What are the differences between local Basic and Digest strategy in passportjs

Question

I understand the difference between Passport.js' Basic and Digest authentication, but what is the difference between the local strategy and Basic or Digest? In all three, you enter a username and password. Is the Basic strategy a type of user & password authentication? Please clarify.

Recommended answer

If I understand correctly, the differences between the Local, Basic and Digest strategies in Passport.js are subtle but important. Here's the rundown:

Local (passport-local)

Passport's local strategy is a simple username and password authentication scheme. It finds a given user's password from the username (or other identifier) and checks to see if they match. The main difference between the local strategy and the other two strategies is its use of persistent login sessions. This strategy should be used over SSL/TLS.

Basic (passport-http)

The Basic strategy implemented by Passport looks nearly identical to the local strategy, with one subtle difference. The basic strategy is to be used with API endpoints where the architecture is stateless. As a result, sessions are not required but can be used. This strategy should also use SSL/TLS. The session flag can be set like so:

app.get('/private', passport.authenticate('basic', { session: false }), function(req, res) {
  res.json(req.user);
});

Digest (passport-http)

The digest strategy is subtly different than the other two strategies in that it uses a special challenge-response paradigm so as to avoid sending the password in cleartext. This strategy would be a good solution when SSL/TLS wouldn't be available.

This is a good article on Basic vs. Digest: How to Authenticate APIs

Note: All three strategies make session support optional. The two passport-http strategies allow you to set the session flag while the Passport docs say this, regarding the passport-local strategy:

Note that enabling session support is entirely optional, though it is recommended for most applications.
