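Hide the API key in an Ajax call from the client?

Time: 2018-10-18 09:17:40

Tags: ajax

First of all, I could not find an answer to my question.

The problem is that when I make the call, I have to add the API key in the header. I am using Ajax, but I don't want other people to see the API key from devtools.

My code is as follows: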

    $(document).ready(function(){
      $("#login").click(function(e){
        e.preventDefault();
        $.ajax({
          type: "POST",
          url: '/resource/auth/login',
          data: {
            username: username.value,
            password: password.value
          },
          // This header value is part of the page's JavaScript, so devtools shows it
          headers: { "ApiKey": "mykey" },
          success: function(){
            alert("Logged in");
          }
        });
      });
    });

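Is there a way to hide the value of "mykey"? If I don't provide the key in the header, the API call won't work.

Thanks!

1 answer:

Answer 0: (score: 0)

I hope this works for you; here is the code for you to look at: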

    @php
    // Key and IV are derived from fixed strings, so they are the same on every request
    $secret_key = hash('sha256', 'some_secret_key');
    $secret_iv = substr(hash('sha256', 'some_secret_iv'), 0, 16);
    @endphp

    $(document).ready(function(){
      $("#login").click(function(e){
        e.preventDefault();
        $.ajax({
          type: "POST",
          url: '/resource/auth/login',
          data: {
            _token: "{{ csrf_token() }}",
            // Blade runs openssl_encrypt on the server; the browser receives the ciphertext
            username: "{{openssl_encrypt('your_username','AES-256-CBC', $secret_key, 0, $secret_iv)}}",
            password: "{{openssl_encrypt('your_password','AES-256-CBC', $secret_key, 0, $secret_iv)}}"
          },
          headers: { "ApiKey": "{{openssl_encrypt('your_apikey','AES-256-CBC', $secret_key, 0, $secret_iv)}}" },
          success: function(resp){
            console.log(resp);
          },
          error: function(err){
            console.log(err);
          }
        });
      });
    });

In the controller's function, you can decrypt to get the username and password:

    public function login(Request $request){
      // Must match the key and IV used in the Blade template
      $secret_key = hash('sha256', 'some_secret_key');
      $secret_iv = substr(hash('sha256', 'some_secret_iv'), 0, 16);

      // Decrypt the values sent by the Ajax call
      $username = openssl_decrypt($request->input('username'), 'AES-256-CBC', $secret_key, 0, $secret_iv);
      $password = openssl_decrypt($request->input('password'), 'AES-256-CBC', $secret_key, 0, $secret_iv);
      $apikey = openssl_decrypt($request->header('ApiKey'), 'AES-256-CBC', $secret_key, 0, $secret_iv);

      echo 'Hye! your username is ' . $username . ',your password is ' . $password . 'and your api key is ' . $apikey;
    }

Here openssl_encrypt and openssl_decrypt are PHP functions; you can read about them in the documentation: openssl_encrypt:

openssl_decrypt:

Make sure your secret_key and secret_iv are the same on both sides.
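
What the browser ends up holding under the scheme above, modelled in Node.js as an added example (not code from the original question or answer): with a fixed key and IV, AES-256-CBC yields the same header value on every render, and that value is all the server checks. The function names and the sample API key are constructed for illustration, and the key truncation to 32 bytes is an assumption about how PHP's openssl_encrypt treats the 64-character hex key.

```javascript
// Added example: models the answer's PHP scheme in Node.js with constructed values.
const crypto = require('crypto');

// Mirrors PHP hash('sha256', ...): a 64-character hex string.
const sha256hex = (s) => crypto.createHash('sha256').update(s).digest('hex');

// AES-256 takes 32 key bytes, so only the first 32 hex characters take effect
// (assumption: openssl_encrypt truncates the longer passphrase).
const KEY = Buffer.from(sha256hex('some_secret_key').slice(0, 32));
const IV = Buffer.from(sha256hex('some_secret_iv').slice(0, 16));

// Equivalent of openssl_encrypt($v, 'AES-256-CBC', $key, 0, $iv): base64 output.
function renderHeaderValue(apiKey) {
  const c = crypto.createCipheriv('aes-256-cbc', KEY, IV);
  return Buffer.concat([c.update(apiKey, 'utf8'), c.final()]).toString('base64');
}

// Equivalent of the controller's openssl_decrypt step; null when decryption fails.
function serverDecrypt(headerValue) {
  try {
    const d = crypto.createDecipheriv('aes-256-cbc', KEY, IV);
    return Buffer.concat([d.update(headerValue, 'base64'), d.final()]).toString('utf8');
  } catch (e) {
    return null;
  }
}

// Hypothetical server-side check: accept when the header decrypts to the real key.
function serverAccepts(headerValue, expectedApiKey) {
  return serverDecrypt(headerValue) === expectedApiKey;
}

const API_KEY = 'constructed-api-key-123'; // constructed sample value
const firstRender = renderHeaderValue(API_KEY);
const secondRender = renderHeaderValue(API_KEY);

// Same key and same IV: every rendered page carries the identical ciphertext.
console.log('identical across renders:', firstRender === secondRender);
// The server cannot tell who sent the header; it only checks that it decrypts.
console.log('accepted on presentation:', serverAccepts(firstRender, API_KEY));
// In effect the ciphertext is the credential, and it is still visible client-side.
console.log('header value seen in devtools:', firstRender);
```
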