
So I read through the sample Apple gives us (CloudKit Catalog), and I noticed that every time you want to write or read, you have to put the API token into the script.

Now, JavaScript is client-side, which means every user can read the API token and can read and write to my container?!

This code sits in one of the JavaScript files:

CloudKit.configure({
  locale: 'en-us',

  containers: [{

    // Change this to a container identifier you own.
    containerIdentifier: 'com.example.apple-samplecode.cloudkit-catalog',

    apiTokenAuth: {
      // And generate a web token through CloudKit Dashboard.
      apiToken: '<insert your token here>',

      persist: true, // Sets a cookie.

      signInButton: {
        id: 'apple-sign-in-button',
        theme: 'black' // Other options: 'white', 'white-with-outline'.
      },

      signOutButton: {
        id: 'apple-sign-out-button',
        theme: 'black'
      }
    },

    environment: 'development'
  }]
});

So the question is: am I missing something, or is the solution for users to do server-to-server communication through Node?

2 Answers

Here's my understanding:

API Tokens are not really meant to be private, and can't be since they're designed to be used in client-side JavaScript. Even if you tried to obfuscate the token in your code, it would be easily discovered by examining the URLs that are called during the sign in process.

The important thing to understand is that they can't do much by themselves. They allow a user to sign in to your container, and then the signed in user can read and write their own data—the same things they'd have access to if they signed in to iCloud on their iPhone or Mac and used your app there.

There's not much of a security concern because even if they take your token and write their own JavaScript, they're only messing with their own data. That said, you can use the "Allowed Origins" option to make this harder to do. (I put it that way because they could conceivably use a browser extension or something to alter the JS on your site. In general it seems wise to treat a user's CloudKit data as untrusted, even when it's coming from the API.)

Server to Server Keys are very different, and have a private key that is of course meant to be private. In that scenario anyone with the private key has read and write access to your public database. As the name implies, this is not something you'd use directly from JavaScript—you'd write your own server-side code that contacts the CloudKit API directly.

Unfortunately, while Apple has a nice red warning when you create a private Server to Server key, they don't seem to offer any security guidance on API Tokens. I'm 99% confident that this is because it's not a concern, and working on getting confirmation for that last 1%.

Answered 2018-05-11T18:42:53.810

init.js runs on the client, in the browser, as you can easily see from the code:

<script>
  window.addEventListener('cloudkitloaded', CKCatalog.init);
</script>

This discloses the API token to the user...
But you can always reduce the risk of the API token being used dangerously by:

  • setting the API token's "Allowed Origins" to only your site's domain;
  • setting the "Sign-in Callback" to only your URL;
  • etc.

In short, running on the client leaks your API token, but it is still fine if you take steps to prevent the token from being used dangerously.

Answered 2017-07-25T03:52:06.457