How to add an extra layer of JWT security when the token is stolen


Problem description

I am using JWT. I have some admin routes. I save the token in localStorage. In the payload of my token I also have an admin property which is true or false. I wonder what happens if the 'admin' token from some user is stolen, and the old 'non-admin' token in the localStorage of the malicious user is replaced with the 'admin' token; then he will have access to the admin routes.

To prevent this in some way:

  • I will refresh the token every 10 minutes, for example (but the malicious user can do a lot of bad things in those 10 minutes: delete users from the DB, delete configurations, etc.). Is there any other way to prevent this 10-minute 'possible attack'?

  • Save the token in an httpOnly and secure cookie. Is it 100% sure that if I store my token in this kind of cookie, nobody can edit it? So when the 'admin' token is stolen, the malicious user can't just copy-paste the new token, like he could in localStorage?

Recommended answer

Don't save the token in localStorage, since it is accessible to JS, which means any XSS attack will have access to the token.

Use 2 types of tokens:

  1. Short-term access token (10 mins). It will be attached to each API request; it must contain something non-guessable, some kind of hash, with which you identify the user on the server side; it will be saved in memory.
  2. Long-term refresh token (12 hours or more). It will be saved in an httpOnly + secure cookie. It has one purpose: with it your app can generate a new access token (when the access token expires). It must contain a non-guessable hash to identify the user.

This will make your system much more robust. If someone somehow gets the accessToken, it will expire in 10 minutes, and without it your API will refuse requests. It is much harder to steal an httpOnly + secure cookie, and if someone manages to steal it, you can "revoke" the hash inside the token, so it becomes useless.

Revoking is as simple as generating a new hash in the DB for the specific user / the entire DB.

I always recommend reading this: https://hasura.io/blog/best-practices-of-using-jwt-with-graphql/

The entire idea of accessToken + refreshToken is explained there.

Some code examples of mine call the token refresh API from an Axios response interceptor, but whether or not the refreshToken API is used & tidying up all the APIs
