How to control and secure a Blazor SPA PWA app?
I have a PWA Blazor .NET 5 app hosted on GitHub. People use this app at work, installed through Chrome, Firefox or Safari on their devices. It works offline and updates the cache if I change service worker.js and publish it. And all is fine. But how can I manage access to it, since it has to work offline? When an employee resigns from work, how can I remotely delete this app on only his devices?
If you're stuck with the PWA offline approach (which, let's be honest, isn't great for security), then the best you can do is encrypt your local storage with a token that's masked only with Blazor's built-in obfuscation.
Ideally, you would be able to at least require an externally hosted identity login when using the app, but if you are truly offline, then obfuscation of an encryption token is the best you can do (if you are stuck with the PWA template).
If you know your users are using Windows, you could augment the PWA with a Windows service that provides rotating encryption tokens via encrypted assemblies, but that would assume you would be willing/able to do installs of Windows services on each user machine, and it wouldn't keep the user out of the app.
Hopefully, you didn't locally store any health/financial info or social security numbers, and you encrypted the local store with an obfuscated token.
Another thing you could do is require logins with an IdP server at regular intervals. This would at least keep the window of exposure smaller. You would still be able to work offline most of the time.
I would try the following:
A PWA without a local cache is useless; you can delete the local cache if validation fails.
Uninstalling the PWA is not possible from the app.
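The "delete the local cache if validation fails" idea from the second answer and the "logins at regular intervals" idea from the first, as an added JavaScript example that is not part of either answer: when the device is online the app asks an assumed /api/session/validate endpoint whether the stored session is still valid and wipes the PWA's caches, localStorage and service worker registration if it has been revoked; when offline it keeps working only inside an assumed 7-day grace window. The session record shape, the endpoint and the grace period are assumptions.

```javascript
// Added example (not from the question or answers): offline access policy for a Blazor PWA.
// Assumes the app stores {token, lastValidatedMs} in localStorage under "session" after an IdP
// login, and a hypothetical /api/session/validate endpoint that answers 401/403 once revoked.
const MAX_OFFLINE_MS = 7 * 24 * 60 * 60 * 1000; // assumed grace period for working offline

// Pure policy. onlineVerdict is 'valid', 'revoked' or 'unknown' (offline / server unreachable).
function decideAccess(session, nowMs, onlineVerdict) {
  if (!session || typeof session.lastValidatedMs !== 'number') return 'login';
  if (onlineVerdict === 'revoked') return 'wipe';
  if (onlineVerdict === 'valid') return 'allow';
  return nowMs - session.lastValidatedMs > MAX_OFFLINE_MS ? 'login' : 'allow'; // offline grace window
}

// Ask the backend whether the session is still live. A network error is not a revocation.
async function checkSessionOnline(fetchFn, session) {
  try {
    const res = await fetchFn('/api/session/validate', {
      headers: { Authorization: `Bearer ${session.token}` },
    });
    if (res.status === 401 || res.status === 403) return 'revoked';
    return res.ok ? 'valid' : 'unknown';
  } catch {
    return 'unknown';
  }
}

// Remove what the PWA keeps on the device: Cache Storage, localStorage, service worker registration.
async function wipeLocalData(env) {
  const names = await env.caches.keys();
  await Promise.all(names.map((name) => env.caches.delete(name)));
  env.localStorage.clear();
  const regs = await env.navigator.serviceWorker.getRegistrations();
  await Promise.all(regs.map((reg) => reg.unregister()));
  return names.length;
}

// Run on app start and periodically; env is window in the browser. Returns the UI action.
async function enforceAccess(env, nowMs) {
  const session = JSON.parse(env.localStorage.getItem('session') || 'null');
  const verdict = session ? await checkSessionOnline(env.fetch, session) : 'unknown';
  const action = decideAccess(session, nowMs, verdict);
  if (verdict === 'valid') {
    // A successful online check renews the offline grace window.
    env.localStorage.setItem('session', JSON.stringify({ ...session, lastValidatedMs: nowMs }));
  } else if (action === 'wipe') {
    await wipeLocalData(env);
  }
  return action;
}
```

A device that never reconnects never receives the revocation, so the grace window, not the wipe, bounds the exposure. The local store should still be encrypted as the first answer describes, since this only removes data when the app itself runs.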