使用AJAX和PHP对第三方API进行安全的API调用
我要进行GET,POST和& PUT调用第三方API,并通过AJAX在客户端显示响应. API调用需要一个令牌,但是我需要将该令牌保密/不在客户端JS代码中.
I want to make GET, POST & PUT calls to a 3rd party API and display the response on the client side via AJAX. The API calls require a token, but I need to keep that token secret / not in the client-side JS code.
我已经看到一些此类建议在中间包含服务器端代码,由AJAX查询,并处理实际的API调用.我可以直接使用AJAX的API,但是不确定如何使用两步过程来向用户隐藏令牌.我的谷歌搜索尚未找到实现此目标的最佳实践方法的任何指示.
I've seen a few suggestions like this one to have server-side code in the middle that would be queried by the AJAX, and would handle the actual API call. I'm OK working directly with the API from AJAX, but I'm unsure of how to work with a two-step process in order to hide the token from users. My Googling hasn't turned up any pointers on a best-practice method of achieving this.
在我的情况下,中间的服务器将运行PHP,因此我认为cURL/Guzzle是使用令牌进行API调用的直接选择. API响应将为JSON.
In my case the server in the middle would be running PHP, so I assume cURL / Guzzle is the straightforward option to make the API calls with the token. The API responses will be JSON.
任何人都可以给我一个粗略的示例,说明如何使用jQuery.ajax(),PHP,第三方API来实现此目标吗?
Can anyone please give me a rough example of how this would be achieved using jQuery.ajax(), to PHP, to the 3rd party API?
或者,如果有任何质量资源详细介绍此方法,我将感谢您的链接.同样,如果这是一种可怕的方法,那就知道为什么会很好.
Alternatively if there are any quality resources that cover this method in detail, I'd appreciate a link. Equally, if this is a terrible method to use it'd be great to know why.
修改
可能值得一提的是,我希望在部署此应用程序时具有尽可能多的灵活性;它将在具有唯一配置的多个站点上使用,因此理想情况下可以在不更改服务器或托管帐户配置的情况下实现.
Edit
Probably worth noting that I want as much flexibility in deploying this as possible; it would be used on multiple sites with unique configurations, so ideally this would be implemented without altering server or hosting account configuration.
没有示例代码很难.但是据我了解,您可以按照以下步骤进行操作,
It is bit hard without sample code. But As per I understood you can follow this,
AJAX CALL
AJAX CALL
$.ajax({
type: "POST",
data: {YOU DATA},
url: "yourUrl/anyFile.php",
success: function(data){
// do what you need to
}
});
在PHP
In PHP
收集您发布的数据并处理API
Collect your posted data and handle API, Something like this
$data = $_POST['data'];
// lets say your data something like this
$data =array("line1" => "line1", "line2"=>"line1", "line3" =>"line1");
$api = new Api();
$api->PostMyData($data );
示例API类
class Api
{
const apiUrl = "https://YourURL/ ";
const targetEndPoint = self::apiUrl. "someOtherPartOFurl/";
const key = "someKey819f053bb08b795343e0b2ebc75fb66f";
const secret ="someSecretef8725578667351c9048162810c65d17";
private $autho="";
public function PostMyData($data){
$createOrder = $this->callApi("POST", self::targetEndPoint, $data, true);
return $createOrder;
}
private function callApi($method, $url, $data=null, $authoRequire = false){
$curl = curl_init();
switch ($method)
{
case "POST":
curl_setopt($curl, CURLOPT_POST, 1);
if ($data)
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($data));
break;
case "PUT":
curl_setopt($curl, CURLOPT_PUT, 1);
break;
default:
if ($data)
$url = sprintf("%s?%s", $url, http_build_query($data));
}
if($authoRequire){
$this->autho = self::key.":".self::secret;
// Optional Authentication:
curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($curl, CURLOPT_USERPWD, $this->autho);
}
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($curl);
curl_close($curl);
return $result;
}
}