Force Proxy re-authentication in Chrome Extension

Question

I'm making an extension which allows users to store proxy servers with auth credentials (user/pass) and switch between servers. I am listening for the webRequest.onAuthRequired event and when the server challenges for auth, providing the username/password the user has saved, as per the provideCredentialsSync example here: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest/onAuthRequired#Examples

The problem is that when these credentials are provided, they seem to get saved/cached somewhere in the extension that the developer does not have access to, and then are continually re-used. So, if the extension user then changes their credentials to be incorrect, the browser automatically keeps using the authenticated creds in its Proxy-Authorization header and the request succeeds. Vice-versa, if authentication fails, and the request is cancelled as per the above example, then the user changes their creds to be correct, the server does not challenge for authentication again and the request fails with no way to offer the new creds.

Chrome also does not allow modification of the outgoing Proxy-Authorization header, meaning it cannot be deleted/changed in the code to force the server to challenge again.

So I guess the core questions are:

  • Does anyone know where the details are saved when returned from the webRequest.onAuthRequired listener, and is there a way to clear/purge?

  • What actually happens when {cancel: true} is returned and why do all requests to that server then continue to fail without firing another onAuthRequired?

Thanks for any light anyone can shed!

Recommended answer

The problem is that when these credentials are provided, they seem to get saved/cached somewhere in the extension that the developer does not have access to, and then are continually re-used

Not exactly... Proxy servers do NOT send Auth requests (407 Proxy Authentication Required) on every connection request. They often check that periodically (depending on their set-up).

Browser also may cache (for example in case of Auto-Login in Firefox but Chrome doesn't have it).

Does anyone know where the details are saved when returned from the webRequest.onAuthRequired listener, and is there a way to clear/purge?

The important point is, there is no need for a client to send different credentials to the same server if the previous ones were correct.

The server requests credentials:

  • if correct ones are passed, it is allowed and both server and browser keep that for a while
  • if wrong ones are passed, browser doesn't keep it but server may block repeated attempts for a while and then re-request authentication

You can remove & restart webRequest.onAuthRequired but personally I haven't found a real need to do so for new credentials, except when I was testing bad-authentication results during development by intentionally sending wrong credential which should NOT be the case for client use.

webRequest.onAuthRequired is fired whenever server requests it. You can try logging it to see how often the server does it.

Extension code (I mean the developer code, not the browser) may also cache credential (to avoid making async calls and slowing down the authentication and therefore the connection).

Personally, I cache all credentials for all proxies and then respond to auth requests accordingly. Otherwise, you can change the extension code caching object and/or remove & restart webRequest.onAuthRequired.

What actually happens when {cancel: true} is returned and why do all requests to that server then continue to fail without firing another onAuthRequired?

That depends on both extension code and server settings. Server settings may block connections for a period of time after unsuccessful authentication (to prevent DDoS attacks).

Extension code can also check for the right authentication before sending {cancel: true} which kills the connection. In practice, sending {cancel: true} is rarely needed.

There is also a possibility of getting into a bad-authentication loop which will cause the connection to fail and can lock up the browser.

In Chrome, I would use (do use & must use) a Promise which is the right way to authenticate as the code stops executing until promise is resolved. Using a callback function (that Chrome API uses) does not do that which could be the cause of your problem.

To simplify:

  • add webRequest.onAuthRequired
  • On Auth request, start a new Promise to get the correct credentials
  • Prepare for avoiding Bad-Authentication loop
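
The three steps listed in the answer, sketched as an added example that is not part of the original answer or of any real extension: credentials are looked up through a Promise on every challenge, and a per-request counter cancels the request once the same request has been challenged too often, which breaks the bad-authentication loop. The names MAX_ATTEMPTS, savedProxies, loadCredentials, decide and forget are hypothetical, the proxy entry is constructed sample data, and registration assumes Chrome's 'asyncBlocking' listener form.

```javascript
// Added example: all names and the stored proxy entry below are hypothetical.
const MAX_ATTEMPTS = 2;        // challenges answered per request before giving up
const attempts = new Map();    // requestId -> number of challenges seen so far

// Constructed sample store; a real extension would read its own storage here.
const savedProxies = {
  'proxy.example.test:8080': { username: 'alice', password: 's3cret' },
};

// Asynchronous lookup on every challenge, so edited credentials are used next time.
function loadCredentials(key) {
  return Promise.resolve(savedProxies[key] || null);
}

// Decision step: what to answer for this challenge with the credentials found.
function decide(details, creds) {
  if (!details.isProxy) return {};              // origin-server auth: take no action
  const seen = (attempts.get(details.requestId) || 0) + 1;
  attempts.set(details.requestId, seen);
  // A repeated challenge for the same request means the last answer was rejected.
  if (!creds || seen > MAX_ATTEMPTS) return { cancel: true };
  return { authCredentials: { username: creds.username, password: creds.password } };
}

function onAuthRequired(details) {
  const key = `${details.challenger.host}:${details.challenger.port}`;
  return loadCredentials(key).then((creds) => decide(details, creds));
}

// Drop the counter once the request has finished or failed.
function forget(details) {
  attempts.delete(details.requestId);
}

// Register only when running inside an extension context.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  const filter = { urls: ['<all_urls>'] };
  chrome.webRequest.onAuthRequired.addListener(
    (details, respond) => { onAuthRequired(details).then(respond); },
    filter, ['asyncBlocking']);
  chrome.webRequest.onCompleted.addListener(forget, filter);
  chrome.webRequest.onErrorOccurred.addListener(forget, filter);
}
```

Logging `details.requestId` and the counter inside `decide` also shows how often the proxy actually issues a challenge.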
