Managing Session Cookies with Firebase and Electron


Question


I am trying to set up session cookies in my Node server, which is the backend for an Electron app. I am trying to follow this guide.

https://firebase.google.com/docs/auth/admin/manage-cookies


The first thing I am confused about is where this function comes from in the "Sign In" section: const csrfToken = getCookie('csrfToken') Is 'getCookie' a function I am supposed to write myself?


I am also not fully following the logic of the "create session cookie" snippet:

// Inside the POST handler that exchanges the ID token for a session cookie.
const csrfToken = req.body.csrfToken.toString();
// Guard against CSRF attacks.
if (csrfToken !== req.cookies.csrfToken) {
  res.status(401).send('UNAUTHORIZED REQUEST!');
  return;
}


So this looks like it's checking to see if the request body's CSRF token is the same thing set in the request cookie's CSRF token? Is this because someone might set the CSRF token manually (i.e. using Postman) but such a request won't go through because it's not in req.cookies? Does this imply that one is not supposed to be setting req.cookies in their client-side code?

Answer


getCookie is basically a cookie getter. You can write it yourself or look up the implementation online. As for the CSRF check, this is a basic defense against CSRF attacks. The CSRF token is set in a cookie and then returned back in the post body. The backend will confirm that the CSRF token in the cookie matches the token in the POST body. Basically the idea here is that only requests coming from your website can read the cookie and pass it in the request in the POST body. If the request is coming from another website, they will not be able to read the cookie and pass it in the POST body. While the CSRF token cookie will always be passed along with the request even when coming from other origins, the token will not be available in the POST body.


A quickstart node.js implementation is available at: https://github.com/firebase/quickstart-nodejs/tree/master/auth-sessions
