
Performing authorized (through facebook) REST requests to my node.js server on a PhoneGap app

Since this issue is about three technologies I'd like to quickly introduce each of them:

  • node.js: javascript on the server side (consider it my webserver)
  • PhoneGap: framework that allows me to write Android applications in HTML/Javascript/CSS.
  • facebook authentication: using everyauth to let my users login with their facebook account

The objective: I need my PhoneGap application to communicate with my server using a REST based protocol. Many of these requests may only be made when the user has logged in to my server, using their Facebook account. Thus, the user needs to login and then go to the logged-in state of the PhoneGap application.

The issue: When I set up everyauth for facebook I basically have an URL, like domain.com/auth/facebook, which will redirect to Facebook's login "popup". When the user then accepts the login, the server will know, and so far everything is good. The problem is that

  1. the user now has to be redirected to some external URL, while he should simply get back to the PhoneGap application (in a logged-in state)
  2. the PhoneGap app does not retrieve the authentication token, or whether authentication was successful or not, because the login process is done in the external URL domain.com/auth/facebook while the PhoneGap application's HTML is stored on and run from the phone itself

Cause of the issue: the reason this issue appears while it does not for a normal web application is that the PhoneGap application's HTML files are stored and run from the phone itself, while authentication goes through domain.com/auth/facebook, which is considered to be a different domain.

Suggested approach #1: a PhoneGap user has recommended that I use this Android-Facebook plugin for PhoneGap. The issue here is that the server does not act as an authentication middle-man. Thus, the user would have to inform the server of their authentication token instead of the normal approach where the server informs the user of a successful authentication procedure and the corresponding tokens. This seems like a severe vulnerability.

How should I tackle this issue?

With the ChildBrowser plug-in, a PhoneGap app can monitor location changes from the authentication site.

We used this approach to integrate a PhoneGap app with a node.js openid module.

I have implemented one solution for Twitter using jsOauth and ChildBrowser (tut./src here) for a PhoneGap / Android app. I know this doesn't include custom registration with a nodejs server; it allows access to Twitter REST only. AFAIK this is the only way to do it currently, that is, have the child browser check each new location to see if it's your app's return-to url, then intervene (close browser window) and go to your own app.

With the jsOauth library, the auth token key/secret are stored for you and sent with every request.

Re: security - No expertise here, but discussions conclude this kind of data on one's personal phone is no more at risk than everything else on the phone.

Tut. using the PhoneGap / Android Facebook plugin is next on my list. Thanks for the link to everyauth!
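Both answers above describe the same mechanism: let the server run the Facebook login, open it in ChildBrowser, watch each location change, and when the window reaches the app's own return-to URL, close it and read the result. The following is an added example written here, not code from the question, either answer, or the ChildBrowser project. It assumes the ChildBrowser interface (showWebPage(url), close(), an onLocationChange callback), a return-to URL at https://domain.com/auth/facebook/callback, and "token"/"state" query parameters set by the server; none of those specifics appear in the thread. The URL checks are kept in plain functions so they run in Node without PhoneGap, and a constructed fake browser drives them.

```javascript
// Added example, not code from the question or either answer: the
// ChildBrowser pattern both answers describe (watch each location change,
// recognise the app's return-to URL, close the window, read the result).
// The plugin's showWebPage(url), close() and onLocationChange callback are
// its interface; the return-to URL on domain.com, the "token" and "state"
// query parameters, and the fake browser are assumptions made here.

const RETURN_TO = {
  protocol: 'https:',
  host: 'domain.com',
  pathname: '/auth/facebook/callback',   // assumed path on the questioner's server
};

// Exact match on scheme, host and path. A substring test such as
// loc.indexOf('domain.com') !== -1 would also fire on
// https://domain.com.evil.example/... or https://evil.example/?r=domain.com,
// so a page the attacker controls would be treated as the login result.
function isReturnUrl(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch (e) { return false; }
  return u.protocol === RETURN_TO.protocol &&
         u.host === RETURN_TO.host &&
         u.pathname === RETURN_TO.pathname;
}

// Read what the server put in the return-to URL. The server completed the
// Facebook login, so the app only consumes the server's answer; it never
// sends the server a token it obtained on its own. `state` is a random
// value the app generated before opening the browser; refusing a callback
// whose state differs stops a URL planted by someone else from being
// accepted as this user's login.
function parseCallback(rawUrl, expectedState) {
  const params = new URL(rawUrl).searchParams;
  if (params.get('state') !== expectedState) {
    return { ok: false, error: 'state mismatch' };
  }
  if (params.get('error')) {
    return { ok: false, error: params.get('error') };
  }
  const token = params.get('token');
  if (!token) {
    return { ok: false, error: 'no token in callback' };
  }
  return { ok: true, token: token };
}

// Drive a ChildBrowser-like object. With the real plugin this would be
// window.plugins.childBrowser; injecting it lets the flow run outside PhoneGap.
function loginWithChildBrowser(browser, state, onDone) {
  let finished = false;
  browser.onLocationChange = function (loc) {
    if (finished || !isReturnUrl(loc)) return;  // Facebook's own pages: keep going
    finished = true;
    browser.close();                             // intervene: close the window
    onDone(parseCallback(loc, state));           // hand the result to the app
  };
  browser.showWebPage('https://domain.com/auth/facebook?state=' +
                      encodeURIComponent(state));
}

// Constructed stand-in for the plugin: "visits" a scripted list of URLs,
// calling onLocationChange for each one, the way the plugin does per page.
function fakeChildBrowser(visited) {
  const b = { closed: false, onLocationChange: null };
  b.showWebPage = function () {
    visited.forEach(function (u) { b.onLocationChange(u); });
  };
  b.close = function () { b.closed = true; };
  return b;
}

// Run the flow over a constructed navigation sequence: Facebook's dialog,
// a look-alike host that must be ignored, then the genuine callback.
function demo() {
  const outcome = {};
  const browser = fakeChildBrowser([
    'https://www.facebook.com/dialog/oauth?client_id=123',
    'https://domain.com.evil.example/auth/facebook/callback?token=bad&state=s1',
    'https://domain.com/auth/facebook/callback?token=abc123&state=s1',
  ]);
  loginWithChildBrowser(browser, 's1', function (r) { Object.assign(outcome, r); });
  return { ok: outcome.ok, token: outcome.token, closed: browser.closed };
}

console.log(demo());
```

The token the server returns this way is whatever the server chose to issue to the app (a session identifier is enough); the Facebook access token itself can stay on the server, which is the "server as middle-man" arrangement the question asks for.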
