
Rails gem devise_token_auth: headers in web console are enough to access the API, why?

I am learning how to implement security in my Rails 5 API. I'm developing an Angular app to consume the API, and to do this I'm implementing the devise_token_auth gem. In my tests in Postman I can sign up with email and password, then I receive a response with a token (with expiry), data, content-type, client, and uid. Then I test this from Angular and sign up from my browser, and in the web console I can see all the information that is necessary to access the API from another application.

The Devise method authenticate_user needs the parameters content-type, access-token, client, expiry, and uid, but everybody could access this information if they take a look at the response in the web console, so then... I pick this information, paste it into a Postman request, and I can access my protected endpoint. So how would this gem be useful? Am I missing something?

Here I sign in from Angular and check the response in the web console:

[screenshot]

Then I paste the info into a new request in Postman to access the protected endpoint:

[screenshot]

And the access is successful. How do I prevent the header information from being displayed in the web console?

But everybody could access this information if they take a look at the response in the web console

Am I missing something?

Yes. "Everybody" would only be able to see their own token (excluding things like sniffing HTTP. You will be using TLS, right?). With their token, users can do what they please, and there's little you can do about it.

But they can't see other users' tokens this way.

This is how the internet works. You log in and send information to the server. The server then responds with a secret token that you can use next time instead of the username and password. With that secret token you perform subsequent requests, rather than with your username and password.

Regarding your concerns about 'everybody' seeing it: this is why you need SSL encryption. This ensures that someone else cannot read the username and password you sent, or the token you received. Without SSL, anyone on your network or on the route to the server can indeed read it.
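To make the answer's point concrete, here is an added, self-contained Ruby simulation of the sign-in / token-replay flow the question describes. It is not devise_token_auth's own code; it models the same four headers (access-token, client, expiry, uid) with an in-memory user table and a constructed pair of accounts, and stands in SHA-256 from the standard library where the real gem stores BCrypt hashes of the token. The names sign_in, authenticate, USERS and TOKEN_LIFETIME are assumptions made for this example. It shows why seeing the headers in your own browser console is not a leak: the headers identify exactly one user, they cannot be transplanted onto another uid, and they stop working once the expiry passes.

```ruby
require 'securerandom'
require 'digest'

# Constructed in-memory "database": uid (email) => plaintext password (for the demo only)
# and a per-client map of token hashes, as devise_token_auth keeps per-device tokens.
USERS = {
  'alice@example.com' => { password: 'correct horse', tokens: {} },
  'bob@example.com'   => { password: 'battery staple', tokens: {} }
}

# Two weeks, matching the gem's default token_lifespan (assumed constant name).
TOKEN_LIFETIME = 2 * 7 * 24 * 3600

# The server never stores the raw token, only a hash of it (the real gem uses BCrypt;
# SHA-256 stands in here so the example runs with the standard library alone).
def hash_token(token)
  Digest::SHA256.hexdigest(token)
end

# Constant-time comparison so an attacker cannot time their way to a valid token hash.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Sign in: verify the password once, mint a random token bound to a new client id,
# persist only the token's hash, and hand the client the headers it must replay.
# These headers are exactly what shows up in the browser's web console.
def sign_in(email, password, now: Time.now.to_i)
  user = USERS[email]
  return nil unless user && secure_compare(user[:password], password)

  token  = SecureRandom.urlsafe_base64(32)
  client = SecureRandom.urlsafe_base64(16)
  expiry = now + TOKEN_LIFETIME
  user[:tokens][client] = { hash: hash_token(token), expiry: expiry }

  { 'access-token' => token, 'client' => client,
    'expiry' => expiry.to_s, 'uid' => email }
end

# Protected-endpoint check (what authenticate_user does in spirit): the replayed headers
# identify one user, for one client, until expiry. Returns the uid on success, nil otherwise.
def authenticate(headers, now: Time.now.to_i)
  user = USERS[headers['uid']]
  return nil unless user
  record = user[:tokens][headers['client']]
  return nil unless record
  return nil if now >= record[:expiry]
  return nil unless secure_compare(hash_token(headers['access-token'].to_s), record[:hash])
  headers['uid']
end

# Sign out: drop this client's token so a copied header set stops working immediately.
def sign_out(headers)
  user = USERS[headers['uid']]
  return false unless user
  !user[:tokens].delete(headers['client']).nil?
end

if $PROGRAM_NAME == __FILE__
  t0 = 1_000_000
  alice = sign_in('alice@example.com', 'correct horse', now: t0)
  puts "Alice's own headers work: #{authenticate(alice, now: t0 + 1).inspect}"
  stolen = alice.merge('uid' => 'bob@example.com')
  puts "Same headers with Bob's uid: #{authenticate(stolen, now: t0 + 1).inspect}"
  puts "After expiry: #{authenticate(alice, now: t0 + TOKEN_LIFETIME).inspect}"
  sign_out(alice)
  puts "After sign-out: #{authenticate(alice, now: t0 + 1).inspect}"
end
```

The only way a second person obtains a working header set is to read it off the wire or off the victim's machine, which is the TLS point the answer makes; the server side of the gem cannot tell a legitimate replay from Postman apart from one from the browser, and is not meant to.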

