
Best practice for security of Meteor service access tokens

There are some good answers already about how to publish access tokens of Meteor user accounts from server to client. I'm just wondering whether it's better from a security perspective to:

  1. publish the current user's access token and make the request from the client, or
  2. keep the tokens hidden on the server, make the API calls from there, and return the results to the client?

If this is too subjective, let me rephrase it: from a security perspective, is there any difference between the two approaches?

Meteor's "database everywhere" philosophy suggests to me that it should be safe to publish private data, since the other user data being published would be considered private too. On the other hand, the more places the tokens are made available, the more vectors there are for them to be stolen. What would you recommend, and are there more important considerations?

EDIT: I suppose another consideration is that, at least for Google's REST API, you need to pass your app's client key as a parameter. It's probably best to keep that hidden from the end user, which would be an argument in favour of sending requests from the server.

It would be best to avoid sending the token to the client at all if it is possible. This is because even if there is only the slightest chance that some malicious toolbar/extension could access your JS and read the token, it's very bad for the user and for yourself.

You also have control over what the access can do.

For example, if it were Facebook and you published it to the client, it could be used to change their status in your app's name. On the server, where the token isn't exposed, this would not be possible.

You would also not be aware of changes made from the client, whereas you always would be on the server.

Unless your API has some kind of 'publishable key', never send an access token to the client.

Approach 2, where you proxy it through the server, is better.

The advantage of 1 (and pretty much the only one I can think of) is when the API provider has some kind of usage throttling that is per IP address (such as Twitter's hosepipe).
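As an added illustration of approach 2 (this is example code, not code from the question or the answer above): a server-side proxy in plain Node.js. It keeps each user's provider token in a server-only store, executes only operations from an allowlist (the "control over what the access can do" the answer refers to), records every upstream call in a server-side log, and strips token-like fields from the provider's response before it is returned to the client. The token store, user ids, provider name, operation names, REST paths and the fake upstream client are all constructed here so the code runs offline; in a Meteor app the same logic would sit in a server-only method and take the caller's identity from `this.userId` instead of a plain `userId` argument.

```javascript
// Added example: server-side proxy for third-party API tokens (approach 2).
// All names, paths and tokens below are constructed for the example.

// Server-only store: userId -> provider -> access token. Never published.
const serverTokenStore = new Map();

function storeToken(userId, provider, accessToken) {
  if (!serverTokenStore.has(userId)) serverTokenStore.set(userId, new Map());
  serverTokenStore.get(userId).set(provider, accessToken);
}

// Allowlist of upstream operations a client may request through the proxy.
// Read-only calls are allowed; anything that writes in the app's name is not
// listed, so a compromised client cannot ask the server to do it.
const ALLOWED_OPERATIONS = {
  getProfile: { method: 'GET', path: '/v1/me' },        // assumed path
  listPosts: { method: 'GET', path: '/v1/me/posts' },   // assumed path
};

// Fields that must never travel to the client even if the provider echoes them.
const SENSITIVE_KEYS = new Set(['access_token', 'refresh_token', 'id_token', 'client_secret']);

// Recursively drop token-like keys from a response payload.
function sanitize(value) {
  if (Array.isArray(value)) return value.map(sanitize);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [key, inner] of Object.entries(value)) {
      if (!SENSITIVE_KEYS.has(key)) out[key] = sanitize(inner);
    }
    return out;
  }
  return value;
}

// The proxy itself. `upstream` is an injected client ({method, path, headers}) ->
// {status, body}; `log` is a server-side audit array. In Meteor this would be a
// server-only Meteor.method and userId would come from this.userId.
function proxyApiCall({ userId, provider, operation, upstream, log }) {
  if (!userId) throw new Error('not-authorized');
  const op = ALLOWED_OPERATIONS[operation];
  if (!op) throw new Error('operation-not-allowed');
  const perUser = serverTokenStore.get(userId);
  const token = perUser ? perUser.get(provider) : undefined;
  if (!token) throw new Error('no-token-for-user');

  const response = upstream({
    method: op.method,
    path: op.path,
    headers: { Authorization: `Bearer ${token}` },
  });
  // Every upstream call is observed on the server, which a client-side call is not.
  log.push({ userId, provider, operation, status: response.status });
  return sanitize(response.body);
}

// Constructed stand-in for the provider's REST API (a real one would use HTTP).
// It accepts only the token it was built with and echoes the token in the
// profile payload, which is exactly what sanitize() is there to catch.
function makeFakeUpstream(validToken) {
  return ({ method, path, headers }) => {
    if (headers.Authorization !== `Bearer ${validToken}`) {
      return { status: 401, body: { error: 'invalid_token' } };
    }
    if (method === 'GET' && path === '/v1/me') {
      return { status: 200, body: { id: 'u1', name: 'Alice', access_token: validToken } };
    }
    if (method === 'GET' && path === '/v1/me/posts') {
      return { status: 200, body: [{ id: 'p1', text: 'hello' }] };
    }
    return { status: 404, body: {} };
  };
}

// End-to-end run with constructed data; returns what the client would receive
// plus the server-side audit log.
function demo() {
  const log = [];
  const token = 'constructed-token-1234';
  storeToken('alice', 'example-provider', token);
  const upstream = makeFakeUpstream(token);
  const profile = proxyApiCall({ userId: 'alice', provider: 'example-provider', operation: 'getProfile', upstream, log });
  const posts = proxyApiCall({ userId: 'alice', provider: 'example-provider', operation: 'listPosts', upstream, log });
  return { profile, posts, log };
}

module.exports = { storeToken, proxyApiCall, sanitize, makeFakeUpstream, demo, ALLOWED_OPERATIONS };
```

The client only ever sees the sanitized `profile` and `posts`; the bearer token, the operation allowlist and the audit log all stay on the server, which is also where an app-level client key (as in the Google REST API case mentioned in the question) would be attached to the upstream request.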
