Meteor: Endpoint for images fetched from S3 - How to authenticate connection?


Problem description


We have encrypted images stored in S3 that we need to serve to clients, meaning that we cannot give clients S3 URLs for the img src. The files are also potentially large, so ideally we would like to not go through js.



With no server-side routing available we were going down the route of having a separate Express setup in Meteor, and this works, since the router on the client side doesn't interfere with

We could add the Auth token to the src url and poke the DB, but we're wary of doing so as it would expose the token in the DOM and in copy pasta cooked up by the users.


Is there a good way of getting this to work properly? Is it possible to configure other routers to serve up the angular app on a specific URL maybe?

Any input is welcome :)

const Express = Npm.require('express');
const app = Express();

app.get('/order/:orderID/image/:UUID', function(mainReq, mainRes) {
  // TODO: security check, but not getting current logged-in user info
  // There are no cookies, only the DDP connection is authenticated (?)

  console.log(Meteor.userId()); // fails: Meteor.userId() only works inside methods and publications, not in an HTTP handler

  // S3 fetch and decrypt here

});

Recommended answer

The answer is:


It's not possible using out of the box Meteor. If you wanna restrict HTTP requests, you're on your own.


Meteor doesn't use cookies (on purpose and for good reason; https://blog.meteor.com/why-meteor-doesnt-use-session-cookies-e988544f52c9), but instead only ever authenticates the DDP websocket connection, and hence any HTTP request to the server is not authed in any way. There are a few packages that try to handle these things, and this article explains a way of putting the auth token (and the user ID) into the url: https://blog.kayla.com.au/server-side-route-authentication-in-meteor/ The problem with this is that you then expose the token in the DOM, any browser extension would be able to read it, and the user would be able to copy/paste the url and send it to others. This could end up in session hijacking.


If you wanna authenticate HTTP requests, you will have to either find a package that writes a cookie (and prevents CSRF attacks if you're doing actions) or have the user supply the username/password each time.


For my situation it is sufficient to have the client side write a cookie with the auth token on login on the client. It will then be sent with the request and can be checked server side. Since all I'm doing is sending back a picture, it's not necessary to prevent CSRF for me, so beware of that while reading the snippets below on how to have the client send a cookie to the server:

const cookieName = 'loginToken';
const removeExistingCookie = (name) => { document.cookie = name + "=; domain=" + document.location.hostname + "; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT"; }; // clear any stale cookie first
Accounts.onLogin(() => {
  removeExistingCookie(cookieName);
  const expiryTime = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toUTCString(); // assumed lifetime; align it with your login token expiry
  document.cookie = cookieName + "=" + localStorage['Meteor.loginToken'] + "; domain=" + document.location.hostname + "; path=/; expires=" + expiryTime + "; secure";
});


Then you'll have to parse the cookie header on the server and auth the request on the server using something like this:

const Express = Npm.require('express');
const cookieParser = Npm.require('cookie-parser');

const app = Express();
app.use(cookieParser()); // populates mainReq.cookies from the Cookie header

app.get('/order/:orderID/image/:UUID', function(mainReq, mainRes) {

    let loginToken = mainReq.cookies["loginToken"];
    if (!loginToken) {
        mainRes.status(404).send();
        return;
    }

    // Meteor stores only the SHA-256 hash of the token, so hash it before the lookup
    let hashedToken = Accounts._hashLoginToken(loginToken),
        sessionBelongsToUser = Meteor.users.findOne(
        {
            'services.resume.loginTokens.hashedToken': hashedToken,
        });

    // Note: the token's `when` timestamp is not checked here, so a token past its
    // lifetime is still accepted until Meteor's periodic purge removes it
    if (!sessionBelongsToUser) {
        mainRes.status(404).send();
        return;
    }

    // S3 fetch and decrypt here, then write the image to mainRes
});
