Last update: 2024-04-01 15:16:13
Verifies the credibility of a request with a dynamic token: a cloud-based verification method built on CDNetworks' self-developed authentication algorithm, used to intercept requests from impostors.
It is a security risk to expose API assets directly to the public Internet. Therefore, you should divide the permissions of the API and authenticate every API request. If authentication passes, the API request is allowed to be processed; otherwise, it is rejected.
API Shield provides an authentication feature to protect your sensitive API assets. The authentication is token based, and its algorithm is developed by CDNetworks.
Once you enable authentication, API Shield provides the authentication key for you. The end user's device must generate the authentication value from the authentication key using the given algorithm.
When the end user sends a request to the API assets carrying the authentication value, API Shield verifies whether the value is correct. If it is not, the request is blocked.
The code example supports three development languages: Python, Java, and Shell. The complete code example is as follows:
Configuration:
1. Pending authentication API: http://your.domain/api
2. Signature Algorithm: HmacSHA256
3. Key: secret_key_str
4. Authentication: HEADER
   Authentication Header key: X_Sam_Auth
Code Example:
1. Python
import binascii
import hmac
import hashlib
import time
import requests

secret_key_str = "secret_key_str"
# Current Unix time in seconds; sent as X-Date and used as the HMAC message
tmp_timestamp = str(int(time.time()))
# HMAC-SHA256 over the timestamp, keyed with the authentication key
tmp_binary = hmac.new(secret_key_str.encode("utf-8"), tmp_timestamp.encode("utf-8"), digestmod=hashlib.sha256).digest()
# Convert the HMAC byte array to a hexadecimal string
tmp_hex = binascii.hexlify(tmp_binary).decode("utf-8")
headers = {
    "X-Date": tmp_timestamp,
    "X_Sam_Auth": tmp_hex
}
url = "http://your.domain/api"
resp = requests.get(url, headers=headers)
2. Java
import cn.hutool.core.util.HexUtil;
import cn.hutool.http.HttpResponse;
import cn.hutool.http.HttpUtil;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;

// Wrapping class added so the snippet compiles as a stand-alone program
public class ApiShieldAuth {
    public static void main(String[] args) throws Exception {
        String key = "secret_key_str";
        // Current Unix time in seconds; sent as X-Date and used as the HMAC message
        String timestamp = String.valueOf(System.currentTimeMillis() / 1000);
        // HMAC-SHA256 over the timestamp, keyed with the authentication key
        Mac sha256 = Mac.getInstance("HmacSHA256");
        SecretKeySpec secretKeySpec = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
        sha256.init(secretKeySpec);
        // Convert the HMAC byte array to a hexadecimal string
        String hex = HexUtil.encodeHexStr(sha256.doFinal(timestamp.getBytes(StandardCharsets.UTF_8)));
        String url = "http://your.domain/api";
        HttpResponse response = HttpUtil.createGet(url)
                .header("X-Date", timestamp)
                .header("X_Sam_Auth", hex)
                .execute();
    }
}
3. Shell
#!/bin/bash
secret_key_str="secret_key_str"
# Current Unix time in seconds; sent as X-Date and used as the HMAC message
tmp_timestamp=$(date +%s)
# HMAC-SHA256 over the timestamp, keyed with the authentication key, as a hex string
tmp_hex=$(printf '%s' "$tmp_timestamp" | openssl dgst -sha256 -hmac "$secret_key_str" -binary | hexdump -ve '/1 "%02x"')
curl -i --url "http://your.domain/api" \
  -X "GET" \
  -H "X-Date: $tmp_timestamp" \
  -H "X_Sam_Auth: $tmp_hex"
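The three client snippets all emit the same header pair. As an added example (not CDNetworks' code), the check a receiving gateway performs on that pair: recompute HMAC-SHA256 over X-Date, compare it with X_Sam_Auth in constant time, and reject stale timestamps. The freshness window MAX_SKEW_SECONDS and the function names are assumptions; the page does not state API Shield's own tolerance.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

SECRET_KEY = "secret_key_str"   # key from the configuration above
MAX_SKEW_SECONDS = 300          # assumed tolerance; not stated on the page


def sign(timestamp: str, key: str = SECRET_KEY) -> str:
    """Client side: HMAC-SHA256 over the X-Date string, hex encoded."""
    return hmac.new(key.encode("utf-8"), timestamp.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def verify(headers: Dict[str, str], key: str = SECRET_KEY,
           now: Optional[int] = None) -> Tuple[bool, str]:
    """Server side: accept the request only if both headers are present,
    the timestamp is recent, and the HMAC matches. Returns (ok, reason)."""
    timestamp = headers.get("X-Date")
    auth = headers.get("X_Sam_Auth")
    if timestamp is None or auth is None:
        return False, "missing header"
    if not timestamp.isdigit():
        return False, "malformed timestamp"
    now = int(time.time()) if now is None else now
    # Dynamic token: a captured signature must stop working once it is old.
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = sign(timestamp, key)
    # Constant-time comparison so timing does not reveal how many hex chars matched.
    if not hmac.compare_digest(expected, auth.lower()):
        return False, "bad signature"
    return True, "ok"


def build_headers(key: str = SECRET_KEY, now: Optional[int] = None) -> Dict[str, str]:
    """Client side: the header pair the Python/Java/Shell snippets above produce."""
    ts = str(int(time.time()) if now is None else now)
    return {"X-Date": ts, "X_Sam_Auth": sign(ts, key)}


if __name__ == "__main__":
    good = build_headers(now=1_700_000_000)            # constructed sample time
    print(verify(good, now=1_700_000_005))             # (True, 'ok')
    print(verify(good, now=1_700_000_000 + 3600))      # (False, 'stale timestamp')
    tampered = dict(good, X_Sam_Auth="0" * 64)
    print(verify(tampered, now=1_700_000_005))         # (False, 'bad signature')
```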