I am new to Angular and I am developing an application to learn more.

I want to build authentication. Can someone comment on whether this is a good approach?

I am thinking of using a similar approach to the one used with XSRF with RESTful WS.

1) After authentication, create a token in a cookie based on userid + sessionId + salt and encrypt this string with SHA256

2) What info do we need to pass to the client application?

3) Pass the token created in 1) to the server each time we navigate to a page that needs authentication

4) On client side check if user is authenticated.

My problem is: how can we safely check on the client side whether the user is authenticated? Isn't it true that if we save that information in the JavaScript, that info is compromised? How do we develop a safe "isAuthenticated" JavaScript function? Should the function get the response from the server that knows how to validate the token?

Is this a good approach, or are there better ways to do it?

Thank you very much.

1 solution

You must always assume that the client is, or can be, compromised. So you cannot know for sure on the client side that the user is 100% authenticated, absolutely, for sure, without a doubt.

But that almost never is as important as we make it out to be. On the client side we are generally displaying the user interface, not actually processing a credit card transaction. We do not have user A send user B an e-mail message 100% in the client - we send it to the server, and it handles the rest.

Therefore, what you really want is:

  1. How do I know on the client that I should ACT like I'm logged in? That is, when do I stop showing the login form and start showing the inbox?

  2. How do I know on the server that this client is really who s/he says s/he is?

The first is easy. Drawing an empty inbox is useless. Use the presence of the cookie to enable this behavior, and so what if it gets "hacked"? A user is able to see an empty inbox? This has no value. They could just as easily download your raw templates anyway - those are going to be public, so they're not exactly a secret. So here you are just looking for consistent behavior that "makes sense".

The one thing you do normally worry about in the client is things like cookie theft and man-in-the-middle attacks. There are various techniques for combating this and you should explore them. They're too long to cover here, and aren't specific to AngularJS.

For the second problem, now you must validate the user's session. To prevent cookie theft, in addition to what you are already hashing it's common to include things like a nonce from a 2-step auth cycle (common in OAuth) and other things like perhaps the user's IP address. This is a pain in mobile apps where it might change, but still fairly common. In practice, it's hard to do this en masse and most hackers want to do big compromises, not just hack one user... but you should still do your due diligence here.

Your scheme "probably" does these things but since you are only summarizing it there is still a lot to cover. One comment I would add is that for purely API-driven applications, it's becoming more common to use just raw headers, not cookies. They're a little harder to steal - not impossible, but anything you can do to reduce your attack surface is a Good Thing(tm).

In the end I think you will find that very little of this applies to AngularJS. Select an appropriate authentication scheme for your entire application, and there will almost certainly be a way to integrate it into Angular.