前言
基本上要保護API不被其他有心人士存取有很多種方法, 以下介紹兩種最常見的保護方式1. 檢查Request Header有沒有特定的API Key
Client跟Server在溝通時可以協調好Request Header裡應該要出現什麼特定的API Key字串才能證明是合法的請求
實作方法 - 使用Message Handler
Step 1. (Optional) 安裝必要套件
Microsoft.AspNet.WebApi.WebHost
Microsoft.AspNet.WebApi.Core
Microsoft.AspNet.WebApi.Client
如果你的專案是 ASP.NET Web Application (.NET Framework)這種類型的話, 請務必安裝以上的套件
Step 2. 實作Message Handler來檢查每個進來的請求
在專案中新增一個目錄Handlers
接下來, 在這個目錄中新增一個APIKeyMessageHandler.cs 如下
<原始碼>
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public class APIKeyMessageHandler : DelegatingHandler | |
| { | |
| private const string APIKey = "ZG95b3Vrbm93dGhhdGFjZXJpc3RoZWJlc3Rjb21wYW55aW50aGV3b3JsZGJ5YW5keQ=="; | |
| protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) | |
| { | |
| bool validKey = false; | |
| IEnumerable<string> requestHeaders; | |
| var checkApiKeyExists = request.Headers.TryGetValues("MyAPIKey", out requestHeaders); | |
| if (checkApiKeyExists) | |
| { | |
| if (requestHeaders.FirstOrDefault().Equals(APIKey)) | |
| { | |
| validKey = true; | |
| } | |
| } | |
| if (!validKey) | |
| { | |
| return new HttpResponseMessage(HttpStatusCode.Forbidden) | |
| { | |
| Content = new StringContent(JsonConvert.SerializeObject(new { message = "Invalid API Key" })), | |
| ReasonPhrase = "Invalid API Key" | |
| }; | |
| } | |
| var response = await base.SendAsync(request, cancellationToken); | |
| return response; | |
| } | |
| } |
這個類別可以用來過濾請求,
當請求Header內沒有指定的字串時會被拒絕,
Step 3. 註冊剛剛自訂義的Message Handler
修改Global.asax
<原始碼>
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public class MvcApplication : System.Web.HttpApplication | |
| { | |
| protected void Application_Start() | |
| { | |
| AreaRegistration.RegisterAllAreas(); | |
| FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters); | |
| GlobalConfiguration.Configure(WebApiConfig.Register); | |
| GlobalConfiguration.Configuration.MessageHandlers.Add(new APIKeyMessageHandler()); | |
| RouteConfig.RegisterRoutes(RouteTable.Routes); | |
| BundleConfig.RegisterBundles(BundleTable.Bundles); | |
| } | |
| } |
加入以下兩行
GlobalConfiguration.Configure(WebApiConfig.Register);
GlobalConfiguration.Configuration.MessageHandlers.Add(new APIKeyMessageHandler());
Step 4. 新增一個API Controller "MyApiController" 來處理請求
<原始碼>
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public class MyApiController : ApiController | |
| { | |
| [HttpGet] | |
| [Route("api/myapi/res")] | |
| public IHttpActionResult GetResource1() | |
| { | |
| return Ok("Hello Andy: welcome to my site "); | |
| } | |
| } |
測試
如果請求裡面沒有帶APIKey, 最後會得到 {"message": "Invalid API Key"} 的結果
完整原始碼在這
歡迎下載
方法二: 使用JWT來驗證身分
TBD
留言
張貼留言