[英]How can I verify login using google api, oauth?
I want to use google oauth api to log in to the site which I create.我想使用谷歌 oauth api 登录到我创建的网站。
I use react
and node
and I'm done with getting current access_token issued but I'm not sure how to know if the user is logged in.我使用
react
和node
并且我已经完成了获取当前 access_token 的发布,但我不确定如何知道用户是否已登录。
Should I check the user's access_token every time the user calls the api of my site?每次用户调用我站点的 api 时,我应该检查用户的 access_token 吗?
If that's correct, should the access_token be held by the client?如果这是正确的,那么 access_token 是否应该由客户端持有?
Isn't that a security issue?这不是安全问题吗?
I did a lot of searching but I don't know how to manage access_token and how to check if user is logged in.我做了很多搜索,但我不知道如何管理 access_token 以及如何检查用户是否登录。
Should I check the user's access_token every time the user calls the api of my site?
每次用户调用我站点的 api 时,我应该检查用户的 access_token 吗?
Yes.是的。 The only ones you will not check will the public ones.
唯一不会检查的将是公共的。
If that's correct, should the access_token be held by the client?
如果这是正确的,那么 access_token 是否应该由客户端持有?
Yes, it can be stored in cookies, local storage... Is is debatable which is the best solutions, you can articles such as this one是的,它可以存储在 cookies 中,本地存储......这是有争议的哪个是最好的解决方案,你可以这样的文章
Isn't that a security issue?
这不是安全问题吗?
No. Anybody can check the content of a JWT token (just paste the content here ).不会。任何人都可以查看 JWT 令牌的内容(只需将内容粘贴到此处)。 But the neat thing is that it can't be modified or manipulated.
但巧妙的是,它不能被修改或操纵。 Of course, it is advisable to keep it as safe as a password, so don't share it around:)
当然,最好把它和密码一样安全,所以不要到处分享:)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.