Gig*_*ink 5 security token firebase firebase-app-check
尽管我完全了解 AppCheck 的用法,但我仍然想知道它如何帮助防止向 API 端点发送垃圾邮件请求。在黑客使用 OpenBullet 或任何黑客工具每分钟向特定端点发送数千个请求的情况下(例如,在社交应用程序中创建数千个虚假个人资料的注册端点):
once the hacker got their hand on the appcheck token from the device, can't they simply attach it to the request's header, and spam all they want the api endpoint that we secured from our backend by checking appcheck token? I mean, as long as the TTL didn't expire, I guess all their requests will pass the check thus they could use their hacker tool and pretend to come from the untempered app? Or am I missing something?
I guess a solution would be to: 1- forceRefresh the appcheck token on each fetch request from the mobile app 2- expire the received appcheck token programmatically after successful verification from the backend, so that further request would need a new one that can only be generated from the app, thus making it harder for the hacker?
Any help is appreciated! :)
| 归档时间: |
|
| 查看次数: |
482 次 |
| 最近记录: |