在安装时在Greasemonkey脚本中存储用户登录/密码输入 [英] Storing user login/password input in a Greasemonkey script on install
问题描述
我正在做一个Greasemonkey脚本,它通过REST API与Redmine票证管理器进行通信。
由于用户需要登录才能从Redmine获取数据,我需要一种方法在脚本安装时询问用户的凭据并将其保存到脚本中。
I'm doing a Greasemonkey script that communicates with the Redmine ticket manager through the REST API. As the user needs to login to get the data from Redmine, I need a way to ask the user for his credentials at script installation and save them to the script.
这可以在不要求用户直接在脚本中编辑值的情况下实现吗?
Can this be achieved without asking the user to edit the values directly in the script itself?
编辑:
因为已经存在回答这个问题我将验证下面给出的答案,因为它是一个非常好的框架。
Since there is already an answer to this question I will validate the answer given just below as it is a very good framework.
推荐答案
这是一个框架获取和存储登录凭据。† 脚本在第一次运行时提示输入信息,并使用 GM_setValue()将其加密。
Here is a framework for getting and storing login credentials.† The script prompts for the information on the very first run and stores it, encrypted, using GM_setValue().
它还在Greasemonkey上下文菜单中添加两个项目以允许更改用户名或密码。
It also adds two items to the Greasemonkey context menu to allow changing the username or password.
// ==UserScript==
// @name _Autologin, sensitive info framework
// @include http://YOUR_SERVER.COM/YOUR_PATH/*
// @require http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js
// @require http://crypto.stanford.edu/sjcl/sjcl.js
// @grant GM_getValue
// @grant GM_setValue
// @grant GM_registerMenuCommand
// ==/UserScript==
var encKey = GM_getValue ("encKey", "");
var usr = GM_getValue ("lognUsr", "");
var pword = GM_getValue ("lognPwd", "");
if ( ! encKey) {
encKey = prompt (
'Script key not set for ' + location.hostname + '. Please enter a random string:',
''
);
GM_setValue ("encKey", encKey);
usr = pword = ""; // New key makes prev stored values (if any) unable to decode.
}
usr = decodeOrPrompt (usr, "U-name", "lognUsr");
pword = decodeOrPrompt (pword, "P-word", "lognPwd");
function decodeOrPrompt (targVar, userPrompt, setValVarName) {
if (targVar) {
targVar = unStoreAndDecrypt (targVar);
}
else {
targVar = prompt (
userPrompt + ' not set for ' + location.hostname + '. Please enter it now:',
''
);
GM_setValue (setValVarName, encryptAndStore (targVar) );
}
return targVar;
}
function encryptAndStore (clearText) {
return JSON.stringify (sjcl.encrypt (encKey, clearText) );
}
function unStoreAndDecrypt (jsonObj) {
return sjcl.decrypt (encKey, JSON.parse (jsonObj) );
}
//-- Add menu commands that will allow U and P to be changed.
GM_registerMenuCommand ("Change Username", changeUsername);
GM_registerMenuCommand ("Change Password", changePassword);
function changeUsername () {
promptAndChangeStoredValue (usr, "U-name", "lognUsr");
}
function changePassword () {
promptAndChangeStoredValue (pword, "P-word", "lognPwd");
}
function promptAndChangeStoredValue (targVar, userPrompt, setValVarName) {
targVar = prompt (
'Change ' + userPrompt + ' for ' + location.hostname + ':',
targVar
);
GM_setValue (setValVarName, encryptAndStore (targVar) );
}
// ADD YOUR CODE TO SET THE USERNAME AND PASSWORD ON THE LOGIN PAGE, HERE.
† 重要:
- 使用用户脚本登录始终存在风险。
- 这个框架大大降低了风险,但Greasemonkey和Tampermonkey可用的存储机制并不安全,浏览器供应商 CYA反对存储机密信息。如果坏人 您的用户脚本和您的浏览器数据,那么他可以对您的密码进行反向工程。当然,如果他有这个,他最有可能是你的一台机器。
- 聪明的事情是使用密码管理器,如 LastPass , KeePass 等。
- 绝对最糟糕的事情,是将凭据存储在用户脚本中。即使是客人也可以看到他们然后你会被黑客保证。
- Logging in with a userscript always carries risk.
- This framework greatly reduces that risk, but the storage mechanisms available to Greasemonkey and Tampermonkey are not secure and browser vendors CYA against storing confidential information. If a bad guy gets both your userscript and your browser data, then he can reverse engineer your password. Of course if he has that, he's most likely pwned one of your machines anyway.
- The smart thing to do is to use a password manager like LastPass, KeePass, etc.
- The absolute worst thing to do, is to store credentials in a userscript itself. Even a guest can see them then and you will be "hacked", guaranteed.
这篇关于在安装时在Greasemonkey脚本中存储用户登录/密码输入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
