API Token Safety in Angular application

Question

I'm building an Angular app with an API backend. On a combination of pieces of advice, I built the API with a flavor of token authentication. The flow is roughly as follows:


  1. POST credentials to the login endpoint

  2. Verify the credentials and authorize, then generate a new token

  3. Return the token to the client

  4. The client accesses API resources using the token via HTTP Basic

This is all working well. The problem arises in creating a session based on this token. I don't believe I should simply hold the token on the client in a cookie, but I do need a session to persist between page refreshes, etc. My Angular app is stateless and completely populated via API calls.

I'm looking for a recommendation as to hanging on to this token on the client. I feel there's danger in holding the token in a cookie because the cookie could be stolen and simply used to authenticate as someone else, but perhaps this is incorrect.

Thanks in advance for your help!

Answer

Since it's an Angular app, I'd assume all authenticated methods will only be served to ajax requests (you can tell your server to only respond to ajax), in which case CORS will help you.

The only way to be completely secure is HTTPS; however, this method is probably more secure than you think. Read up on CORS a bit for more info, but essentially the idea is that servers will only respond to ajax requests coming from HTML pages that were served by that same domain.

Pre-flight OPTIONS requests are often sent to verify this. The browser sends an OPTIONS request with an Origin header (the origin of the page) before the actual request. If the origin matches the domain of the server receiving it, the subsequent request is allowed. Otherwise, it violates the Same Origin Policy and will be rejected.

This prevents someone from sniffing out the token and sending a request with the token from a page that your server didn't serve (like something running on the hacker's local machine).

If you are doing credit card transactions or anything super secure, you should use HTTPS though.

http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
