Request for Feedback: multi-step API Authentication using multiple endpoints

I am building an API that will authenticate using the following flow.

Endpoints:
- WWW:/login - this is the HTML5 frontend using JS ajax calls
- API:/check_password - checks email/password combo.
- API:/check_otp - checks OTP (One-time password) for user.
- API:/login - sets authentication session cookie

Assumption:
- API:/check_otp will always and only ever be called after API:/check_password.
- Even if the frontend (WWW:/login) is malicious, the API can only be used with valid credentials and/or action_tokens.

When logging in, the flow would be this:
- WWW:/login submits email and password to API:/check_password. If the credentials are valid, API:/check_password will return an action_token and mfa_status (stands for Multi-factor authentication).
- If mfa_status is 0, that means MFA is not enabled. If mfa_status is 1, that means MFA is enabled.
- If (mfa_status === 1), then WWW:/login will call API:/check_otp and pass it the action_token received from API:/check_password as well as the OTP.
- If the OTP and action_token are valid, then API:/check_otp will return a new action_token.
- If (mfa_status === 0) or API:/check_otp returns a valid action_token, then WWW:/login will call API:/login and pass to it the email and action_token.

To me, this means the frontend does NOT need to save the password or OTP anywhere in its data stores (localstorage, indexeddb, etc). It also means it can immediately remove the action_token from its data stores.

QUESTIONS:

Many thanks for an interesting and thorough discussion!
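As an added example (not code from the original post), here is how the API side of this flow can enforce the poster's assumption instead of relying on it: each action_token is a random, single-use, server-side record that carries the email, an expiry and a stage ("needs_otp" after a password check for an MFA user, "ready" otherwise), and API:/login only accepts a "ready" token, so a malicious WWW:/login cannot skip API:/check_otp by replaying the token from API:/check_password. The endpoint names follow the question; the function names, the 120-second TTL, the PBKDF2 password hashing, the TOTP-based OTP check and the two sample users are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import struct
import time

ACTION_TOKEN_TTL = 120  # seconds an action_token stays valid between steps (assumed value)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed sample user store (hypothetical accounts, not real data).
# alice has MFA enabled (a TOTP seed is stored); bob has not.
_SALT_ALICE = b"constructed-salt-alice"
_SALT_BOB = b"constructed-salt-bob"
USERS = {
    "alice@example.test": {
        "salt": _SALT_ALICE,
        "pw": _hash_password("correct horse", _SALT_ALICE),
        "otp_secret": b"12345678901234567890",  # RFC 6238 test seed, used here as sample data
    },
    "bob@example.test": {
        "salt": _SALT_BOB,
        "pw": _hash_password("hunter2", _SALT_BOB),
        "otp_secret": None,
    },
}

# Server-side table of live action_tokens: token -> (email, stage, expires_at).
# The stage records how far a login has progressed; it is what lets the API
# refuse /login for an MFA user whose OTP was never checked.
ACTION_TOKENS = {}


def _now(now):
    return time.time() if now is None else now


def _issue_token(email, stage, now):
    token = secrets.token_urlsafe(32)
    ACTION_TOKENS[token] = (email, stage, now + ACTION_TOKEN_TTL)
    return token


def _consume_token(token, email, expected_stage, now):
    """Single use: the token is deleted whether or not the check passes."""
    entry = ACTION_TOKENS.pop(token, None)
    if entry is None:
        return False
    tok_email, stage, expires_at = entry
    return tok_email == email and stage == expected_stage and now <= expires_at


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def check_password(email, password, now=None):
    """API:/check_password"""
    now = _now(now)
    user = USERS.get(email)
    if user is None:
        _hash_password(password, b"dummy-salt")  # keep timing similar for unknown users
        return {"error": "invalid_credentials"}
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw"]):
        return {"error": "invalid_credentials"}
    mfa_status = 1 if user["otp_secret"] else 0
    stage = "needs_otp" if mfa_status else "ready"
    return {"action_token": _issue_token(email, stage, now), "mfa_status": mfa_status}


def check_otp(email, action_token, otp, now=None):
    """API:/check_otp: only reachable with a 'needs_otp' token from check_password."""
    now = _now(now)
    if not _consume_token(action_token, email, "needs_otp", now):
        return {"error": "invalid_action_token"}
    secret = USERS[email]["otp_secret"]  # a needs_otp token only exists for MFA users
    if not hmac.compare_digest(totp(secret, now), str(otp)):
        # A wrong OTP also burns the token, so the password step must be repeated.
        return {"error": "invalid_otp"}
    return {"action_token": _issue_token(email, "ready", now)}


def login(email, action_token, now=None):
    """API:/login: only a 'ready' token mints the session cookie."""
    now = _now(now)
    if not _consume_token(action_token, email, "ready", now):
        return {"error": "invalid_action_token"}
    return {"session_cookie": secrets.token_urlsafe(32)}
```

Two design choices worth noting: the token is popped from the table before any check, so every token is single-use and a wrong OTP sends the user back to the password step (which also caps OTP guessing at one attempt per password check), and the email is bound into the token record so a token issued for one account cannot be presented with another account's email.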
Your pattern directly maps to OAuth2, why would you not use a tried-and-true security pattern like OAuth2? You are trying to rebuild it for some reason... your action_token is the same as the OAuth access token.

Also, you will need to keep your access token for subsequent calls to protected resources (you know like OAuth does)...

All you are doing is making more work for yourself by not either using an out-of-the-box OAuth library, or obfuscating the process to make the next person to update this code cranky with you.