JSON Web Token (JWT) as a URL for email activation


Problem description

How secure is it to use a JWT as the activation URL in an email?

For example: click the link to activate your account http://127.0.0.1:8000/account/activate/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ0b3B0YWwuY29tIiwiZXhwIjoxNDI2NDIwODAwLCJodHRwOi8vdG9wdGFsLmNvbS9qd3RfY2xhaW1zL2lzX2FkbWluIjp0cnVlLCJjb21wYW55IjoiVG9wdGFsIiwiYXdlc29tZSI6dHJ1ZX0.yRQYnWzskCZUxPwaQupWkiUzKELZ49eM7oWxAQK_ZXw

Recommended answer

Use cases for a JWT token in a URL are:

  • account verification - when you email a person a link after they register on your site. https://yoursite.co/account/verify?token=jwt.goes.here
  • password reset - ensures that the person resetting the password has access to the email belonging to the account. https://yoursite.co/account/reset-password?token=jwt.goes.here

Both of these are good candidates for single-use tokens (which expire after they have been clicked).

So, yes. Just make sure that each email can be activated only once (and don't use the terrible "secret" key from your example; if the signature can be faked, then your verification can be bypassed).
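A minimal implementation of what the answer recommends, written for this page as an added example rather than code from the question or the answer: an HS256 activation token carrying an expiry and a unique token id (jti), verified with a server-chosen algorithm and a constant-time MAC comparison, and recorded as consumed after its first use so the same link cannot activate twice. The random key, the `purpose` claim and the `ActivationStore` class are assumptions; the store stands in for a database table, and the JWT encoding is hand-rolled on the standard library only so the snippet runs offline.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: in a real deployment this key comes from configuration or a
# secrets manager. It is generated at import time here only so the example
# runs stand-alone; a guessable literal like "secret" lets anyone forge tokens.
SECRET_KEY = secrets.token_bytes(32)


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding base64 needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_activation_token(user_id: int, ttl_seconds: int = 24 * 3600,
                           now: Optional[int] = None, key: bytes = SECRET_KEY) -> str:
    """Mint an HS256 JWT that authorises activating one account, once."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": str(user_id),               # which account the link activates
        "purpose": "activate",             # hypothetical claim: keeps a reset token from being replayed here
        "iat": now,
        "exp": now + ttl_seconds,          # link stops working after the TTL
        "jti": secrets.token_urlsafe(16),  # unique id, recorded once the link is used
    }
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


class ActivationStore:
    """Hypothetical in-memory stand-in for the database table that records
    which token ids (jti) have already been consumed."""

    def __init__(self) -> None:
        self.used_jti: set = set()


def verify_activation_token(token: str, store: ActivationStore,
                            now: Optional[int] = None, key: bytes = SECRET_KEY) -> str:
    """Validate the token from the activation URL and return the user id.

    Raises ValueError on any failure; the caller should treat every failure
    the same way (a generic 'invalid or expired link' page).
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # The server decides the algorithm; a token that names any other
    # algorithm (including "none") is rejected before anything is trusted.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")

    # Recompute the MAC over header.payload and compare in constant time.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("purpose") != "activate":
        raise ValueError("wrong token purpose")
    if now >= int(payload["exp"]):
        raise ValueError("token expired")

    # Single use, the answer's main point: record the jti the first time it is
    # seen and refuse it afterwards, even though the signature is still valid.
    jti = payload.get("jti")
    if not jti or jti in store.used_jti:
        raise ValueError("token already used")
    store.used_jti.add(jti)
    return payload["sub"]
```

In a real service the `used_jti` set would be a column or table keyed on the jti (or simply a flag on the user row, since the account itself only needs activating once), and the token would be handed to a maintained JWT library with the algorithm pinned rather than to this hand-written decoder.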

