简体繁体 English

Node.js网站的用户身份验证

[英]User authentication for Node.js website

原文 2017-09-18 18:19:18 4 2 node.js/ authentication/ passport.js/ passport-local

I am building a website based on Node.js. 我正在建立一个基于Node.js的网站。

The approach that I am following to ensure safety of the APIs is as follows: 我遵循的确保API安全性的方法如下：

The user signs up with email and password . 用户使用电子邮件和密码注册 。
On successfull signup and login, the client receives a random generated token 成功注册和登录后，客户端会收到一个随机生成的令牌
It stores the token in local storage and passes the token as header in all subsequent requests . 它将令牌存储在本地存储中 ， 并将令牌作为标头传递到所有后续请求中 。
For every subsequent request the server checks the token and validates the user . 对于每个后续请求，服务器都会检查令牌并验证用户 。
Once the user logs out,the token stored in client's local storage gets deleted 用户注销后， 存储在客户端本地存储中的令牌将被删除
The user gets a new token when he logs in again . 用户再次登录时将获得一个新令牌 。

Is the above approach good enough?Please suggest better ways if any. 以上方法是否足够好？请提出更好的方法。

Also I have seen people using passport-local for authentication purpose. 我也看到有人使用本地护照进行身份验证。 How can passport-local help in the above way of authentication? 通过以上身份验证方式， 本地护照如何提供帮助？

2 个解决方案

It is not a good approach because of many reasons. 由于许多原因，这不是一个好方法。 For example: 例如：

In your approach, the user will not be able to log in from two browsers (Mobile+Desktop) at the same time. 在您的方法中，用户将无法同时从两个浏览器（Mobile + Desktop）登录。
It's very easy to steal a localStorage data by XSS attack. 通过XSS攻击窃取localStorage数据非常容易。 If you use server only Cookie, it's much harder. 如果仅使用服务器Cookie，则难度会更大。

Instead of random tokens, it would be better to use Json Web Token ( https://jwt.io/introduction/ ). 代替随机令牌，最好使用Json Web令牌（ https://jwt.io/introduction/ ）。 This would give you the easy way to verify the token is valid (the tokens are signed and has expiration time). 这将为您提供一种简单的方法来验证令牌是否有效（令牌已签名并具有到期时间）。