
Is CASL React library safe for authorization?

I came across the CASL JavaScript library, which restricts what resources a given client is allowed to access.

My question is whether it can be used for role-based access in a React app in a secure way.

And whether a user can tamper with the permissions and gain unauthorized access if it is used only in the front end to display/hide components, as shown in the following React code:

import React, { useContext } from 'react';
import { AbilityContext } from './Can';

export default () => {
  const createTodo = () => { /* logic to show new todo form */ };
  // Ability instance provided higher up the tree via AbilityContext
  const ability = useContext(AbilityContext);

  return (
    <div>
      {/* Button is rendered only when the ability allows creating a Todo */}
      {ability.can('create', 'Todo') &&
        <button onClick={createTodo}>Create Todo</button>}
    </div>
  );
};

Reference: https://casl.js.org/v5/en/package/casl-react

Tbh, users can always gain access from the frontend side by modifying some JavaScript code, and that is why you must handle the authorization from the backend.

About your question for CASL: it only checks if you have the ability to see this page or button or do specific actions... so the place where you save user abilities is your responsibility, not CASL's responsibility.

Any code for the client (especially browsers) is publicly available to the user/guest and it can be easily tampered with. Any view/front-end library/framework that is used to make the user interface dynamic has to be used only for making it dynamic, not for adding security measures or critical logic. Just like your client code can communicate with an API, any other client may also communicate with it as well (if not, the client code can easily be tampered with).

The CASL library for React is used only to make the UI dynamic, to be able to hide unnecessary functionality. It has zero effect on securing the application. Anyone who inspects the code can see the "hidden" UI and, by changing a few variables, they can access any functionality. So no, CASL or similar libraries cannot make your application secure; they may even give you a false sense of security.

You should secure your application on the API level. Anything unnecessary should be hidden from the currently authenticated user or non-authenticated user (guests). As long as your API endpoints are secure, the fact that anyone can tamper with the client code does not create any security risk (as long as security risks like XSS and CSRF are eliminated and the client code does not give much information about the intricacies of the critical logic at the API level).

Libraries like CASL should only be used to improve the user interface, thus improving the user experience. If not used, let's say the admin dashboard is visible to any user, but they wouldn't be able to see any data or do any action because the API endpoint won't allow them (authorization on the API level); that would create confusion for users, as they may think this functionality is necessary for them to use your application but somehow there is a problem, or it may signal that their account/data may not be safe as well.
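Both answers above make the same point: the `ability.can('create', 'Todo')` check in the question's component only decides what the browser draws, and the API must repeat the decision on its own. The following is an added example, not code from the question or from CASL itself, showing a request handler that trusts a permission flag computed in the browser next to one that re-derives the ability from the server-side session. The role table, user store, request shape (`{ session: { userId }, body }`) and the small `can` evaluator are all constructed here; in a real service `can` would be `@casl/ability`, which runs in Node as well as in the browser, so the same rule set can feed both the React UI and the API.

```javascript
// Added example: server-side enforcement of the same can(action, subject) idea
// that the React component uses for display. Everything below is constructed
// for illustration; it is not CASL's code or the question's code.

// Rules per role in the action/subject shape CASL uses. 'manage' and 'all'
// are treated as wildcards, mirroring CASL's semantics.
const ROLE_RULES = {
  admin: [{ action: 'manage', subject: 'all' }],
  editor: [
    { action: 'create', subject: 'Todo' },
    { action: 'read', subject: 'Todo' },
  ],
  viewer: [{ action: 'read', subject: 'Todo' }],
};

// Constructed server-side user store. The role lives here, tied to the
// authenticated session, and is never read from the request body.
const USERS = {
  'user-viewer': { role: 'viewer' },
  'user-editor': { role: 'editor' },
};

// Minimal evaluator standing in for @casl/ability's ability.can().
function can(rules, action, subject) {
  return rules.some(
    (rule) =>
      (rule.action === 'manage' || rule.action === action) &&
      (rule.subject === 'all' || rule.subject === subject),
  );
}

// Rules the server hands to the browser so the React UI can hide buttons the
// user cannot use. This is purely a UX hint; nothing depends on the client
// keeping it intact.
function rulesForClient(userId) {
  const user = USERS[userId];
  return user ? ROLE_RULES[user.role] : [];
}

// INSECURE: believes a flag the browser computed (or that the user edited in
// devtools). This is the mistake the answers warn about.
function createTodoInsecure(req) {
  if (!req.body.canCreate) return { status: 403 };
  return { status: 201, body: { title: req.body.title } };
}

// SECURE: authorization is re-derived from the authenticated identity on every
// request, so whatever the client sends about its own permissions is ignored.
function createTodoSecure(req) {
  const userId = req.session && req.session.userId;
  const user = USERS[userId];
  if (!user) return { status: 401 };
  if (!can(ROLE_RULES[user.role], 'create', 'Todo')) return { status: 403 };
  return { status: 201, body: { title: req.body.title } };
}

// A viewer whose browser-side ability was edited to claim create rights: the
// insecure handler obeys the flag, the secure one refuses.
const tampered = {
  session: { userId: 'user-viewer' },
  body: { title: 'x', canCreate: true },
};
console.log(createTodoInsecure(tampered).status, createTodoSecure(tampered).status); // 201 403
```

The design point is where the rules come from: `rulesForClient` and `createTodoSecure` read the same server-side table, so the UI and the API never disagree, but only the API's call to `can` is load-bearing.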
