在 Next.js next-auth 的会话中保存 jwt accessToken 是否安全? 然后使用 useSession 钩子在客户端访问它?
[英]Is it safe to save jwt accessToken on session in Next.js next-auth? Then using useSession hook to access it on client side?
问题描述
I'm using next-auth for authentication and using the Credentials provider for logging in, my API returns an object containing an accessToken like this object:
我使用 next-auth 进行身份验证并使用 Credentials 提供程序进行登录,我的 API 返回一个包含 accessToken 的对象,如下所示:
{ "token" : "UzI1NiIsInR5cCI..." } , { "token" : "UzI1NiIsInR5cCI..." } ,
And I'm returning a similar object containing the token in authorize property of CredentialsProviders while my session callback looks like this:我正在返回一个类似的对象,其中包含CredentialsProviders的authorize属性中的令牌,而我的session回调如下所示:
session({ session, token }) {
session.data = {
...session.user,
...token.user,
};
session.accessToken = token.accessToken;
return session;
}
And I use the useSession hook in my client code like this:我在我的客户端代码中使用了useSession钩子,如下所示:
const { data: session, status } = useSession();
to access the user's token to make API requests.访问用户的令牌以发出 API 请求。 Is this safe?这安全吗? Or is there another ways to achieve this?还是有其他方法可以实现这一目标? Keep in mind that this application is gonna be fully client side rendered despite the fact that I'm using Next.js, so keep that in mind.请记住,尽管我使用的是 Next.js,但该应用程序将完全在客户端呈现,因此请记住这一点。 I'm asking this because most of the docs of Next.js is SSR focused.我问这个是因为 Next.js 的大多数文档都以 SSR 为重点。
1 个解决方案
解决方案1
3 2022-05-30 09:36:46
Quite often, we use localStorage to store the token after authorization, of course, since localStorage is the browser api, this means that we store the token on the client, which is actually similar to your case.很多时候,我们在授权后使用localStorage来存储token,当然,由于localStorage是浏览器的api,这意味着我们将token存储在客户端,实际上和你的情况类似。 I don't see much of a security issue with this, although it does make the token vulnerable to XSS attacks, so cookies are considered a safer way to store the token, since it can't be retrieved from the script side (if you set the http-only cookie option).我没有看到太多的安全问题,尽管它确实使令牌容易受到 XSS 攻击,因此 cookie 被认为是存储令牌的更安全方式,因为它无法从脚本端检索(如果你设置 http-only cookie 选项)。
If you're worried, you can put the token in cookies to be sure.如果您担心,可以将令牌放入 cookie 中以确保确定。 Although even so, the way to use this token for malicious purposes.尽管如此,使用此令牌进行恶意目的的方式。 The best way is to protect yourself from XSS attacks and then there will be nothing to worry about, react (well, including next) out of the box has good protection mechanisms.最好的方法是保护自己免受 XSS 攻击,然后就没有什么可担心的了,开箱即用的反应(嗯,包括下一个)具有良好的保护机制。
In general, since we are talking about an access token, this is the thing that identifies the user and this should not be a problem for you to use it into the client, you should be more careful with the secrets of the application, such as the secret that is used to encrypt the token, then there will be security problems if you give access to it by client.一般来说,由于我们谈论的是访问令牌,这是识别用户的东西,这对您在客户端中使用它应该不是问题,您应该更加小心应用程序的秘密,例如用于加密令牌的密钥,如果您授予客户端访问权限,则会出现安全问题。
If you still don't want to use a token on the client side, which you probably don't need, you can use getSession on the server side for authorized requests with nextjs and proxy your requests through next to backend, using next as api is also a common practice.如果您仍然不想在客户端使用令牌,您可能不需要,您可以在服务器端使用getSession使用 nextjs 进行授权请求,并通过 next 到后端代理您的请求,使用 next 作为 api也是一种常见的做法。
To summarize, since you are using the next-auth library, you have nothing to worry about, since it takes care of most of the security concerns.总而言之,由于您使用的是 next-auth 库,因此您无需担心,因为它可以解决大多数安全问题。 https://next-auth.js.org/getting-started/introduction#secure-by-default https://next-auth.js.org/getting-started/introduction#secure-by-default
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.