[英]User authentication for Node.js website
I am building a website based on Node.js. 我正在建立一个基于Node.js的网站。
The approach that I am following to ensure safety of the APIs is as follows: 我遵循的确保API安全性的方法如下:
Is the above approach good enough?Please suggest better ways if any. 以上方法是否足够好?请提出更好的方法。
Also I have seen people using passport-local for authentication purpose. 我也看到有人使用本地护照进行身份验证。 How can passport-local help in the above way of authentication?
通过以上身份验证方式, 本地护照如何提供帮助?
It is not a good approach because of many reasons. 由于许多原因,这不是一个好方法。 For example:
例如:
In your approach, the user will not be able to log in from two browsers (Mobile+Desktop) at the same time. 在您的方法中,用户将无法同时从两个浏览器(Mobile + Desktop)登录。
It's very easy to steal a localStorage data by XSS attack. 通过XSS攻击窃取localStorage数据非常容易。 If you use server only Cookie, it's much harder.
如果仅使用服务器Cookie,则难度会更大。
Instead of random tokens, it would be better to use Json Web Token ( https://jwt.io/introduction/ ). 代替随机令牌,最好使用Json Web令牌( https://jwt.io/introduction/ )。 This would give you the easy way to verify the token is valid (the tokens are signed and has expiration time).
这将为您提供一种简单的方法来验证令牌是否有效(令牌已签名并具有到期时间)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.