简体繁体 English

使用Node.js在JWT中存储秘密信息-Express后端

[英]Storing secret info in JWT, using Node.js - Express backend

原文 2017-05-15 11:58:06 8 1 node.js/ security/ jwt

I am developing an Angular web app that communicates to its back-end via RESTful API. 我正在开发一个通过RESTful API与后端通信的Angular Web应用程序。 Currently I am using JWTs to store the state (current user ID, etc). 目前，我正在使用JWT来存储状态（当前用户ID等）。 I use jsonwebtoken and passport-jwt packages to implement the JWT with my Node.js-Express application. 我使用jsonwebtoken和passport-jwt软件包通过Node.js-Express应用程序实现JWT。

Sometimes I might need to store in the state some information (for example, a secret encryption key) that is relevant to the session, but that should not be known by the user. 有时，我可能需要在状态中存储与会话相关但用户不应该知道的某些信息（例如，秘密加密密钥）。

Since the JWT payload is signed but not encrypted, its contents are plainly visible to anyone who cares to decode it, it is not appropriate to store secret content directly in the payload. 由于JWT有效负载已签名但未加密，因此任何希望对其进行解码的人都可以清楚地看到其内容，因此不适合将秘密内容直接存储在有效负载中。 While I could implement some kind of self-made encryption either of the whole JWT string or just the secret variable value in the payload, I am looking for the "right" or "traditional" way to handle this. 尽管我可以对整个JWT字符串或仅对有效负载中的秘密变量值实施某种自制的加密，但我正在寻找“正确”或“传统”的方式来进行处理。

1 个解决方案

The best way would be to store it only on the back end in some kind of persistent storage preferable hashed. 最好的方法是仅将其存储在后端（最好是散列的某种持久性存储）中。

If that isn't possible then you can store in the JWT but you would need to encrypt the data before putting it in there. 如果无法做到这一点，那么您可以将其存储在JWT中，但需要先对数据进行加密，然后再将其放入其中。

Bcrypt is probably the easiest solution that is still secure is https://www.npmjs.com/package/bcryptjs . Bcrypt可能是最安全的最简单解决方案，是https://www.npmjs.com/package/bcryptjs 。 Be aware that the more secure you want it the slower the encryption will be. 请注意，您想要的安全性越高，加密速度就越慢。