如何在NodeJS中使用生成的随机数并在没有数据库调用的情况下进行验证? [英] How to use a generated nonce in NodeJS and do validation without a database call?
问题描述
我正在生成一个随机数来验证向导步骤,以确保它一个接一个的安全.
I am generating a nonce to validate the wizard steps to secure it one after another.
我知道如何在nodejs中创建随机数并将其存储在数据库中,以确保它可以使用一次.
I know how to create the nonce in nodejs and store the same in database to make sure it can be used once.
但是我想知道,是否有一个想法可以像上述那样仅生成一次并验证一次随机数,并且如果可能的话,可以在一定的期限内使用(到期)而无需将其存储在数据库中,而是简单地在一个向导步骤中将其返回给客户端,并在下一步中对其进行验证.
But I was wondering, whether there is an idea to generate and validate a nonce as above like to be used only once and if possible, can be used within a time limit (expiry) without storing the same in the database but simply returning it to the client in one wizard step and validate the same on the next step.
我通常使用以下方法来生成随机数,将其标准化并将其存储在mongodb中,并具有一定的到期时间,以便mongodb在特定时间后将其删除(如果未使用的话).
I normally use the below method to generate the nonce, normalize it and store it in a mongodb with a time to expire so that mongodb will delete it after a particular time if its not been used.
var crypto = require('crypto');
crypto.randomBytes(32, function (err, bytes) {
if (err) {
next(err);
} else {
next(null, normalize(bytes));
}
});
请提出是否有比该方法更好的/优化的随机数生成方法,以及是否有可能无需数据库调用即可处理一次使用和到期.
Please suggest if any good/optimized way of generating the nonce than this and a possibility to take care of the one time usage and expiry without a database call.
推荐答案
始终最好有一个数据库来存储和验证nonce.为了限制时间,您可以使用到期的mongodb,也可以生成时间戳,然后生成带有时间戳的现成hmac,即现时&私钥.然后发送随机数,时间戳& hmac到客户端.这样,如果数据库不支持mongodb的文档到期时间,则还可以保护时间戳记,并且可以将nonce限制为特定的时间.希望它能解释.
It's always better practise to have a database to store and validate the nonce. To restrict with time, either you can use a mongodb with expiry or you can generate the timestamp, then generate a hmac with timestamp, nonce & private key. Then send the nonce, timestamp & hmac to the client. This way you can secure the timestamp as well you can restrict the nonce with particular time if your database is not supporting the document expiry as mongodb. Hope it explains.
这篇关于如何在NodeJS中使用生成的随机数并在没有数据库调用的情况下进行验证?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
