ghost-blog – Ghost blog client ID and secret shown in the page head

I am developing a Ghost blog for a production site using the API beta, and when I view the page source I can see the following:

ghost.init({
    clientId: "ghost-frontend",
    clientSecret: "xxxxxxxxxxx"
});

in the HTML head section. Is this right? Shouldn't the secret be hidden? Although obviously "client" means it is meant to be on the client side.

Best answer: According to the Ghost documentation, these credentials are used for client authentication. Client authentication only grants access to the public Ghost API, which is essentially anything your readers can already access on your blog without authenticating. So exposing these credentials should not be a problem, since they can only be used to read public information. In addition, API requests currently must come from the domain specified in the config.js file.

Ghost API Documentation

Please be aware that as of current Ghost versions, Client Authentication is only available as part of the Public API Beta, and only provides access to read public data.

The ‘Public’ API essentially reflects the behaviour of a blog – it provides
read access to any data that a user/reader of a blog would be able to see.

For the time being Client Authentication is restricted to the domain specified in your config.js file, meaning that requests that come from a theme will work, but requests from another site will not.

This is why they did it this way:

Ghost’s JSON API has the same abilities as the admin panel (in fact the admin panel uses the API) – so it will eventually be possible to read and write any data you have permissions for using the API. Some data in a blog is inherently public: your published posts, tags, and active users (minus their email and password hash). For this first release, we’re only providing access to read public data.

Additionally, for the first release, we’re only making it possible to read that data from within the theme / frontend of your blog. This is because the ‘client’ authentication that we’re providing only permits requests from internally known domains. All of this will be expanded upon in later releases where there will be a UI to create clients for different kinds of access.

https://help.ghost.org/article/11-public-api-beta

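The answer's point is that the secret belonging to the "ghost-frontend" client is expected to appear in page source, because that client only gets read access to public data and is restricted to the blog's own domain. The check a practitioner would want is the converse: that no other client's secret has ended up in served HTML. The following is an added example, not code from the question or from Ghost itself. It scans an HTML document for ghost.init({...}) calls and classifies each client it finds; the assumption (labelled in the code) is that "ghost-frontend" is the only client whose secret is intended to be public, and the sample pages are constructed, not real Ghost output.

```javascript
// Added example (not part of the original question or of Ghost's own code):
// audit served HTML for Ghost client credentials embedded in ghost.init({...})
// calls and classify them. Assumption: "ghost-frontend" (the client named in
// the question) is the only client whose secret is meant to be public in the
// theme; any other clientId found in page source is flagged for review.

const PUBLIC_CLIENT_IDS = new Set(["ghost-frontend"]);

// Matches ghost.init({ ... }) and captures the object literal body.
const INIT_RE = /ghost\.init\s*\(\s*\{([^}]*)\}\s*\)/g;
// Matches clientId / clientSecret keys with either quote style, any order.
const KEY_RE = /(clientId|clientSecret)\s*:\s*(['"])(.*?)\2/g;

// Returns one { clientId, clientSecret } record per ghost.init call found.
function extractGhostClients(html) {
  const found = [];
  for (const m of html.matchAll(INIT_RE)) {
    const entry = { clientId: null, clientSecret: null };
    for (const k of m[1].matchAll(KEY_RE)) {
      entry[k[1]] = k[3];
    }
    found.push(entry);
  }
  return found;
}

// Classifies each embedded client. The report never copies the secret
// itself, only its length, so the audit output can be shared safely.
function auditGhostClients(html) {
  return extractGhostClients(html).map((c) => {
    const isPublic = PUBLIC_CLIENT_IDS.has(c.clientId);
    return {
      clientId: c.clientId,
      secretLength: c.clientSecret ? c.clientSecret.length : 0,
      expectedInPageSource: isPublic,
      verdict: isPublic
        ? "ok: public frontend client (read-only public API, origin-restricted)"
        : "review: non-frontend client secret exposed in page source",
    };
  });
}

// Constructed sample pages (not captured from a real Ghost install).
const SAMPLE_OK = `<html><head>
<script>
ghost.init({
    clientId: "ghost-frontend",
    clientSecret: "xxxxxxxxxxx"
});
</script></head><body></body></html>`;

const SAMPLE_LEAK = `<html><head>
<script>
ghost.init({ clientSecret: 'deadbeef', clientId: 'my-import-tool' });
</script></head><body></body></html>`;

// Stand-alone usage: print both audits.
console.log(auditGhostClients(SAMPLE_OK));
console.log(auditGhostClients(SAMPLE_LEAK));
```

Run it against the HTML your site actually serves (for example, the output of a curl of the home page). A "ghost-frontend" hit is the expected state the answer describes; any other clientId is worth checking against the clients configured in your Ghost install, since a non-frontend client was never meant to be visible to readers.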