[英]JSON web token not storing data OR I can't access it correctly
I have a MEAN stack application that stores user information inside of a JSON Web token and I'm trying to add a value to the JSON web token for my application to reference. 我有一个MEAN堆栈应用程序,该应用程序将用户信息存储在JSON Web令牌内,并且我正在尝试向JSON Web令牌添加值,以供我的应用程序引用。 I believe the data is being stored in the JSON web token and I just can't access it, but I could be wrong.
我认为数据存储在JSON Web令牌中,但是我无法访问它,但是我可能是错的。
Here is where the JSON web Token is created server side: 这是在服务器端创建JSON Web令牌的位置:
userSchema.methods.generateJwt = function() {
console.log("I'm creating a JSON WebToken");
console.log(this.hasPaid); // HERE I CAN CLEARLY SEE THIS HAS THE VALUE I'M WANTING
var expiry = new Date();
expiry.setDate(expiry.getDate() + 7);
return jwt.sign({
_id: this._id,
email: this.email,
name: this.name,
hasPaid : this.hasPaid, // HERE IS THE VALUE I WANT
exp: parseInt(expiry.getTime() / 1000),
}, "MY_SECRET");
};
Here is my AngularJS authentication service : 这是我的AngularJS身份验证服务 :
var currentUser = function() {
if(isLoggedIn()){
var token = getToken();
var payload = token.split('.')[1];
payload = $window.atob(payload);
payload = JSON.parse(payload);
console.log(payload);
return {
email : payload.email,
name : payload.name,
hasPaid : payload.hasPaid // Here is my value
};
}
};
Then, inside my APP.JS I try to call the function: 然后,在我的APP.JS内部尝试调用该函数:
console.log(authentication.currentUser().hasPaid); // This works because when i call currentUser().name
Get token function : 获取令牌功能 :
var getToken = function () {
return $window.localStorage['mean-token'];
};
Thanks in advance! 提前致谢!
Well . 好 。 It seems to me that you will have hard time trying to decode the token client side, without using "MYSECRET" to decode it ( which is in fact a "security" feature of JWT).
在我看来,您将很难尝试解码令牌客户端,而无需使用“ MYSECRET”对其进行解码(这实际上是JWT的“安全”功能)。
A token can only be validated, changed, verified or manipulated in a any way outside the server that initially signed it 令牌只能在最初对其进行签名的服务器之外以任何方式进行验证,更改,验证或操作
EDIT : OK. 编辑 :好的。 My mistake.
我的错。 Is perfectly possible to decode PAYLOAD .
完全有可能解码PAYLOAD 。 without having the "SECRET" ( in fact is BASE64Encoded, what equals to ZERO security).
而无需使用“ SECRET”(实际上是BASE64Encoded,等于零安全性)。 What is not possible without the secret is to decode/verify the signature
没有秘密就不可能对签名进行解码/验证
Anyway, that's the reason because standard recommendation is to not save confidential/sensible/secret information on the payload of JWT. 无论如何,这就是原因,因为标准建议是不将机密/敏感/机密信息保存在JWT的有效负载上。
Saving there your the user email, roles, payment information it's a VERY HIGH security risk, because it can get stored on COOKIES and/or local storage. 将您的用户电子邮件,角色,付款信息保存在此非常安全,因为它可以存储在COOKIES和/或本地存储中。 So if an attacker can compromise the browser , can easily get this data
因此,如果攻击者可以破坏浏览器,则可以轻松获取此数据
An idea could sto store some unique id of the user that doesn't allow to login for example, a unique ID field, and maybe add some claims, like unique id's of Roles and or privileges, in somekind of secure form like MDHashed. 一个想法可能会存储一些不允许登录的唯一用户ID,例如一个唯一ID字段,并可能以MDHashed之类的安全形式添加一些声明,例如角色和特权的唯一ID。
So my suggestion for your token payload is something like: 所以我对令牌有效负载的建议是:
var crypto = require('crypto');
// some more code
var userClaims={ hasPaid: this.hasPaid}
return jwt.sign({
_id: this._id,
claims: crypto.createHash('md5').update(userClaims).digest('hex')
}, "MY_SECRET")
Note : forget my last three comments 注意 :忘记我的最后三个评论
I figured it out. 我想到了。 I apologize.
我道歉。 I was doing everything correctly if anyone wants to use this information the above functions will work.
如果有人要使用此信息,则我可以正确完成所有操作,以上功能将起作用。 However, I used a minify application and it was using the minified authentication service that I did not update.
但是,我使用了缩小应用程序,并且使用的是未更新的缩小认证服务。 Duh!!
h! Sorry guys.
对不起大家。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.