Using dropboxjs to authenticate the client with oauth 2. What about the server?


Question

I'm new to Oauth and server-side stuff, so please be patient with me.

I have a web application that authenticates users with dropbox-js. Everything is pretty straightforward. The application uses dropbox-js' client.authenticate function, and if the user is authenticated, the application gets automatically redirected to the initial page, where it executes the authenticate callback. From that moment on, I know I'm happily authenticated with Dropbox, and I can do stuff with the app's Dropbox directory.

I got a public node.js server that currently does nothing. What I would like to do is:

  • As soon as the client is authenticated, call my server and tell it that this user has been authenticated.

  • If the user does not exist in the server's database, create a database entry for them (I don't need a detailed explanation of this part). If the user exists, send back the user's associated data.

How can I do that in a secure way? I mean, how can the server tell that the user is a valid Dropbox user? Should the server authenticate to Dropbox on its side with the user credentials? What is the workflow in these cases?

Answer

At the end of the authentication process, you have an access token, which is what's used to make calls to the API. If both the client and the server need to make calls to the API, then both will need to have the access token.

If you're doing the authentication client-side today, you could pull the access token out somehow (not sure if/how it's exposed from the library, but it's in there somewhere and also stored in local storage) and pass it to the server. The server can then use it to call /account/info and get the Dropbox user ID of the authenticated user.

An alternative is to do it the other way around. Authenticate the user with the "code flow" (rather than "token flow") and get the access token on the server in the first place. Then you could pass it down to the client and pass it as an option in the Dropbox.Client constructor. I think that dropbox-js supports this itself, but it's also not hard to do yourself. Here's some raw Express code that logs in a user and displays his or her name:

var crypto = require('crypto'),
    express = require('express'),
    cookieParser = require('cookie-parser'), // bundled as express.cookieParser() in Express 3
    request = require('request'),
    url = require('url');

var app = express();
app.use(cookieParser());

// insert your app key and secret here (the secret stays on the server and is never sent to the browser)
var appkey = '<your app key>';
var appsecret = '<your app secret>';

// Random, URL-safe value tied to this browser session; Dropbox echoes it back as `state`
function generateCSRFToken() {
    return crypto.randomBytes(18).toString('base64')
        .replace(/\//g, '-').replace(/\+/g, '_');
}

// The same redirect URI must be sent in the authorize request and in the token
// exchange, and must be registered for the app; otherwise the exchange is refused
function generateRedirectURI(req) {
    return url.format({
            protocol: req.protocol,
            host: req.headers.host,
            pathname: app.path() + '/callback'
    });
}

app.get('/', function (req, res) {
    var csrfToken = generateCSRFToken();
    // httpOnly so page scripts cannot read the value; secure when served over TLS
    res.cookie('csrf', csrfToken, { httpOnly: true, secure: req.secure });
    res.redirect(url.format({
        protocol: 'https',
        hostname: 'www.dropbox.com',
        pathname: '/1/oauth2/authorize', // API v1 endpoint, as in the original answer
        query: {
            client_id: appkey,
            response_type: 'code',
            state: csrfToken,
            redirect_uri: generateRedirectURI(req)
        }
    }));
});

app.get('/callback', function (req, res) {
    if (req.query.error) {
        return res.send('ERROR ' + req.query.error + ': ' + req.query.error_description);
    }

    // check CSRF token: reject when either side is missing, not only when they differ
    // (with both undefined, a plain `!==` comparison would let the request through)
    if (!req.query.state || !req.cookies.csrf || req.query.state !== req.cookies.csrf) {
        return res.status(401).send(
            'CSRF token mismatch, possible cross-site request forgery attempt.'
        );
    }
    // the state value is single-use
    res.clearCookie('csrf');

    // exchange access code for bearer token; the app secret authenticates our server to Dropbox
    request.post('https://api.dropbox.com/1/oauth2/token', {
        form: {
            code: req.query.code,
            grant_type: 'authorization_code',
            redirect_uri: generateRedirectURI(req)
        },
        auth: {
            user: appkey,
            pass: appsecret
        }
    }, function (error, response, body) {
        if (error) {
            return res.status(502).send('Token exchange failed: ' + error.message);
        }
        var data;
        try {
            data = JSON.parse(body);
        } catch (e) {
            return res.status(502).send('Unexpected response from token endpoint.');
        }

        if (data.error) {
            return res.send('ERROR: ' + data.error);
        }

        // extract bearer token
        var token = data.access_token;

        // use the bearer token to make API calls; this is also how the server learns
        // the Dropbox user ID it should key its own database on (data.uid / info.uid)
        request.get('https://api.dropbox.com/1/account/info', {
            headers: { Authorization: 'Bearer ' + token }
        }, function (error, response, body) {
            if (error) {
                return res.status(502).send('Account lookup failed: ' + error.message);
            }
            var info;
            try {
                info = JSON.parse(body);
            } catch (e) {
                return res.status(502).send('Unexpected response from account endpoint.');
            }
            res.send('Logged in successfully as ' + info.display_name + '.');
        });

        // write a file
        // request.put('https://api-content.dropbox.com/1/files_put/auto/hello.txt', {
        //  body: 'Hello, World!',
        //  headers: { Authorization: 'Bearer ' + token }
        // });
    });
});

app.listen(8000);
