
Storing API access token server-side

I have built an app in React that uses the Dropbox API and will be stored on AWS S3 and CloudFront. The app accesses the Dropbox folder using a token. At the moment this token is client-side and obviously is completely accessible.

I have tried reaching out to Dropbox and looked into cookies and HTML5 web storage, but can't seem to find a simple explanation.

What would be the simplest way of securing this token on the server?

There are a few pros and cons of storing an access token on the server.

However, the most secure way of storing it on your server is sending it to the server via an https link.

One major disadvantage of storing an access token on the server is that you, as the owner of the service, are bound to take the responsibility of securing the token. If your server is ever compromised, the hacker gets access to all the data of all the users by having simple access to all their access tokens.

You can always store the Dropbox access token on the client side as a storage variable. Each storage is accessible only to the scripts served from the same domain.

Edit:

If the Dropbox account is owned by the owner of the website and it should be hidden from the end user, you need to operate the Dropbox account from within the server. This Dropbox-accessing microservice has to be utilized as a proxy for accessing files.

