在不使用表单的情况下从javascript应用程序从节点服务器获取JWT令牌的最佳安全方法是什么? [英] What is the best secure way to get a JWT token from a node server from a javascript app without using a form?
问题描述
就我而言,我有一个React应用程序(使用Next),需要使用node/express/mysql应用程序提供的API.
我的想法是要有一个端点(/login)提供基于user/password的JWT令牌(检查数据库中的用户并根据用户ID创建令牌),然后使用JWT令牌使用API端点(这些令牌也存储在mysql中).但是为了做到这一点,并且由于没有表单,我将不得不在客户端应用程序中存储凭据(user和password),因此任何人都可以读取.我的做法是否正确?如果不正确,还有哪些其他方法可以安全地使客户端APP使用API端点?
React和Node/Express在同一个域中,默认情况下,根据我所读的内容,CORS是默认设置的.另外,HTTPS被激活.
基本上, JWT使您可以避免完全使用会话&为了不将它们存储在数据库中, JWT就像您给用户的护照,其中说明了他的用户名(ID,例如用户名),角色&其他任何数据(如果有人看到的话都不敏感), ,所以您永远不要在JWT中存储密码
JWT的安全性基本上在于没有其他实体可以模仿它(如果您使用强密钥进行签名).尽管可以对JWT进行加密,但是只要您不将敏感数据放入其中,就不必对其进行加密.我认为您应该尝试查看此网站,以了解签名如何保护JWT的真实性
因此,您应该制作/login API,这将检查您的用户凭据&然后给他JWT(例如,以角色"admin"表示他是用户"joe")&然后您检查&在您的过滤器中验证此JWT,以对&授权用户在您的网络应用中执行操作
要获得JWT,用户必须通过HTTPS连接向您提供其凭据,这将使连接本身被加密,从而保护其凭据免遭窃听或中间人攻击
In my case, I have a React app (using Next) that need to use an API provided by a node / express / mysql app.
My idea was to have an endpoint (/login) to provide a JWT Token based on user / password (that check the user in the database and create token based on the id of the user) and then use the JWT token to use the API endpoints (those token are stored in the mysql as well). But in order to do that, and because there is no form, I would have to store the credentials (user and password) in the client side app and therefore would be readable by anyone. Am I doing things right and if not, what are the other options to securely make the client side APP use the API endpoints ?
The React and the Node / Express are on the same domain and CORS is set by default by express from what I read. Also, HTTPS is activated.
Basically the JWTs allow you to avoid using sessions completely & to not store them in DB, a JWT is like a passport that you give to a user, that states his (ID, maybe username for example), role & any other data (that is insensitive if someone sees), so you should never store a password in a JWT
Security of the JWT basically lies in the fact of that no other entity can imitate it (if you use a strong key for signature) & although possible to encrypt your JWT, you don't have to encrypt it as long as you don't put sensitive data in it. I think you should try to have a look on this website to see how the signature protects the authenticity of the JWT
So you should make the /login API, this will check your user credentials & then give him the JWT (that states he is user 'joe' for example with the role 'admin') & then you check & verify this JWT in your filters to authenticate & authorise the user for the actions in your webapp
To get the JWT, a user must provide his credentials to you in a HTTPS connection, which will make the connection itself encrypted, thus protecting his credentials from eavesdropping or man-in-the-middle attacks
这篇关于在不使用表单的情况下从javascript应用程序从节点服务器获取JWT令牌的最佳安全方法是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
