
Angularjs and slim framework JWT authentication and token refresh flow

I would like to know if what I've done so far is a sound way of authenticating/renewing the token and if there are any flaws or vulnerabilities that I should be aware of, as I tried to limit database interaction to nil. Here goes.

  1. The user authenticates via normal username/password or via Facebook.
  2. The PHP backend generates a token with an expiration time of 30 minutes and sends it to the angularjs client.
  3. The JWT token gets stored in $localStorage.
  4. The JWT token is injected, with the help of an interceptor, in every request header.
  5. All the Slim routes that need authentication check the sent token with the help of a middleware.
  6. If the token is invalid (expired, has been tampered with, is not suitable for that particular role), Slim will respond with a 401/403 error.
  7. An angular service checks every minute if the token is about to expire.
  8. If the token is about to expire (5 to 1 minutes left), the service posts the old token to another API endpoint.
  9. The API endpoint checks the validity of the token and responds with a new one with an expiry time of +30 mins.
  10. The polling service I mentioned before replaces the old token in $localStorage.
  11. Rinse and repeat.

NB: SSL will be implemented in production.

Bounty awarded to @Valdas as he was the only one who actually answered.

There is no need to loop token expiration checking. I use https://github.com/auth0/angular-jwt as a library for my Angular projects, which provides a way to refresh the token just before the HTTP request is fired, simplifying the auth mechanism.

Also, you could remove the token from the request if it's loading a template (ends with .html), but this is just a personal preference.
