
How to store each user's Access and Refresh Token (OAuth2) using Node.js

I'm building a browser-based web application that uses a Node server (with Express) and integrates with a third-party API using OAuth 2.0. My application does not have any authorization of its own and solely uses the authentication of the third-party software (the application is essentially an extension of this software). I've understood that I should store the Access Token and Refresh Token on the server for security, but how can I remember each user and use their correct token across multiple API calls from the user to the server? What is the best and most secure way?

There are many solutions to this particular problem:

  1. Storing the tokens in the regular database which you use for storing other data:
    PROs and CONs:
    A. Easy way to do as you don't have to install another DB.
    B. You need not study other databases and implementation logic.
    C. More CRUD load on the same database where your actual data is stored.
    D. Crashing at one side (because of any reason, like CRUD operation load, etc.) may cause a complete system down.

  2. Storing the tokens in a separate database server which you aren't using for storing any data:
    PROs and CONs:
    A. You have to install and monitor a separate database server for this particular task.
    B. You may have to read and study about this database to install and implement it in your application.
    C. CRUD operation load of this database doesn't impact your actual/main database.
    D. Crashing of one database doesn't impact another database.

These are some main implementation types and still there are many more, for example: creating a separate database in the same database server for authentication, storing all the tokens in both databases and using only the auth database (the secondary one for authentication) for fetching the user's tokens, etc.

What I prefer is...

  1. Having the main database for storing all application-related data.
  2. Creating a caching database (like Redis) to store tokens.
    In this way, I access the tokens in an easy and quick way (caching databases are much faster) and I can easily flush them whenever needed, either through code or through expiration time.

Hope this helps you today...
