I have an Express application setup and need some advice on storing tokens.
我有一个Express应用程序设置,需要一些关于存储令牌的建议。
I am receiving an access token from an OAuth 2 server after authenticating a user account, which I then need to use for subsequent api requests.
我在验证用户帐户后从OAuth 2服务器收到访问令牌,然后我需要将其用于后续的api请求。
I want to hide the token value from the client and I believe one way of doing this is to save the token on the server in an encoded cookie so that when further requests are made, these can be routed through middleware and the cookie can then be used for retrieval of the token stored sever side and then used as a header value in the ongoing request to the actual api endpoint.
我想隐藏来自客户端的令牌值,我相信这样做的一种方法是将令牌保存在服务器上的编码cookie中,以便在进一步请求时,可以通过中间件路由这些令牌,然后cookie就可以了用于检索令牌存储的服务器端,然后用作对实际api端点的持续请求中的头值。
Someone has actually already asked this question - How to store an auth token in an Angular app This is exactly the flow I am working with in my application but the answer talks about using an Angular service and I'm not so sure I would want to do this, surely this can all be handled by Express so the client side code doesnt need to know about the token, just any errors the API server returns back.
实际上有人已经问过这个问题 - 如何在Angular应用程序中存储身份验证令牌这正是我在我的应用程序中使用的流程,但答案是关于使用Angular服务而我不太确定我想要这样做,肯定这一切都可以由Express处理,因此客户端代码不需要知道令牌,只需要知道API服务器返回的任何错误。
So summary of flow I think I need:
所以我想我需要的流程摘要:
- User submits login credentials
- OAuth 2 server returns access token
- Token is saved somewhere in Express, keyed by an id of sorts
- A cookie is generated and sent back in response to the client. Cookie contains token value encoded perhaps? Or maybe the id of token value stored in Express middleware component?
- Client makes an api request, which Express route middleware picks up.
- Express checks for presence of cookie and either decodes the token value, or somehow retrieves from storage mechanism server side.
- Token value is then used as a header between express and final api endpoint
用户提交登录凭据
OAuth 2服务器返回访问令牌
令牌被保存在Express中的某个地方,由各种ID键入
生成cookie并将其发回以响应客户端。 Cookie包含可能编码的令牌值?或者也许存储在Express中间件组件中的令牌值的id?
客户端发出一个api请求,Express路由器中间件被选中。
快速检查cookie的存在并解码令牌值,或以某种方式从存储机制服务器端检索。
然后将令牌值用作快速和最终api端点之间的标头
There is probably middleware already out there that handles this kinda thing, I have already seen PassportJS which seems to be the kinda thing I may want to use, but I'm not so sure it handles the OAuth2 token flow on the server I am working against (password grant) and instead seems to be more suited to the redirect login OAuth flow.
可能已经存在处理这种事情的中间件,我已经看过PassportJS,这似乎是我可能想要使用的东西,但我不太确定它处理我正在工作的服务器上的OAuth2令牌流反对(密码授予),而似乎更适合重定向登录OAuth流。
I surely need somewhere to save the token value in Express, so some form of storage (not in memory I dont think).
我肯定需要某处保存Express中的令牌值,所以某种形式的存储(不在内存中我不认为)。
I am fairly new to Express so would appreciate any suggestions\advice on how to approach this.
我是Express的新手,所以我会很感激任何有关如何处理此问题的建议或建议。
Thanks
1 个解决方案
#1
5
The most secure way to do this is just as you described:
最安全的方法就像你描述的那样:
- Get an OAuth token from some third party service (Google, Facebook, whatever).
- Create a cookie using Express, and store that token in the cookie. Make sure you also set the
secureandhttpOnlycookie flags when you do this: this ensures the cookie CANNOT BE READ by client-side Javascript code, or over any non-SSL connection. - Each time the user makes a request to your site, that cookie can be read by your middleware in Express, and used to make whatever API calls you need to the third party service.
从某些第三方服务(Google,Facebook等)获取OAuth令牌。
使用Express创建cookie,并将该令牌存储在cookie中。确保在执行此操作时还设置了安全和httpOnly cookie标记:这可确保cookie不会被客户端Javascript代码或任何非SSL连接读取。
每次用户向您的站点发出请求时,您的中间件都可以在Express中读取该cookie,并用于向第三方服务进行所需的任何API调用。
If your service also needs to make asynchronous requests to Google / Facebook / etc. when the user is NOT actively clicking around on your site, you should also store their token in your user database somewhere as well -- this way you can make requests on behalf of the user whenever you need to.
如果您的服务还需要在用户没有主动点击您的网站时向Google / Facebook /等发出异步请求,那么您也应该将他们的令牌存储在您的用户数据库中 - 这样您就可以在代表用户随时随地。
I'm the author of express-stormpath, a Node auth library (similar to Passport), and this is how we do things over there to ensure maximal security!
我是express-stormpath的作者,一个Node auth库(类似于Passport),这就是我们在那里做的事情,以确保最大的安全性!
#1
5
The most secure way to do this is just as you described:
最安全的方法就像你描述的那样:
- Get an OAuth token from some third party service (Google, Facebook, whatever).
- Create a cookie using Express, and store that token in the cookie. Make sure you also set the
secureandhttpOnlycookie flags when you do this: this ensures the cookie CANNOT BE READ by client-side Javascript code, or over any non-SSL connection. - Each time the user makes a request to your site, that cookie can be read by your middleware in Express, and used to make whatever API calls you need to the third party service.
从某些第三方服务(Google,Facebook等)获取OAuth令牌。
使用Express创建cookie,并将该令牌存储在cookie中。确保在执行此操作时还设置了安全和httpOnly cookie标记:这可确保cookie不会被客户端Javascript代码或任何非SSL连接读取。
每次用户向您的站点发出请求时,您的中间件都可以在Express中读取该cookie,并用于向第三方服务进行所需的任何API调用。
If your service also needs to make asynchronous requests to Google / Facebook / etc. when the user is NOT actively clicking around on your site, you should also store their token in your user database somewhere as well -- this way you can make requests on behalf of the user whenever you need to.
如果您的服务还需要在用户没有主动点击您的网站时向Google / Facebook /等发出异步请求,那么您也应该将他们的令牌存储在您的用户数据库中 - 这样您就可以在代表用户随时随地。
I'm the author of express-stormpath, a Node auth library (similar to Passport), and this is how we do things over there to ensure maximal security!
我是express-stormpath的作者,一个Node auth库(类似于Passport),这就是我们在那里做的事情,以确保最大的安全性!