Custom Devise API token auth


Problem description

What is the best way to find a registered user with token authentication? The way I currently do it is to query the db for the token the app sends to access the api. E.g. 'user = User.where(:authentication_token => params[:authtoken]).first'. Is this safe?

I have seen code that uses warden.authenticate and another that does the ff: the client sends the email along with the authtoken. It then uses the email to find the user and then does a devise secure compare with the sent token and the token of the user it found in the db email query. This was the solution in the devise token authenticable gist to roll your own token auth.

Should I be sending an email along with the token in every request?

Recommended answer

Devise removed token_authenticateable due to security concerns, but as you've suggested you can still implement it yourself. There is some good discussion and recommendations in this gist: https://gist.github.com/josevalim/fb706b1e933ef01e4fb6

Specifically I would take a look at Devise.secure_compare which is used in the second solution and takes care of some of your concerns around the safety of your approach, especially with regard to timing attacks.
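A minimal illustration of the pattern the answer points to (look the user up by email, then compare the presented token in constant time), added here as an example; it is not code from the question, the gist, or Devise. The in-memory User store is a constructed stand-in for the Devise model, and secure_compare is modelled on how Devise.secure_compare works rather than calling it.

```ruby
require 'securerandom'

# Constructed stand-in for a Devise User model (not a real database).
User = Struct.new(:email, :authentication_token)

USERS = [
  User.new('alice@example.com', 'tok_alice_1234567890'),
  User.new('bob@example.com',   'tok_bob_0987654321'),
].freeze

# Constant-time comparison modelled on Devise.secure_compare:
# reject on length mismatch, then XOR every byte so the loop runs to the
# end regardless of where the two strings first differ. This is what
# keeps the comparison itself from leaking how many leading bytes match.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize

  left = a.unpack("C#{a.bytesize}")
  result = 0
  b.each_byte { |byte| result |= byte ^ left.shift }
  result.zero?
end

# The approach from the question: the secret token is the lookup key.
# An ordinary equality check (or a DB index lookup) short-circuits on the
# first differing byte, which is the timing concern the answer raises.
def find_by_token_naive(token)
  USERS.find { |u| u.authentication_token == token }
end

# The gist's approach: the non-secret email selects the record, and only
# then is the presented token checked against the stored one in constant time.
def authenticate(email, token)
  user = USERS.find { |u| u.email == email }
  return nil unless user && token.is_a?(String)

  secure_compare(user.authentication_token, token) ? user : nil
end
```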
