JSON Web令牌(JWT)作为用于激活电子邮件的URL [英] JSON Web Token (JWT) as a url for email activation
问题描述
将JWT用作电子邮件中的激活URL有多安全?
How secure it is to make JWT as the activation url in email?
For example: Click link to activate your account http://127.0.0.1:8000/account/activate/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ0b3B0YWwuY29tIiwiZXhwIjoxNDI2NDIwODAwLCJodHRwOi8vdG9wdGFsLmNvbS9qd3RfY2xhaW1zL2lzX2FkbWluIjp0cnVlLCJjb21wYW55IjoiVG9wdGFsIiwiYXdlc29tZSI6dHJ1ZX0.yRQYnWzskCZUxPwaQupWkiUzKELZ49eM7oWxAQK_ZXw
推荐答案
URL中JWT令牌的用例是:
Use-cases for a JWT token in a url are: 这两种都是一次性令牌的良好候选者(单击它们后将过期). Both of these are good candidates for single-use tokens (which expire after they have been clicked). 是的,是的.只需确保每个电子邮件只能激活一次即可(并且不要使用示例中可怕的秘密"密钥,如果可以伪造签名,则可以跳过验证). So, yes. Just make sure that each email can be activated only once (and don't use the terrible "secret" key from your example, if the signature can be faked, then your verification can be bypassed). 这篇关于JSON Web令牌(JWT)作为用于激活电子邮件的URL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!