How to safely implement access with a key for a web application?


Problem description


I am working on a Rails application where users can add posts without registration. I want to generate a random, unique key and provide a link to edit their post, for example: http://mygreatapp.com/post/edit/f7smSDf34Sad. A similar approach is used by Craigslist.


My idea was to generate a random, unique string on post creation and save it in the database, together with the other post data. Then check whether the string in the database matches the one in the request. Is the solution safe?

How would you implement it?


Thanks for responses. However, generating random strings is not an issue. Safety and implementation in the database is my concern.

Recommended answer


If I were going to implement this I would use the friendly_id gem since what you're basically doing is creating a unique slug for each record in your DB. friendly_id by default will use a column to create the slug. You could tell friendly_id to use the id column and then override their normalize_friendly_id method.


In that method you would generate a unique string and then return it. The text that is returned by this method is what friendly_id will use to generate your slug.


To generate the slug you could simply use an MD5 hash or you could do something like this:

(0...50).map { ('a'..'z').to_a[rand(26)] }.join  # builds a 50-character string of random lowercase letters using Kernel#rand


The benefit to using this approach instead of simply creating/storing the slug yourself is that you won't have to do Post::find_by_slug(slug), you can still use Post::find(slug) because friendly_id handles looking up the record by the slug.


There is a Railscasts episode that covers the friendly_id gem.
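The asker's real concern is the database side of the edit-key scheme. The following is an added example, not code from the question, the answer or the friendly_id gem: a plain-Ruby stand-in for the Post model that draws the key from SecureRandom (the OS CSPRNG, rather than Kernel#rand) and stores only a SHA-256 digest of it, so a leaked database dump yields no working edit links. The in-memory store, the `edit_key_digest` column name and the 32-character key format are assumptions of this example.

```ruby
require 'securerandom'
require 'digest'

# Stand-in for a Post table with an `edit_key_digest` column (hypothetical
# name). Only the digest is persisted; the plaintext key lives solely in the
# edit link handed back to the post's author at creation time.
class PostStore
  Post = Struct.new(:id, :body, :edit_key_digest)

  # Regex for the key format produced below: 24 random bytes encoded as
  # URL-safe base64 give exactly 32 characters from [A-Za-z0-9_-].
  KEY_FORMAT = /\A[A-Za-z0-9_-]{32}\z/

  def initialize
    @posts_by_digest = {} # models a unique index on edit_key_digest
    @next_id = 1
  end

  # Creates a post and returns [post, plaintext_key]. SecureRandom is a
  # cryptographically secure generator, so one key reveals nothing about
  # the next; 24 bytes (192 bits) makes guessing a valid link infeasible.
  def create(body)
    key = SecureRandom.urlsafe_base64(24)
    post = Post.new(@next_id, body, digest_of(key))
    @next_id += 1
    @posts_by_digest[post.edit_key_digest] = post
    [post, key]
  end

  # Resolves the key from an edit-link request. Malformed input is rejected
  # before any database work, and the lookup is by digest, so the stored
  # value never has to be compared against attacker-controlled plaintext.
  # Returns nil when no post matches.
  def find_by_edit_key(key)
    return nil unless key.is_a?(String) && key.match?(KEY_FORMAT)
    @posts_by_digest[digest_of(key)]
  end

  private

  def digest_of(key)
    Digest::SHA256.hexdigest(key)
  end
end
```

In a real Rails app the same shape maps onto `Post.find_by(edit_key_digest: Digest::SHA256.hexdigest(params[:key]))` with a unique index on that column; the route still follows the /post/edit/:key pattern from the question.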
