堆栈内存溢出
  简体   繁体   English

如何存储命令行工具的敏感信息?

[英]How to Store Sensitive Information for a Command Line Tool?

 原文  2016-12-23 23:22:37       node.js/ command-line/ client

问题描述

Let's say you build a client that sits on top of an API that requires an access token. 假设您构建的客户端位于需要访问令牌的API之上。 Users of the client can plug in their access token, and life is great. 客户端的用户可以插入他们的访问令牌,生活很美好。

Let's say you want to build a simple command line tool that executes commands that use this client. 假设您要构建一个简单的命令行工具来执行使用此客户端的命令。 And let's say you want to make this tool externally accessible via some package management system (eg npm, pypi, etc.). 假设您想通过某些软件包管理系统(例如npm,pypi等)从外部访问此工具。

Is there a way to do this without exposing the access token that the command line tool would be using? 有没有一种方法可以在不暴露命令行工具将使用的访问令牌的情况下做到这一点?

Obviously, you could have every user of this command line tool input their own access token vs. using the application's access token. 显然,您可以让此命令行工具的每个用户输入自己的访问令牌,而不是使用应用程序的访问令牌。

1 个解决方案

解决方案1
 0  2016-12-23 23:56:55

If you prefer to restrict who can download your tool and leave the application access token in, you could use Artifactory or a similar product to set up a private repository. 如果您希望限制谁可以下载工具并保留应用程序访问令牌,则可以使用Artifactory或类似产品来建立私有存储库。 The downside (besides not being able to do anything about unauthorized redistribution) is that your users will need to add their authentication details to their .npmrc or similar in order to connect to the private repo, so you're really just putting the problem at one remove. 缺点(除了无法进行未经授权的再分发以外)是用户需要将其身份验证详细信息添加到其.npmrc或类似内容中才能连接到私有存储库,因此您实际上只是在解决问题一删除。 And if you're going through npm you'll need to scope your package names or make users juggle multiple registries. 而且,如果您要通过npm,则需要确定软件包名称的范围或使用户使用多个注册表。

Your tool could also read a config file on startup and get the user access token from that, like how you would read connection information for a local database. 您的工具还可以在启动时读取配置文件,并从中获取用户访问令牌,就像您如何读取本地数据库的连接信息一样。 The configuration file isn't distributed, or is shipped as a sample with the intention for the end user to edit their details in before use. 配置文件未分发,或作为示例提供,供最终用户在使用前编辑其详细信息。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在Node.js命令行应用程序中存储有关分离的子进程的信息 - how to store information about detached child process in nodejs command line application 如何取消npm命令行工具的链接? - How to unlink a npm command-line tool? 如何在gulp中组合文件名以用作命令行工具的参数? - How to combine filenames in gulp to use as arguments for a command line tool? 如何对使用命令行参数的工具进行单元测试 - How to unit test a tool that uses command-line-args 如何创建一个可以全局安装的nodejs命令行工具? - How to create a nodejs-command-line-tool that it can be installed globally? 如何查看NodeJS命令行工具的可用选项? - How can I view the available options for a NodeJS command line tool? 用节点编写命令行工具 - Writing command line tool with node 未在 Swift 命令行工具中接收 DistributedNotificationCenter - Not receiving DistributedNotificationCenter in Swift Command Line Tool Express JS 4.0命令行工具无法正常工作 - Express JS 4.0 command line tool not working node.js命令行工具 - node.js command line tool
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM