存储Autodesk-Forge刷新令牌的最佳方法 [英] Best Way to Store Autodesk-Forge Refresh Tokens

问题描述

当前，我正在使用Autodesk-forge查看器和Fusion360构建Web应用程序.我的项目类似于此教程，在该教程中，我只需要授权一次m帐户，然后用户就可以使用刷新令牌可以查看我帐户中的模型.目前，我正在使用MySQL存储刷新令牌.目前，我的表中只有一列和一行，并且每次生成新的刷新令牌时，它都会替换一行中的旧刷新令牌.我的刷新令牌的代码如下:

currently I am building a web application using the autodesk-forge viewer and fusion360. My project is similar to this tutorial where I only have to authorize m account once and then users can use refresh tokens to be able to view the models within my account. Currently I am using MySQL to store my refresh token. I currently only have one column and one row within my table and every time a new refresh token is generated, it replaces the old one inside the one row. My code for refreshing the token looks as follows:

 $rToken = $_POST['Value'];
  $query = "UPDATE tblMachineViewerToken SET Value='$rToken'";

因此，每次生成新的刷新令牌时，表中的一行都会更新.这是一种存储刷新令牌的适当方法，因为我有几次不得不重新授权我的帐户的实例.任何帮助深表感谢.干杯！

So the one row in the table is updated every time a new refresh token is generated. Is this an adequate way to store the refresh token, as I have had a couple instances where I have had to authorize my account again. Any help is much appreciated. Cheers!

推荐答案

在没有看到代码的情况下，很难知道问题可能是什么，但是很可能您收到了过期的refresh_token或并发问题.在我回答您的问题之前，让我们假设您将access_token和refresh_token存储在数据库中.从安全角度来看，从单个BIM360用户向您的许多用户共享令牌是危险的.这意味着您的所有用户都可以在不知情的情况下以您的权限代表您访问您的数据，并且如果发生错误，您将永远不会知道谁做了什么.

Without seeing your code it is hard to know what the issue could be, but it is very likely that you got either an expired refresh_token or a concurrency issue. Before I jump into answering your questions, let's assume you store the access_token and refresh_token in your database. From a security perspective, it is dangerous to share a token from a single BIM360 user to many of your users. It means that all your users can access your data on your behalf with your privileges without you knowing, and in case something wrong happens, you would never know who did what.

要再次讨论您的问题，假设userA和userB同时访问您的应用程序(相差几毫秒)；您的userA应用程序在执行刷新过程时检测到需要刷新access_token；userB也访问您的应用程序，并且您的应用程序还检测到令牌需要刷新，因为userA的刷新任务尚未完成.在这种情况下，由于refresh_token只能使用一次，因此用户刷新任务之一将返回一个空令牌，您将失去连接.您需要确保您的代码作为单例任务运行，并保留所有其他请求以等待该任务完成.

To come back on your issue, let's say that userA and userB access your application at the same time (few milliseconds difference); your application for userA detects that it needs to refresh the access_token, while doing the refresh process; userB access your application as well, and your application also detects the token needs a refresh, because userA refresh tasks hasn't yet completed. In that case and because a refresh_token can be used only once, one of the user refresh tasks will return an empty token, and you would loose the connection. You need to make sure that your code runs as a singleton task, and keeps all other requests waiting for that task to complete.

另一个简单的原因是，给定的refresh_token仅有效14天，因此您需要确保至少每14天刷新一次access_token和refresh_token.

Another simple reason is that a given refresh_token is only valid 14 days, so you need to make sure to refresh the access_token and refresh_token at least once every 14 days.

这篇关于存储Autodesk-Forge刷新令牌的最佳方法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！