node js - 如何安全地将令牌从 http get 请求传递到 html 页面?
[英]node js - How to safely pass token from http get request to html page?
问题描述
I am working on implementing my own custom password reset that sends an email where the user is taking to a page to reset their password.
我正在实施我自己的自定义密码重置,它会发送一封电子邮件,用户将在其中访问页面以重置他们的密码。
So far I have generated a unique token that gets put in an http get request link and emailed to the user.到目前为止,我已经生成了一个独特的令牌,它被放入一个 http get 请求链接并通过电子邮件发送给用户。
When the user clicks the link (example mywebsite.com/verifypasswordreset?id=96rZyAWLTu )当用户单击链接时(例如mywebsite.com/verifypasswordreset?id=96rZyAWLTu )
I have an express route that gets the token:我有一条获取令牌的快速路线:
//Verify Password Reset
app.get('/verifypasswordreset', function(req, res) {
Parse.Cloud.run('verifyPasswordReset', { token: req.param("id") }, {
success: function(user) {
res.sendFile(path.join(__dirname + '/website/resetpassword.html'));
},
error: function(error) {
res.sendFile(path.join(__dirname + '/website/404.html'));
}
});
});
I then run a Parse cloud code function that validates if the token exists and if so it responds by sending the html that contains a form for resetting the password.然后我运行一个 Parse 云代码函数来验证令牌是否存在,如果存在,它通过发送包含用于重置密码的表单的 html 进行响应。 ( resetpassword.html ) ( resetpassword.html )
At this point resetpassword.html page's url still has the token embedded in it ( mywebsite.com/verifypasswordreset?id=96rZyAWLTu ) however, as soon as the user submits the form, it does a http post and posts the new password, leaving the token behind in the link and thus I don't know which token is associated with the password reset?此时, resetpassword.html页面的 url 中仍然嵌入了令牌 ( mywebsite.com/verifypasswordreset?id=96rZyAWLTu ) 然而,一旦用户提交表单,它就会发送一个 http 帖子并发布新密码,留下链接后面的令牌,因此我不知道哪个令牌与密码重置相关联?
//Reset Password
app.post('/resetpassword', function(req, res) {
res.send('You sent the password "' + req.body.password + '".');
});
When the user submits the form to change their password, how can somehow get the token from the current url ( mywebsite.com/verifypasswordreset?id=96rZyAWLTu ) and include it in the http post request so my node js app can read it and knows which token is associated with the password reset?当用户提交表单以更改其密码时,如何以某种方式从当前 url ( mywebsite.com/verifypasswordreset?id=96rZyAWLTu ) 获取令牌并将其包含在 http post 请求中,以便我的 node js 应用程序可以读取它并知道哪个令牌与密码重置相关联?
Or alternatively, is their a better & safer way to keep track of the token?或者,他们是跟踪令牌的更好和更安全的方法吗?
*note ignore that I am using http I am going to buy an SSL certificate and use https before launch. *注意忽略我正在使用 http 我将购买 SSL 证书并在启动前使用 https。
1 个解决方案
解决方案1
1 已采纳 2016-04-29 11:08:50
I don't see the point of validating the token when you are simply sending a resetpassword.html page.当您只是发送一个 resetpassword.html 页面时,我看不到验证令牌的意义。 However, the token MUST be validated when actually updating the password for a user.但是,在实际更新用户密码时必须验证令牌。 So, here's a slightly modified workflow:所以,这里有一个稍微修改的工作流程:
User clicks the link (example mywebsite.com/passwordreset?id=96rZyAWLTu)用户单击链接(例如 mywebsite.com/passwordreset?id=96rZyAWLTu)
app.get('/passwordreset', function(req, res) {
res.sendFile(path.join(__dirname + '/website/resetpassword.html'));
});
Your resetpassword page's URL still has the token embedded.您的 resetpassword 页面的 URL 仍然嵌入了令牌。 Now, user submits the form, it does a http post and posts the new password.现在,用户提交表单,它会发送一个 http 帖子并发布新密码。
app.post('/passwordreset', function(req, res) {
Parse.Cloud.run('verifyPasswordReset', { token: req.param("id") }, {
success: function(user) {
//update user's password here
res.send('You sent the password "' + req.body.password + '".');
},
error: function(error) {
res.sendFile(path.join(__dirname + '/website/error.html'));
}
});
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.