
How should I store a single use username and password for an Angular app without a login page?

I will be creating an Angular app that will make calls to a DotNet Core API I have created. Because the API itself calls a third-party API which needs to be secured with an API key, I want to secure my API so that no one else can call my API without authorisation.

To this end, I thought I could just have a single-use username and password that the Angular app would append to each call it made to my API, i.e. there will not be a login page.

What is the recommended way of achieving this? I do not yet know where (or if) I will host this publicly, but I may deploy it in Azure in some fashion eventually.

Options seem to be:

  1. Storing the username and password in web.config and then possibly encrypting the file (I'm actually not sure whether I'll eventually decide that having a plaintext web.config file is fine or not, but I'd just like options for now) - see https://www.infoq.com/articles/Secure-web.config . However, I'm not sure how I'd decrypt this in Angular.

  2. Encrypt and decrypt an environment file that Angular will use - see https://medium.com/nontechcompany/secure-angular-configuration-credentials-in-containerized-environment-as-of-2021-a7f36ed676ed and linked articles https://betterprogramming.pub/how-to-secure-angular-environment-variables-for-use-in-github-actions-39c07587d590 and https://javascript.plainenglish.io/setup-dotenv-to-access-environment-variables-in-angular-9-f06c6ffb86c0 , though these seem to be for "containerized" deployments, and I'm not 100% sure I understand how they work just yet.

I would recommend generating a signed JWT token from your API on the initial user login.

As you said, you have a custom API between the client and the third party API so why keep the sensible data client side?

If you need to use the plain text username/password server side, you can still hash / decode the JWT token and retrieve the user info to interface with the third party API.

That way you don't have to store any user credentials / sensible data client side and expose it in client API calls; you'll only have to deal with a token you can store in a cookie or localStorage.

✌️
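The arrangement the answer describes, as an added example (not code from the question or answer): an ASP.NET Core minimal API that issues a short-lived JWT on a one-time login and keeps both the signing key and the third-party API key in server-side configuration, so the Angular bundle never contains a secret. It assumes the `Microsoft.AspNetCore.Authentication.JwtBearer` package, placeholder configuration keys (`Jwt:SigningKey`, `ThirdParty:ApiKey`, `App:User`, `App:PasswordHash`) and an invented third-party URL and header name.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Identity;
using Microsoft.IdentityModel.Tokens;
var builder = WebApplication.CreateBuilder(args);
// All secrets come from server-side configuration (user-secrets, environment variables
// or Azure Key Vault); none of them is ever shipped inside the Angular bundle.
var cfg = builder.Configuration;
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(cfg["Jwt:SigningKey"]!)); // placeholder; >= 32 random bytes
var thirdPartyApiKey = cfg["ThirdParty:ApiKey"]!;        // placeholder key name
var appUser = cfg["App:User"]!;                          // placeholder key name
var appPasswordHash = cfg["App:PasswordHash"]!;          // hash produced by PasswordHasher, not a plaintext password

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o => o.TokenValidationParameters = new TokenValidationParameters
    {
        ValidIssuer = "my-api", ValidAudience = "angular-app", IssuerSigningKey = signingKey
    });
builder.Services.AddAuthorization();
builder.Services.AddHttpClient();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// One-time login: Angular posts credentials once, receives a short-lived signed token and
// sends only that token ("Authorization: Bearer ...") on every later call.
app.MapPost("/auth/login", (LoginRequest req) =>
{
    var verdict = new PasswordHasher<string>().VerifyHashedPassword(appUser, appPasswordHash, req.Password);
    if (req.Username != appUser || verdict == PasswordVerificationResult.Failed) return Results.Unauthorized();
    var jwt = new JwtSecurityToken(issuer: "my-api", audience: "angular-app",
        claims: new[] { new Claim(ClaimTypes.Name, req.Username) },
        expires: DateTime.UtcNow.AddMinutes(30),
        signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));
    return Results.Ok(new { token = new JwtSecurityTokenHandler().WriteToken(jwt) });
});

// Proxy: only requests carrying a valid bearer token reach this handler, and only this
// server ever attaches the third-party API key to the outbound request.
app.MapGet("/api/data", async (IHttpClientFactory factory) =>
{
    var client = factory.CreateClient();
    client.DefaultRequestHeaders.Add("X-Api-Key", thirdPartyApiKey); // header name is an assumption
    return Results.Content(await client.GetStringAsync("https://third-party.example/resource"));
}).RequireAuthorization();
app.Run();
record LoginRequest(string Username, string Password);
```

Anything placed in the Angular `environment.ts` file, encrypted or not, is still downloadable by every visitor together with the code that decrypts it, which is why the secrets above live only on the API side.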
