
How to implement security in a REST API developed using Node.js?

I want to design a SPA which will have a frontend (React) and a backend REST API (Node.js, Express, MongoDB). I am planning to have Single Sign-On in my application, where users would be authenticating using MS Azure AD: a call would go to Azure AD from the frontend, and in return I will get a token for that user which will be stored locally. After that, I want to call my REST API for multiple GET, POST and PUT operations in the context of the current user logged in on the UI. I am planning to deploy both frontend and backend on different servers, so here I have two questions about securing my REST API.

  1. CORS implementation
  2. User authentication on the BE

Given the above requirements, is it enough to have just CORS implemented, or do I need to authenticate the user again on the BE?

Can somebody provide some best practices or experiences? Is something lacking in my "architecture"?

CORS will not perform any user authentication. You need CORS only when your client code is served from another domain than the backend you are talking to. If it is the same server that hosts the static client files and the backend REST endpoints, you don't need CORS. If you are unsure, then don't consider CORS at all and see if it works.

But you need authentication to know which user is which.

While CORS is definitely a consideration, it isn't Authentication (AuthN) or Authorization (AuthZ), which you need. Depending on the number of users your application will have and how the back end will scale, you might want to look at OAuth 2.0 or stick with simpler session-based auth, but you will need something.

CORS on your back end will limit whether a browser running an app on a domain other than yours can call your web services (it won't stop API requests from other tools).

AuthN - You're not logged in - go get logged in and come back to me.

AuthZ - Controls what your users can and can't do. You might want to enforce this at the resource level, but you absolutely need to within your business logic.

Further reading: https://auth0.com/docs/authorization/concepts/authz-and-authn

Philippe from Pragmatic Web Security has a free online course to get you started: https://pragmaticwebsecurity.com/courses/introduction-oauth-oidc.html It's very well paced and should give you some foundational knowledge. (It might let you write off OAuth for this use case, but give it a go.)
