Is it safe to call WooCommerce, WordPress and CoCart endpoints in the frontend? I need your opinion

Published 2025-01-14 10:19:59 | 1321 characters | 2 views | 0 comments

Question

I got a question about security. I am building a mobile webshop in Flutter. Is it bad to make those API calls in the frontend? Should I make a separate backend for it in Node for example?

I have also read that you can 'create' your own endpoints in WordPress with PHP. What about that? Does that make it any safer or not?

What endpoints do I use?

There is an existing WooCommerce API to retrieve products, get categories, and create orders. On the CoCart API, you can retrieve the cart, add to the cart, delete the cart, etc...

For the Mollie payment APIs, I think it is better to make a backend.

My take on it

I think it is fine to call those endpoints in the front end. I have seen Flutter packages for WooCommerce to call those endpoints. Yes, I do send the basic auth in the headers... so I am not sure how 'dangerous' that is.

But on the other side. What can the 'hacker' do? They can see all the products, that is fine I guess. I am not sure if they can create orders... They cannot steal money at least :)

Reference code

For reference, here is a piece of code when calling an endpoint:

import 'dart:convert';
import 'package:http/http.dart' as http;

// `username`, `password` and `Product` are referenced but not shown in the post;
// with WooCommerce REST API keys, `username`/`password` are the consumer key
// and consumer secret.

Future<Product> getProductById(int productId) async {
  // Builds an HTTP Basic credential from the key/secret embedded in the app.
  String basicAuth =
      'Basic ' + base64Encode(utf8.encode('$username:$password'));
  print(basicAuth); // debug output: this also writes the credential to the device log

  var response = await http.get(
      Uri.parse('https://websitename/wp-json/wc/v3/products/$productId'),
      headers: <String, String>{'Authorization': basicAuth});
  if (response.statusCode == 200) {
    return Product.fromJson(jsonDecode(response.body));
  } else {
    throw Exception('Failed');
  }
}

Let me know your opinion!

Comments (1)

皇甫轩 2025-01-21 10:19:59

When talking about security, the main question is what goes over the network request. If the username and password from the code above are something to keep secret, they can't be on the client side.

If you send the code to the user, the user has it and can check what's happening while tracing network requests.

You can always skip the UI, debug the network request, take all the details that were sent over that request and send those requests with cURL or anything else. Yet the client must authenticate somehow, and that's a wide topic, from "unlisted" URLs, where you just need to have the exact "random id" to get to the resource (e.g. YouTube and many file-sharing services use that for "unlisted" links, which means the resource won't be in search results, but if you have the exact link you will get to it), to OAuth2, which you can learn more about here, and you could check this post too, which covers several methods of token-based authentication.
