
Is it possible to secure a Rails API using a session cookie?

I have an issue. I have two Rails websites, site A and site B. Site A is a news website that has Devise as its auth system and uses Disqus with Single Sign-On to comment on content.

Site B is another news website that doesn't have any user auth system and uses Disqus to comment on content, but without Single Sign-On.

I want to permit users of site A to SSO on Disqus on site B. Disqus SSO uses this script:

require 'json'
require 'base64'
require 'openssl'

# DISQUS_SECRET_KEY and DISQUS_PUBLIC_KEY are expected to be defined elsewhere
# (e.g. loaded from the application's credentials).
def get_disqus_sso(user)
  # create a JSON packet of our data attributes
  data = {
    'id' => user['id'],
    'username' => user['username'],
    'email' => user['email']
    # 'avatar' => user['avatar'],
    # 'url' => user['url']
  }.to_json

  # encode the data to base64 (strip the newlines encode64 inserts)
  message = Base64.encode64(data).gsub("\n", "")
  # generate a timestamp for signing the message
  timestamp = Time.now.to_i
  # generate our HMAC-SHA1 signature over "message timestamp"
  sig = OpenSSL::HMAC.hexdigest('sha1', DISQUS_SECRET_KEY, '%s %s' % [message, timestamp])

  # return a script tag to insert the SSO message
  return "<script type=\"text/javascript\">
      var disqus_config = function() {
          this.page.remote_auth_s3 = \"#{message} #{sig} #{timestamp}\";
          this.page.api_key = \"#{DISQUS_PUBLIC_KEY}\";
      }
  </script>"
end

Of course on site B I don't have any users, but I'm thinking of creating a private API on site A that returns "#{message} #{sig} #{timestamp}\\" to a logged-in user.

Is it possible to create an API that returns something, using as the auth method the session cookie created by Devise after a successful auth?

I think that's possible by using JWT. The flow goes as follows (tested only with subdomains):

user uses siteA(stores generated jwt token in a cookie) --> siteB uses the jwt token in cookie --> sends token to siteA for user data --> gets user data.

JWT authentication example

Note: this only works for subdomains, and don't forget to sign the cookie to prevent tampering.
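The flow above, worked through end to end as an added example (not code from the question or the answer): site A mints a signed, short-lived HS256 JWT and sets it in a cookie on the parent domain; site B forwards that cookie value to site A's private API; site A verifies the token and only then builds the Disqus SSO triplet (`message sig timestamp`) from the question. The JWT is hand-rolled with OpenSSL so the example runs without the `jwt` gem; the secrets, the `.example.com` domain, the `users_by_id` lookup and all user data are constructed placeholders.

```ruby
require 'json'
require 'base64'
require 'openssl'

# Constructed placeholders: load real values from credentials, never hard-code.
JWT_SHARED_SECRET = 'replace-with-a-long-random-secret'.freeze
DISQUS_SECRET_KEY = 'disqus-secret-placeholder'.freeze

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str) # raises ArgumentError on malformed input
end

# Constant-time byte comparison so signature checks do not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Site A: mint a compact HS256 JWT (RFC 7519) for the logged-in user.
# `exp` bounds how long a leaked cookie stays useful.
def issue_jwt(user, secret: JWT_SHARED_SECRET, now: Time.now.to_i, ttl: 600)
  header  = b64url({ alg: 'HS256', typ: 'JWT' }.to_json)
  payload = b64url({ sub: user['id'].to_s, iat: now, exp: now + ttl }.to_json)
  signing_input = "#{header}.#{payload}"
  sig = OpenSSL::HMAC.digest('sha256', secret, signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

# Site A's private API: verify the JWT that site B forwards. Returns the claims
# hash, or nil when the token is malformed, uses another alg, is tampered with,
# or has expired.
def verify_jwt(token, secret: JWT_SHARED_SECRET, now: Time.now.to_i)
  parts = token.to_s.split('.')
  return nil unless parts.length == 3
  header_b64, payload_b64, sig_b64 = parts
  header = JSON.parse(b64url_decode(header_b64))
  # Pin the algorithm server-side; never let the token choose it.
  return nil unless header.is_a?(Hash) && header['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('sha256', secret, "#{header_b64}.#{payload_b64}")
  return nil unless secure_equal?(expected, b64url_decode(sig_b64))
  claims = JSON.parse(b64url_decode(payload_b64))
  return nil unless claims.is_a?(Hash)
  return nil unless claims['exp'].is_a?(Integer) && now < claims['exp']
  claims
rescue ArgumentError, JSON::ParserError
  nil
end

# Site A: the Disqus SSO triplet from the question, built only for a verified user.
def disqus_sso_payload(user, secret: DISQUS_SECRET_KEY, now: Time.now.to_i)
  data = { 'id' => user['id'], 'username' => user['username'], 'email' => user['email'] }.to_json
  message = Base64.strict_encode64(data)
  sig = OpenSSL::HMAC.hexdigest('sha1', secret, "#{message} #{now}")
  "#{message} #{sig} #{now}"
end

# Cookie attributes site A should use so a subdomain (site B) can read the token
# while scripts and plain-HTTP requests cannot; `domain` is a constructed example.
def sso_cookie(token, domain: '.example.com')
  { value: token, domain: domain, httponly: true, secure: true, same_site: :lax }
end

# End to end: site B forwards the cookie value, site A verifies and answers.
# `users_by_id` stands in for the Devise user lookup (assumption).
def fetch_sso_for_cookie(cookie_value, users_by_id, now: Time.now.to_i)
  claims = verify_jwt(cookie_value, now: now)
  return nil unless claims
  user = users_by_id[claims['sub']]
  return nil unless user
  disqus_sso_payload(user, now: now)
end

if $PROGRAM_NAME == __FILE__
  users = { '42' => { 'id' => 42, 'username' => 'alice', 'email' => 'alice@example.com' } }
  token = issue_jwt(users['42'])
  puts sso_cookie(token).inspect
  puts fetch_sso_for_cookie(token, users)
end
```

The API on site A should reject anything `verify_jwt` returns nil for with a 401 and return the triplet only over HTTPS; rotating `JWT_SHARED_SECRET` invalidates every outstanding cookie at once, which is the recovery path if it leaks.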
