JSON Web Token (JWT) 作为电子邮件激活的 URL [英] JSON Web Token (JWT) as a url for email activation

问题描述

将 JWT 作为电子邮件中的激活 url 有多安全?

How secure it is to make JWT as the activation url in email?

例如:点击链接激活您的帐户 http://127.0.0.1:8000/account/activate/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ0b3B0YWwuY29tIiwiZXhwIjoxNDI2NDIwODAwLCJodHRwOi8vdG9wdGFsLmNvbS9qd3RfY2xhaW1zL2lzX2FkbWluIjp0cnVlLCJjb21wYW55IjoiVG9wdGFsIiwiYXdlc29tZSI6dHJ1ZX0.yRQYnWzskCZUxPwaQupWkiUzKELZ49eM7oWxAQK_ZXw

For example: Click link to activate your account http://127.0.0.1:8000/account/activate/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ0b3B0YWwuY29tIiwiZXhwIjoxNDI2NDIwODAwLCJodHRwOi8vdG9wdGFsLmNvbS9qd3RfY2xhaW1zL2lzX2FkbWluIjp0cnVlLCJjb21wYW55IjoiVG9wdGFsIiwiYXdlc29tZSI6dHJ1ZX0.yRQYnWzskCZUxPwaQupWkiUzKELZ49eM7oWxAQK_ZXw

推荐答案

您链接到的常见问题解答 说:

在 url 中使用 JWT 令牌的用例是:

Use-cases for a JWT token in a url are:

• 帐户验证 - 当您在某人在您的网站上注册后通过电子邮件发送链接时.https://yoursite.co/account/verify?token=jwt.goes.here
• 密码重置 - 确保重置密码的人可以访问属于该帐户的电子邮件.https://yoursite.co/account/reset-password?token=jwt.goes.here

这两个都是一次性令牌的理想候选者(点击后过期).

Both of these are good candidates for single-use tokens (which expire after they have been clicked).

所以，是的.只需确保每封电子邮件只能激活一次(不要使用示例中可怕的秘密"密钥，如果可以伪造签名，则可以绕过您的验证).

So, yes. Just make sure that each email can be activated only once (and don't use the terrible "secret" key from your example, if the signature can be faked, then your verification can be bypassed).

这篇关于JSON Web Token (JWT) 作为电子邮件激活的 URL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！