AI应用的API安全：从认证到授权的完整指南

AI应用的API安全：从认证到授权的完整指南

前言

我们的 API 曾经被恶意调用，导致服务不可用。后来我们建立了完整的 API 安全体系。

今天，分享我们是如何保护 API 的。

一、API 安全威胁

1.1 威胁类型

class APIThreats:
    THREATS = {
        "authentication": {"description": "认证绕过", "severity": "high"},
        "authorization": {"description": "越权访问", "severity": "high"},
        "rate_limiting": {"description": "API 滥用", "severity": "medium"},
        "injection": {"description": "注入攻击", "severity": "high"}
    }

1.2 攻击向量

class AttackVectors:
    VECTORS = {
        "brute_force": {"description": "暴力破解"},
        "credential_stuffing": {"description": "凭证填充"},
        "man_in_the_middle": {"description": "中间人攻击"},
        "cross_site_request_forgery": {"description": "CSRF"}
    }

二、认证机制

2.1 JWT 认证

class JWTAuthentication:
    def authenticate(self, token: str) -> dict:
        """JWT 认证"""
        import jwt
        
        try:
            payload = jwt.decode(token, "secret", algorithms=["HS256"])
            return {"user_id": payload["sub"], "valid": True}
        except jwt.InvalidTokenError:
            return {"valid": False}

2.2 API Key 认证

class APIKeyAuthentication:
    def authenticate(self, api_key: str) -> dict:
        """API Key 认证"""
        valid_keys = ["valid_key_1", "valid_key_2"]
        return {"valid": api_key in valid_keys}

三、授权机制

3.1 RBAC

class RBACAuthorization:
    def authorize(self, user_id: str, resource: str, action: str) -> bool:
        """基于角色的访问控制"""
        roles = {
            "admin": {"permissions": ["*"]},
            "user": {"permissions": ["read", "create"]}
        }
        
        role = self._get_role(user_id)
        return action in roles.get(role, {}).get("permissions", [])

3.2 ABAC

class ABACAuthorization:
    def authorize(self, user: dict, resource: dict, action: str) -> bool:
        """基于属性的访问控制"""
        return user["department"] == resource["department"]

四、安全防护

4.1 限流

class RateLimiting:
    def __init__(self):
        self.limits = {"standard": 100, "premium": 1000}
    
    def check(self, user_id: str, plan: str) -> bool:
        """检查限流"""
        current = self._get_request_count(user_id)
        return current < self.limits.get(plan, 100)

4.2 输入验证

class InputValidation:
    def validate(self, input_data: dict) -> dict:
        """验证输入"""
        checks = [
            {"name": "required_fields", "passed": "email" in input_data},
            {"name": "email_format", "passed": self._is_valid_email(input_data.get("email"))}
        ]
        
        return {"valid": all(c["passed"] for c in checks), "checks": checks}

五、安全监控

5.1 异常检测

class AnomalyDetection:
    def detect(self, request: dict) -> dict:
        """检测异常"""
        anomalies = []
        
        if request["frequency"] > 100:
            anomalies.append("请求频率异常")
        
        return {"anomalies": anomalies, "risk_level": "high" if anomalies else "low"}

5.2 审计日志

class AuditLogging:
    def log(self, event: dict) -> dict:
        """记录审计日志"""
        return {
            "event": event["type"],
            "user_id": event["user_id"],
            "timestamp": datetime.now().isoformat(),
            "details": event["details"]
        }

六、最佳实践

6.1 API 安全原则

• ✅ 最小权限：只授予必要的权限
• ✅ 加密传输：使用 HTTPS
• ✅ 安全头：配置安全的 HTTP 头
• ✅ 定期轮换：定期更换密钥和凭证

6.2 常见误区

• ❌ 硬编码密钥：把密钥写在代码里
• ❌ 弱密码策略：允许弱密码
• ❌ 缺少监控：不监控 API 使用情况
• ❌ 忽视更新：不更新依赖和补丁

七、总结

API 安全是保护数据和服务的关键。关键在于：

1. 认证授权：确保只有合法用户能访问
2. 输入验证：防止恶意输入
3. 限流防护：防止 API 滥用
4. 持续监控：及时发现异常

记住：API 安全不是一次性工作，是持续的过程。