What are the security risks of unauthenticated Laravel event broadcasting?


Question

I need to know what the security risks of using unauthorized event broadcasting in Laravel are.

I'm using angular-js for my front-end and Laravel as my back-end API. I'm intending to use Laravel event broadcasting (socket.io + redis), and I want to know whether there is any security risk if I broadcast unimportant, public data to the front-end while it's not authenticated.

Thanks.

Answer

I don't think the paradigm is really any different from a traditional web application or API. The same concerns exist, and it has nothing to do with sockets. The fact that your architecture now has socket.io/nodeJS in the mix just means that authentication is a little more involved. When you moved from doing sessions with a file system and a single server to a pool of servers and, say, memcached or a database for sessions, it changed how you handled authentication, not the need for it. So in some ways it feels like you are asking for permission to cop out on this :)

Really though, only you can say if it is needed for your application. If it's like you say, unimportant and public... would you likely require authentication to view it on a page in your site in a traditional web app? Are you just being lazy?

1) Abuse. Can I modify a request to iterate over some ID to harvest any useful information?

2) Missed opportunity. Will the Node backend grow? At some point will you regret not having an authenticated user available there?

3) Denial of Service. Can I make high-cost requests and exhaust resources?

Probably others I'm missing. Just my two cents. I'll try to provide an example later on your question, Authorization for laravel passport through socket.io for broadcasting channels.
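The three risks the answer lists map onto three standard Laravel pieces: a private channel with an authorization callback (so a client who edits the ID in a subscription request gets nothing it does not own), an authenticated `/broadcasting/auth` route (so the socket side always has a real user), and a throttle on that route (so the auth check cannot be hammered). The listing below is an added example, not code from the original question or answer and not Laravel's own source. It assumes an `Order` model with a `user_id` column, a channel named `orders.{orderId}`, an `OrderShipped` event, and a Passport-backed `api` guard; all of these are illustrative names. The three files are shown in one block using PHP's braced-namespace syntax purely so the listing parses as a single file; in a real project each part lives in the path given in its comment.

```php
<?php
// --- routes/channels.php ---------------------------------------------------
// A private channel's callback decides whether a socket may subscribe.
// It runs server-side, so the client cannot skip it by editing the orderId.
namespace {
    use App\Models\Order;   // assumed model with a user_id column
    use App\Models\User;
    use Illuminate\Support\Facades\Broadcast;

    Broadcast::channel('orders.{orderId}', function (User $user, int $orderId) {
        $order = Order::find($orderId);

        // Deny for a missing order as well as someone else's order. Returning
        // false (not throwing) keeps both cases indistinguishable to the caller,
        // so iterating over IDs reveals nothing about which orders exist.
        return $order !== null && $order->user_id === $user->id;
    });
}

// --- app/Providers/BroadcastServiceProvider.php ------------------------------
// Registers the /broadcasting/auth endpoint the socket server calls before it
// allows a subscription. 'auth:api' requires a valid Passport bearer token
// (guard name assumed), so the Node side always has an authenticated user;
// 'throttle:60,1' caps each client at 60 auth checks per minute.
namespace App\Providers {
    use Illuminate\Support\Facades\Broadcast;
    use Illuminate\Support\ServiceProvider;

    class BroadcastServiceProvider extends ServiceProvider
    {
        public function boot(): void
        {
            Broadcast::routes(['middleware' => ['auth:api', 'throttle:60,1']]);

            require base_path('routes/channels.php');
        }
    }
}

// --- app/Events/OrderShipped.php -------------------------------------------
// The event itself. Using PrivateChannel (rather than Channel) is what ties
// the broadcast to the authorization callback above; a public Channel would
// bypass it entirely and send the payload to any connected socket.
namespace App\Events {
    use App\Models\Order;
    use Illuminate\Broadcasting\InteractsWithSockets;
    use Illuminate\Broadcasting\PrivateChannel;
    use Illuminate\Contracts\Broadcasting\ShouldBroadcast;
    use Illuminate\Foundation\Events\Dispatchable;
    use Illuminate\Queue\SerializesModels;

    class OrderShipped implements ShouldBroadcast
    {
        use Dispatchable, InteractsWithSockets, SerializesModels;

        public function __construct(public Order $order)
        {
        }

        public function broadcastOn(): PrivateChannel
        {
            return new PrivateChannel('orders.' . $this->order->id);
        }

        // Broadcast only the fields the client needs. Without broadcastWith(),
        // Laravel serializes every public property, which can leak columns
        // the front-end was never meant to see.
        public function broadcastWith(): array
        {
            return [
                'id'     => $this->order->id,
                'status' => $this->order->status,
            ];
        }
    }
}
```

The same shape applies to "unimportant, public" data: if the event uses a public `Channel` instead, no callback runs, so the only remaining defences are the throttle on `/broadcasting/auth` and keeping `broadcastWith()` minimal. Deciding which channel type to use is exactly the question the answer says only the application owner can settle.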
