A web application is public, and so is its front-end code. Unless an interface that talks to the back end is specially protected (encryption, a token), it is a bare interface: anyone who knows the API address can fetch the application's data at will. Application data is then easy to crawl or abuse, and the typical case is an SMS-sending interface being triggered maliciously in bulk.

The SMS interface of the company's financial product was such a bare interface: with nothing more than a mobile phone number it could be triggered at will. There was request limiting by phone number and by IP address, but that was not enough. A token was then added that permits a certain number of requests within a certain period of time. After observation there was basically no further sign of abuse, which shows that the new mechanism plays a real role. The mechanism is not only for preventing SMS abuse; it can be used to protect any bare interface.

The principle is simple. When a web page is requested, the back end injects a token into the page according to some algorithm, and the front end extracts the token according to the matching rule. When the front end then requests interface data it sends the token along; the back end verifies the token and returns data only after verification passes. For a native app, the client can instead obtain a token by calling the interface with encryption. The simplest and most direct form is for the native client to encrypt a string plus a timestamp (the timestamp obtained from the back end) and send the result to the back-end interface, which decrypts it and compares the timestamp; the token is treated as valid for a certain period. The timestamp check is added so that an intercepted encrypted message cannot simply be reused later.

Of course, web applications are public and all front-end source code is in theory available, so the way the back end injects the token into the page can also be reverse-engineered. The injection form can therefore be customised, for example injecting the token into a request instead of the page, or implementing a custom algorithm so that cracking it is harder.

This mechanism has been packaged as an independent NPM module, access-token-api, so that it can be reused across projects.

Usage example:

```
npm install access-token-api
```

```javascript
// server (nodejs)
var accessTokenApi = require('access-token-api');
var TokenApi = new accessTokenApi({
  webTokenVarName: 'encrypt_api_tokenStr' // default is encrypt_api_tokenStr
});

// client (browser)
// The injected token is read from the global variable named by webTokenVarName
// (window['encrypt_api_tokenStr'] with the default) and sent along when the
// interface is requested; the back end verifies it.
window[webTokenVarName]
```

The main interface:

issue: generate a token
verify: verify a token
decline: reduce the number of remaining valid uses of a token by one
webInject: the server injects the token into the web front-end page

The way the back end injects the token into web front-end pages can be customised by passing a webInject parameter (a function) when initialising the module:

```javascript
var TokenApi = new accessTokenApi({
  webInject: function (html, token, callback) {
    // Both HTML tags below were lost when the page was scraped; '</html>' and a
    // <script> tag that sets the token variable are assumed here.
    var htmlEndIndex = html.indexOf('</html>');
    var tokenScript = '<script>window.encrypt_api_tokenStr = "' + token + '";</script>';
    var prevHtml = html.substring(0, htmlEndIndex);
    var nextHtml = html.substr(htmlEndIndex);
    prevHtml += tokenScript;
    prevHtml += nextHtml;
    callback(null, prevHtml);
  }
});
```

The project address is Github.com/navyxie/acc…, and it includes examples using the Express and Sails frameworks to get a quick start.