在哪里安全地存储用于来自 Monzo 银行 api 请求的 api 请求的访问令牌
[英]Where to securely store an access token used for api requests from the Monzo bank api
问题描述
I am working on a finance app using the Monzo bank api, and the auth process ends in receiving an access_token from the Monzo api: https://docs.monzo.com/#acquire-an-access-token
我正在使用 Monzo 银行 api 开发一个金融应用程序,并且身份验证过程以从 Monzo api 接收access_token结束: Z5E056C500A1C4B6A7110B50D80/ #acquireken-an.com.
I have got to this point, and received the token which I need to use to make all future api requests to retrieve my financial data, but I am really unsure how to securely store this token.我已经到了这一点,并收到了我需要用来发出所有未来 api 请求以检索我的财务数据的令牌,但我真的不确定如何安全地存储这个令牌。
Localstorage is not secure, so where could I store it so it can't be read from the client side? Localstorage 不安全,那么我可以将它存储在哪里,以便无法从客户端读取?
This is within a React app using Firebase as the database.这是在使用 Firebase 作为数据库的 React 应用程序中。
Many thanks非常感谢
2 个解决方案
解决方案1
1 2019-11-21 10:55:44
You can use HTTPonly or Secure Cookies to store the token您可以使用 HTTPonly 或 Secure Cookies 来存储令牌
To Setup Cookies with reactJS there is a package要设置 Cookies 和 reactJS 有一个 package
https://www.npmjs.com/package/react-cookie https://www.npmjs.com/package/react-cookie
解决方案2
1 已采纳 2019-11-21 14:27:14
If you have an API key that must be kept secret from the users of your app, you'll want to keep that API key on the server, and only expose the specific functionality to that user that they're allowed to use.如果您有一个 API 密钥必须对您的应用程序的用户保密,您需要将该 API 密钥保留在服务器上,并且只向该用户公开他们被允许使用的特定功能。
My preferred way to write such a server-side endpoint/API is by using Cloud Functions for Firebase .我编写这种服务器端端点/API 的首选方法是使用Cloud Functions for Firebase 。 If you want to get started with that, I recommend taking this codelab .如果您想开始使用,我建议您参加这个codelab 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.