使用ip为iOS应用程序运行Sinatra ruby​​应用程序有多安全

时间:2017-06-21 15:57:50

标签: ios ruby amazon-ec2 sinatra spotify

我正在构建一个iOS应用程序,我有一个运行Sinatra应用程序的AWS ec2实例,用于刷新和交换Spotify SDK访问令牌,我想知道有关于http://#someIP:4567等网址的任何安全问题应用本身。

我知道使用AWS ec2实例,您可以通过将其设为https来保护它,但是如何以相同的意义保护IP(如果我甚至需要这样做)?

以下是ruby文件中的内容:

require 'sinatra'
require 'net/http'
require 'net/https'
require 'base64'
require 'encrypted_strings'
require 'json'

set :bind, '0.0.0.0'

CLIENT_ID = ENV['TheClientIDGivenBySpotify']
CLIENT_SECRET = ENV['TheClientSecretGivenBySpotify']
ENCRYPTION_SECRET = ENV['cFJLyifeUJUBFWdHzVbykfDmPHtLKLGzViHW9aHGmyTLD8hGXC']
CLIENT_CALLBACK_URL = ENV['appForSpotify://returnAfterLogin']

SPOTIFY_ACCOUNTS_ENDPOINT = URI.parse("https://accounts.spotify.com")

get '/' do
"Working"    
end

post '/swap' do
    AUTH_HEADER = "Basic " + Base64.strict_encode64(CLIENT_ID + ":" + CLIENT_SECRET)

    # This call takes a single POST parameter, "code", which
    # it combines with your client ID, secret and callback
    # URL to get an OAuth token from the Spotify Auth Service,
    # which it will pass back to the caller in a JSON payload.

    auth_code = params[:code]

    http = Net::HTTP.new(SPOTIFY_ACCOUNTS_ENDPOINT.host, SPOTIFY_ACCOUNTS_ENDPOINT.port)
    http.use_ssl = true

    request = Net::HTTP::Post.new("/api/token")

    request.add_field("Authorization", AUTH_HEADER)

    request.form_data = {
        "grant_type" => "authorization_code",
        "redirect_uri" => CLIENT_CALLBACK_URL,
        "code" => auth_code
    }

    response = http.request(request)

    # encrypt the refresh token before forwarding to the client
    if response.code.to_i == 200
        token_data = JSON.parse(response.body)
        refresh_token = token_data["refresh_token"]
        encrypted_token = refresh_token.encrypt(:symmetric, :password => ENCRYPTION_SECRET)
        token_data["refresh_token"] = encrypted_token
        response.body = JSON.dump(token_data)
    end

    status response.code.to_i
    return response.body
end

post '/refresh' do
    AUTH_HEADER = "Basic " + Base64.strict_encode64(CLIENT_ID + ":" + CLIENT_SECRET)

    # Request a new access token using the POST:ed refresh token

    http = Net::HTTP.new(SPOTIFY_ACCOUNTS_ENDPOINT.host, SPOTIFY_ACCOUNTS_ENDPOINT.port)
    http.use_ssl = true

    request = Net::HTTP::Post.new("/api/token")

    request.add_field("Authorization", AUTH_HEADER)

    encrypted_token = params[:refresh_token]
    refresh_token = encrypted_token.decrypt(:symmetric, :password => ENCRYPTION_SECRET)

    request.form_data = {
        "grant_type" => "refresh_token",
        "refresh_token" => refresh_token
    }

    response = http.request(request)

    status response.code.to_i
    return response.body

end

在xcode中,我会发布到http://#someIP:4567/swaphttp://#someIP:4567/refresh

这样做安全吗? 我正确地处理了吗? 通过将请求发送到任何人都可以访问的IP,我是否将自己和使用该应用程序的任何其他人置于可能被盗或被查看的危险之中?

1 个答案:

答案 0 :(得分:0)

HTTPS仅适用于域名。不适用于IP。如果您只使用IP,那么您将面临MITM攻击并且您的所有数据都是纯文本。任何人都可以窃听您的请求。您在交换请求中有一个代码参数,我想代码是凭证是否正确?如果是,最好抓住一些域名并使用aws route53进行设置。然后购买一些廉价的SSL证书,将其与域名相关联。然后在iOS端,启用HTTPS而不是HTTP与您的服务器通信。这与您的Sinatra应用程序无关。

要了解有关SSL / HTTPS的更多信息,您可以查看一些这样的初学者教程:http://www.hongkiat.com/blog/ssl-certs-guide/

相关问题
最新问题