one can fully simulate interface requests that pass validation.
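To make the shape of scheme 1 concrete, here is an added example (not code from the original post): a request-signing scheme in which both sides hash the sorted request parameters with a shared secret. HMAC-SHA256 stands in for the post's "agreed MD5 combination", a timestamp window is added so that a captured request cannot be replayed indefinitely, and the server compares digests in constant time. The secret, field names and 300-second window are constructed for the example; the weakness the post describes is visible in the first lines: APP_SECRET has to live inside the app for the client to sign anything.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed shared secret. In scheme 1 this value is compiled into the app,
# which is exactly why decompiling the app recovers it.
APP_SECRET = b"constructed-demo-secret-do-not-reuse"
MAX_SKEW_SECONDS = 300  # assumption: reject requests whose "ts" is more than 5 minutes off


def canonical_string(params: Dict[str, str]) -> str:
    """Sort parameters by name so client and server hash identical input.
    The signature itself is excluded from what gets signed."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sign")


def sign_request(params: Dict[str, str], secret: bytes = APP_SECRET) -> str:
    """Client side: keyed hash over the canonical parameter string."""
    msg = canonical_string(params).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(params: Dict[str, str], secret: bytes = APP_SECRET,
                   now: Optional[float] = None) -> bool:
    """Server side: reject stale timestamps, recompute the signature and
    compare in constant time so the check does not leak via timing."""
    now = time.time() if now is None else now
    try:
        ts = int(params["ts"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    expected = sign_request(params, secret)
    return hmac.compare_digest(expected, str(params.get("sign", "")))


if __name__ == "__main__":
    # Constructed request: a top-up of 10.00 for member 42 at a fixed timestamp.
    request = {"uid": "42", "amount": "10.00", "ts": "1700000000"}
    request["sign"] = sign_request(request)
    print("valid:", verify_request(request, now=1700000010))
    print("tampered amount:", verify_request(dict(request, amount="9999.00"), now=1700000010))
```

Any change to a signed parameter, or an old timestamp, makes verification fail; but as the post notes, none of this helps once the secret has been extracted from the app, because a forged request can then be signed correctly.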
Scheme 2:
When a member logs in, the client calls the login interface and the server returns a token to the client. The token is generated from the website public key + the current UID + the current timestamp + a random number, encrypted twice. Depending on requirements, the token is either put into a cache and automatically expires after a period of time, or put into a database (if you use a database, create a separate table that records when the user logged in and logged out) and changed when the user logs out, so that the token is only valid until the user logs out.
To ensure security, users should also be automatically logged out after a period of time. Combined with Linux and database permission management, this scheme can guard against both external and internal threats.
Scheme 3:
Use a symmetric encryption algorithm to encrypt the UID + the website public key + a time, valid for a certain period. When the member logs in successfully, the server encrypts the ID and returns it to the client; when the client requests an interface with this parameter, the server decrypts it to authenticate the member.
But this is not safe either, because it does not guard against insiders. I heard that the Ctrip outage was caused by a malicious operation by an internal employee who was leaving. If a malicious insider knows the corresponding algorithm and rules, they can operate on the related members through the interface even without database access.
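The following added example (not code from the original post) pulls together the danger described at the start of the post with schemes 2 and 3. It shows scheme 2 as an opaque random token whose state lives on the server, with an expiry and immediate revocation on logout; scheme 3 as a self-contained token carrying the UID and an expiry time; and a member handler that derives the member from the token alone and never consults a client-supplied user_id. The server key, the one-hour lifetime and the in-memory dict standing in for a cache are constructed for the example. One substitution is labelled in the code: where the post encrypts the UID + site key + time symmetrically, this example authenticates the claims with HMAC-SHA256 from the standard library instead, which gives the same properties the post relies on (the client cannot forge or alter the token without the server key) without needing an extra library.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed server-side secret standing in for the post's "website public key";
# it stays on the server and is never shipped to the client.
SITE_KEY = b"constructed-site-key-do-not-reuse"
TOKEN_TTL = 3600  # assumption: a token lives for one hour unless revoked earlier

# ---- Scheme 2: opaque random token, state kept on the server ----------------
# token -> (uid, expiry). A cache such as Redis plays this role in production;
# a plain dict stands in here so the example runs offline.
_sessions: Dict[str, Tuple[int, float]] = {}


def issue_opaque_token(uid: int, now: Optional[float] = None) -> str:
    """Login succeeded: mint an unguessable token and record who it belongs to."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _sessions[token] = (uid, now + TOKEN_TTL)
    return token


def revoke_opaque_token(token: str) -> None:
    """Logout: delete the record so the token stops working immediately."""
    _sessions.pop(token, None)


def resolve_opaque_token(token: str, now: Optional[float] = None) -> Optional[int]:
    """Return the uid bound to a live token, or None if unknown, revoked or expired."""
    now = time.time() if now is None else now
    entry = _sessions.get(token)
    if entry is None:
        return None
    uid, expires_at = entry
    if now > expires_at:
        _sessions.pop(token, None)  # lazy cleanup of expired entries
        return None
    return uid


# ---- Scheme 3: self-contained token carrying uid and expiry -----------------
# Substitution: the post encrypts uid + site key + time symmetrically. Here the
# claims travel in the clear and are authenticated with HMAC-SHA256 instead, so
# nothing is stored server-side and the token cannot be forged or altered
# without SITE_KEY.

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_signed_token(uid: int, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    payload = json.dumps({"uid": uid, "exp": int(now + TOKEN_TTL)}, separators=(",", ":")).encode()
    mac = hmac.new(SITE_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def resolve_signed_token(token: str, now: Optional[float] = None) -> Optional[int]:
    """Verify the MAC before trusting any claim, then enforce the expiry."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SITE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    claims = json.loads(payload)
    if now > claims["exp"]:
        return None
    return claims["uid"]


# ---- The member interface itself --------------------------------------------
def handle_member_request(request: Dict, resolve: Callable, now: Optional[float] = None) -> Dict:
    """The member is derived from the token alone. A client-supplied user_id is
    never consulted, which closes the hole described at the start of the post,
    and the response always carries an explicit status rather than a bare NULL."""
    uid = resolve(request.get("token", ""), now)
    if uid is None:
        return {"status": "error", "msg": "invalid or expired token", "data": {}}
    return {"status": "ok", "msg": "", "data": {"uid": uid}}


if __name__ == "__main__":
    t = issue_opaque_token(7)
    print(handle_member_request({"token": t, "user_id": 1}, resolve_opaque_token))
    revoke_opaque_token(t)
    print(handle_member_request({"token": t, "user_id": 1}, resolve_opaque_token))
    print(handle_member_request({"token": issue_signed_token(9)}, resolve_signed_token))
```

The trade-off between the two token styles is the one the post circles around: the opaque token can be revoked the instant the user logs out but needs server-side state on every request, while the self-contained token needs no storage but stays valid until its expiry, and anyone who holds SITE_KEY can mint one, which is exactly the insider problem raised above.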
Scheme 4:
The password column of the database member table stores a double-encrypted MD5 value. When the user logs in, return the member's UID and this stored password value to the client as the token. Although the password value is transmitted as-is, others cannot log in even if they learn it, since after all it is the hashed value.
However, this idea is too naive. Although someone who captures the packet cannot log in as the member with the hashed password, once the token is known they can still use it to operate the member's interfaces until the user changes the password.
In addition to the above, it is best to use JSON as the data format, because JSON is cross-platform. When generating JSON, pay attention to the two JSON structures, objects (dictionaries) and arrays: in mobile development languages, foreach can only iterate over arrays, not over objects as it can in PHP, and objects are generally accessed by key name. The interface must provide explicit status information for success or failure and must not return NULL, which crashes on iOS.
Of course, there are more solutions to the problem of API interface security than these. Some open source projects and production solutions introduced by bloggers are worth studying and exploring. Only by thinking more and summarizing in practice can the APIs we develop become stronger.