
How to control and secure blazor spa pwa app?

I have a PWA Blazor .NET 5 app hosted on GitHub. People use this app at work, installed through Chrome or Firefox or Safari on their devices. It works offline and updates the cache if I change service worker.js and publish it. And all is fine. But how can I manage access for it, since it has to work offline? When some employee resigns from work, how can I remotely delete this app on only his devices?

If you're stuck with the PWA offline approach (which, let's be honest, isn't great for security), then the best you can do is encrypt your local storage with a token that's masked only with Blazor's built-in obfuscation.

Ideally, you would be able to at least require an externally hosted identity login when using the app, but if you are truly offline, then obfuscation of an encryption token is the best you can do (if you are stuck with the PWA template).

If you know your users are using Windows, you could augment the PWA with a Windows service that provides rotating encryption tokens via encrypted assemblies, but that would assume you would be willing/able to do installs of Windows services on each user machine, and it wouldn't keep the user out of the app.

Hopefully, you didn't locally store any health/financial info or social security numbers, and you encrypted the local store with an obfuscated token.

Another thing you could do is require logins with an IdP server at regular intervals. This would at least keep the window of exposure smaller. You would still be able to work offline most of the time.

I would try the following:

  1. On load of the app, check the connection to the server.
  2. Validate the employee status; if active, then store the active status check date and the next mandatory validation datetime in local storage.
  3. If not active, delete the data.
  4. If not connected, check local storage for the mandatory validation; if it has expired, then force a connection to the server.

A PWA without a local cache is useless; you can delete the local cache if validation fails.

Uninstalling the PWA is not possible from within the app.
