我用RapidAPI编写了API并将其部署在Heroku上。然后我在RapidAPI市场上列出了API,它使用x-rapidapi-proxy-secret头来帮助我使API只能通过RapidAPI访问。
为此,我在API中添加了以下代码:
app = FastAPI()
secret_header = os.environ.get("PROXY_SECRET", None)
@app.middleware("http")
async def check_rapidAPI_proxy_header(request: Request, call_next):
# Check if server knows about valid "secret"
if secret_header:
headers = request.headers
# If the header is missing, or does not match expected value
# Reject the request altogether
print(headers)
if (
"X-RapidAPI-Proxy-Secret" not in headers
or headers["X-RapidAPI-Proxy-Secret"] != secret_header
):
return PlainTextResponse(
"Direct access to the API not allowed", status_code=403
)
response = await call_next(request)
return response当一个请求通过RapidAPI到达我的API时,标头确实包括x-rapidapi-proxy-secret,但随后Heroku将请求重定向到同一个dyno,但这次不包括x-rapidapi-proxy-secret。
下面是Heroku日志,其中显示了重定向和我添加的打印内容,打印内容包含每个请求到达的所有头:
2022-05-13T09:49:58.118798+00:00 heroku[router]: at=info method=GET path="/endpoint?phrase=example_input" host=exampleapi.herokuapp.com request_id=801e146f-6175-491e-8b2f-aae28390e1e6 fwd="176.12.151.31, 176.12.151.31,18.197.117.10" dyno=web.1 connect=0ms service=21ms status=307 bytes=235 protocol=https
2022-05-13T09:49:58.117345+00:00 app[web.1]: Headers({'host': 'exampleapi.herokuapp.com', 'connection': 'close', 'x-real-ip': '176.12.151.31', 'x-forwarded-for': '176.12.151.31, 176.12.151.31, 18.197.117.10', 'accept': '*/*', 'accept-encoding': 'gzip, deflate', 'user-agent': 'python-requests/2.27.1', 'x-rapidapi-host': 'exampleapi.p.rapidapi.com', 'x-forwarded-port': '443', 'x-forwarded-proto': 'https', 'x-mashape-version': '1.2.8', 'x-mashape-proxy-secret': '**censoredkey**', 'x-rapidapi-version': '1.2.8', 'x-rapidapi-proxy-secret': '**censoredkey**', 'x-rapidapi-tenant-name': 'p', 'x-mashape-user': 'myusername', 'x-mashape-subscription': 'BASIC', 'x-rapidapi-user': 'myusername ', 'x-rapidapi-subscription': 'BASIC', 'x-request-id': '**censored**', 'via': '1.1 vegur', 'connect-time': '0', 'x-request-start': '1652435398096', 'total-route-time': '0'})
2022-05-13T09:49:58.117942+00:00 app[web.1]: 176.12.151.31:0 - "GET /endpoint?phrase=input" 307
2022-05-13T09:49:59.164640+00:00 heroku[router]: at=info method=GET path="/endpoint/?phrase=input" host=exampleapi.herokuapp.com request_id=8a88d8f6-ebfb-4da7-9d53-c6b7d8d3072c fwd="176.12.151.31" dyno=web.1 connect=0ms service=6ms status=403 bytes=196 protocol=https
2022-05-13T09:49:59.163686+00:00 app[web.1]: Headers({'host': 'exampleapi.herokuapp.com', 'connection': 'close', 'user-agent': 'python-requests/2.27.1', 'accept-encoding': 'gzip, deflate', 'accept': '*/*', 'x-rapidapi-host': 'exampleapi.p.rapidapi.com', 'x-rapidapi-key': '**censored**', 'x-request-id': '8a88d8f6-ebfb-4da7-9d53-c6b7d8d3072c', 'x-forwarded-for': '176.12.151.31', 'x-forwarded-proto': 'https', 'x-forwarded-port': '443', 'via': '1.1 vegur', 'connect-time': '0', 'x-request-start': '1652435399157', 'total-route-time': '0'})
2022-05-13T09:49:59.163820+00:00 app[web.1]: 176.12.151.31:0 - "GET /endpoint/?phrase=input HTTP/1.1" 403该请求将得到以下响应
bash-3.2$ python3 tests/test_rapid_api.py
Direct access to the API not allowed如果我理解正确的话,初始请求到达负载平衡器,然后负载平衡器将请求重定向到工作机dyno,但不包括x-rapidapi-proxy-secret头,这就是为什么工作机dyno拒绝请求的原因。
有没有办法让Heroku也转发这个头文件?或者我应该用另一种方法来检查我的API中的x-rapidapi-proxy-secret?
1条答案
按热度按时间wgeznvg71#
我不知道为什么,但查看标头时,我发现具有X-Rapidapi-Proxy-Secret值的密钥与以下密钥一起返回X-Mashape-Proxy-Secret