API Token Safety in Angular application


Question

I'm building an Angular app with an API backend. On a combination of pieces of advice, I built the API with a flavor of token authentication. The flow is roughly as follows:

  1. POST credentials to a login endpoint
  2. Verify the credentials and authorization, then generate a new token
  3. Return the token to the client
  4. The client accesses API resources using the token via HTTP Basic

This is all working well. The problem arises in creating a session based on this token. I don't believe I should simply hold the token on the client in a cookie, but I do need a session to persist between page refreshes, etc. My Angular app is stateless and completely populated via API calls.

I'm looking for a recommendation as to hanging on to this token on the client. I feel there's danger in holding the token in a cookie because the cookie could be stolen and simply used to authenticate as someone else, but perhaps this is incorrect.

Thanks in advance for your help!

Answer

Since it's an Angular app, I'd assume all authenticated methods will only be served to AJAX requests (you can tell your server to only respond to AJAX), in which case CORS will help you.

The only way to be completely secure is HTTPS; however, this method is probably more secure than you think. Read up on CORS a bit for more info, but essentially the idea is that servers will only respond to AJAX requests coming from HTML pages that were served by that same domain.

Pre-flight OPTIONS requests are often sent to verify this. The browser sends an OPTIONS request with an Origin header (the origin of the page) before the actual request. If the origin matches the domain of the server receiving it, the subsequent request is allowed. Otherwise, it violates the Same-Origin Policy and will be rejected.

This prevents someone from sniffing out the token and sending a request with the token from a page that your server didn't serve (like something running on the hacker's local machine).

If you are doing credit card transactions or anything super secure, you should use HTTPS, though.

http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
