Login handling in Vue - Is checking the status code sufficient?

In a Vue app I have a login. With email and password I send a POST request against the Node Express backend. If email and password don't match I send back a 409 HTTP status code with the message "No access." In my POST fetch block I intercept the status code and check whether I didn't get a 200 status; if this is the case, I show an error message. If I have a 200 status code I put the JWT token into a cookie. This works, but to be honest I find the check for the status code too weak.

What approaches are there to check the login response? Are there other approaches? Thanks a lot!

    async submit() {
      try {
        const d = await fetch(config.apiUri + "sign-in", {
            method: 'POST',
            headers: {'Content-Type': 'application/json'},
            credentials: 'omit',
            body: JSON.stringify(this.data),
        });
        // The backend answers with JSON in both cases: a message on failure,
        // a token on success. A non-JSON body (e.g. a proxy error page)
        // makes json() throw and lands in the catch block below.
        const j = await d.json();

        // Anything other than 200 is treated as a failed login and the
        // server-supplied message is shown to the user.
        if (d.status !== 200) {
          this.errorMsg = j.message;
          console.log(this.errorMsg);
          return;
        }

        // Successful login: store the JWT and mark the session authenticated.
        accessHelper.setToken(j.token, this.mys);
        accessHelper.setAuth = true;
        this.$router.push("/");
      } catch (err) {
        // Network failure or an unparsable response body ends up here.
        console.log("Something went wrong", err);
      }
    }

For login use cases most of the "magic" happens on the server. That includes:

  • hashing and salting the password when it is stored and updated,
  • hashing and checking the received password during logins,
  • locking accounts after a certain number of failed logins,
  • and locking IPs after a certain number of failed logins.

After a successful login your server sends some kind of authentication information (in your case a JWT), which allows the frontend to access secured endpoints. The frontend can't really know more than the fact that the username/password combination was not correct. Therefore, it's fine to only check for the status code.

This OWASP Cheat Sheet contains some useful information with regard to authentication.

If you feel uncomfortable with handling logins you could think about using OAuth with e.g. GitHub and/or authentication services like Firebase Authentication.
