File download in Angular and JWT


Question

TL;DR

How to download/save a file using Angular and JWT authentication without leaving a token trail in the browser?

My Angular/Node app is secured over HTTPS and uses JWT for authentication. The JWT is stored in sessionStorage and passed in the Authorization header field for all AJAX requests to the server.

I need functionality in the app to download a file so that it's automatically saved by the browser (or a popup displayed where to save etc.).

It should work ideally in any browser that can run Angular.

I have looked at the following:

1. AJAX requests. This doesn't work because of inherent security measures preventing a browser from saving a file locally.

2. Pass the JWT in a cookie - cookies are something I want to avoid using, hence the reason for using sessionStorage.

3. Pass the JWT in a query string, but this means it will be logged in the server logs and, more importantly, can be seen in browser history.

4. iframe that contains a form that POSTs the data. Can't set a header with this method.

Any other options?

Answer

After scouring the web for solutions and not finding anything satisfactory, I finally arrived at a solution that uses bits and pieces of advice from all over.

Hope this helps someone looking for a secure solution.

I used the iframe solution as described by Bagofjuice, but using the jquery.filedownload plugin (see https://github.com/johnculviner/jquery.fileDownload).

This is what I did to secure this request:

When a user clicks the download button or link, I request a new token from the server (created a dedicated server API call for this) that I append as a query string to the file download URL and then use the filedownload plugin to download the file. Note that this token has a very short expiration time since it is used immediately to download the file and should not be used more than once.

Then on the server side, when a token comes via a query parameter, I serve the response and expire the token immediately (in addition to the expiration time to eliminate even the smallest of windows for exploitation).

Techniques for instant expiration can vary. The one I used is that when I create this temporary token, I store it in an in-memory cache and upon first usage, I remove it from the cache. If it does not exist in the cache when I receive it via a request, I consider it an invalid token. This prevents the token from being used more than once via a query parameter. Thus, it does not matter if this is logged in server-side logs or leaves a trail on the browser. For web farms, you can easily store this in a distributed cache.
