Cordova fingerprint authentication on server


Problem description

I am trying to create an authentication mechanism in my (Cordova) app for Android that will allow my users to sign in using a password and username, or allow them to scan their finger in order to sign in.

How can one verify a fingerprint registered on a client, server side? Is this even possible at all using Cordova? I tried transmitting the result of a finger scan to my server; this looked like:

FingerprintAuth.isAvailable(function(result) {
  if (result.isAvailable) {
    if(result.hasEnrolledFingerprints){
      FingerprintAuth.show({
        clientId: client_id,
        clientSecret: client_secret
      }, function (result) {
        alert(JSON.stringify(result));

        $http.post('http://192.168.149.33:3000/authorize', result).then(
          function(response) {}
        );

        if (result.withFingerprint) {
          $scope.$parent.loggedIn = true;
          alert("Successfully authenticated using a fingerprint");
          $location.path( "/home" );
        } else if (result.withPassword) {
          alert("Authenticated with backup password");
        }
      }, function(error) {
        console.log(error); // "Fingerprint authentication not available"
      });
    } else {
      alert("Fingerprint auth available, but no fingerprint registered on the device");
    }
  }
}, function(message) {
  alert("Cannot detect fingerprint device : "+ message);
});

Server side I am receiving the following data (3 separate scans):

{ withFingerprint: 't8haYq36fmBPUEPbVjiWOaBLjMPBeUNP/BTOkoVtZ2ZiX20eBVzZAs3dn6PW/R4E\n' }
{ withFingerprint: 'rA9H+MIoQR3au9pqgLAi/EOCRA9b0Wx1AvzC/taGIUc8cCeDfzfiDZkxNy5U4joB\n' }
{ withFingerprint: 'MMyJm46O8MTxsa9aofKUS9fZW3OZVG7ojD+XspO71LWVy4TZh2FtvPtfjJFnj7Sy\n' }

The patterns seem to vary every time. Is there a way one can link the fingerprint to, for example, a pattern saved under a user on a database?

Recommended answer

Short Answer

The strings returned by this API are not "fingerprint patterns". So you won't be able to authenticate the way you're thinking...

Good Answer

Let's start by looking at the source code of the API it looks like you're using.

Looking at this file we see these methods:

public static void onAuthenticated(boolean withFingerprint) {
    JSONObject resultJson = new JSONObject();
    String errorMessage = "";
    boolean createdResultJson = false;
    try {

        if (withFingerprint) {
            // If the user has authenticated with fingerprint, verify that using cryptography and
            // then return the encrypted token
            byte[] encrypted = tryEncrypt();
            resultJson.put("withFingerprint", Base64.encodeToString(encrypted, 0 /* flags */));
        } else {
            // Authentication happened with backup password.
            resultJson.put("withPassword", true);

            // if failed to init cipher because of InvalidKeyException, create new key
            if (!initCipher()) {
                createKey();
            }
        }
        createdResultJson = true;

// ...

/**
 * Tries to encrypt some data with the generated key in {@link #createKey} which is
 * only works if the user has just authenticated via fingerprint.
 */
private static byte[] tryEncrypt() throws BadPaddingException, IllegalBlockSizeException {
    return mCipher.doFinal(mClientSecret.getBytes());
}

Look at what's being put to "withFingerprint". It's a Base64 encoding of the encrypted client secret. Technically, this is your authentication. You would use this token to authenticate requests and your server would decrypt and validate the client secret.

Summary

Fingerprinting adds a level of security, but it is not the only means of security. A relationship needs to be established with the device and server beforehand.

I found this diagram to be helpful in understanding the intent of android's fingerprint authentication (ref: http://android-developers.blogspot.com/2015/10/new-in-android-samples-authenticating.html)
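
An added example, not part of the original answer or of the plugin's code: one way to set up the device-to-server relationship the summary mentions, assuming each device holds a key pair whose public half is enrolled with the server after a password login. The server issues a one-time nonce and checks a signature over it instead of comparing `withFingerprint` strings, which differ on every scan; `enroll`, `issueChallenge`, `verifyLogin` and `makeDevice` are hypothetical names, and `makeDevice` stands in for a key the device would only unlock after a fingerprint scan.

```javascript
const crypto = require("crypto");

// Server-side state (in memory for this sketch; a real service would persist it).
const enrolledKeys = new Map();      // userId -> public key PEM, stored at enrollment
const pendingChallenges = new Map(); // userId -> outstanding one-time nonce

// Enrollment happens once, after an ordinary username/password login.
function enroll(userId, publicKeyPem) {
  enrolledKeys.set(userId, publicKeyPem);
}

// The server chooses the random value, so a captured response cannot be replayed.
function issueChallenge(userId) {
  const nonce = crypto.randomBytes(32).toString("base64");
  pendingChallenges.set(userId, nonce);
  return nonce;
}

// Accept only a valid signature over the nonce currently outstanding for this user.
function verifyLogin(userId, signatureB64) {
  const nonce = pendingChallenges.get(userId);
  const publicKeyPem = enrolledKeys.get(userId);
  pendingChallenges.delete(userId); // single use, even when verification fails
  if (!nonce || !publicKeyPem || typeof signatureB64 !== "string") return false;
  try {
    return crypto.verify("sha256", Buffer.from(nonce), publicKeyPem,
      Buffer.from(signatureB64, "base64"));
  } catch {
    return false; // malformed key or signature bytes
  }
}

// Constructed stand-in for the device (assumption: the private key never leaves it).
function makeDevice() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  return {
    publicKeyPem: publicKey.export({ type: "spki", format: "pem" }),
    sign: (nonce) => crypto.sign("sha256", Buffer.from(nonce), privateKey).toString("base64"),
  };
}

function demo() {
  const device = makeDevice();
  enroll("alice", device.publicKeyPem);
  const sig = device.sign(issueChallenge("alice"));
  const first = verifyLogin("alice", sig);  // fresh nonce, enrolled key
  const replay = verifyLogin("alice", sig); // same bytes again: nonce already consumed
  const forged = verifyLogin("alice", makeDevice().sign(issueChallenge("alice")));
  return { first, replay, forged };         // forged: signed by a key that was never enrolled
}
```

With this shape the client's own `loggedIn = true` no longer decides anything: the server grants a session only when `verifyLogin` returns true.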
