我是Angular的新手,我正在尝试构建我的第一个Angular应用程序,目前我不知道将用户数据存储在localStorage中是否安全,如果不安全,我应该怎么做才能保存它?我正在使用cookie会话。
这是我的后端代码的工作方式(此处仅“身份验证和授权”部分:]]
const express = require('express'); const session = require('cookie-session'); const crypt = require('bcryptjs'); const config = require('../config'); const router = express.Router(); const users = require('../models/users'); const app = express(); app.use(session({ name: 'session', keys: config.keys, secret: config.sessionkey, cookie: { secure: false, httpOnly: true, path: 'cookie', expires: new Date(Date.now() + 60 * 60 * 1000 * 24 * 365) } })); router.get('/', (req,res)=>{ if(isAuthenticated(req)){ res.send(req.session.user); } else { res.send({"message":"Authenticate first."}); } }); router.post("/login", (req, res) => { const email = req.body.email; const userpass = req.body.userpass; users.findUserByEmail(email,function(user){ if(crypt.compareSync(userpass,user[0].userpass)){ req.session.user = user; res.send(user); } }); }); router.post("/logout", (req,res)=> { req.session = null; res.redirect("/"); }); router.post("/register", (req, res) => { var user = { "username": req.body.username, "userpass": crypt.hashSync(req.body.userpass, 10) , "email": req.body.email, "birthDate": req.body.birthDate }; users.createUser(user,(err)=>{ if(!err){ res.send({ "message":"Login" }); } else { res.send({ "message":"Something went wrong during registration please retry." }); } }); }); router.post("/unregister", isAuthenticated, (req, res) => { var email = req.body.email; if(isAuthenticated(req)){ users.findUserByEmail(email,function(user){ if(req.session.user == user){ if(crypt.compareSync(req.body.userpass,user[0].userpass)){ req.session = null; users.deleteUserByEmail(email,function(err){ if(err){ res.send({ "message":"Something went wrong while deleting the user please retry." }); } else { res.send({ "message":"User deleted successfully" }); } }); } } }); } else { res.send({ "message":"Authenticat first." }); } }); function isAuthenticated(req){ return req.session.user != null; } module.exports.app = app; module.exports.Router = router; module.exports.isAuthenticated = isAuthenticated;
如您所见,当用户正确登录时,我只是将存储在数据库中的用户数据按原样发送给他(显然没有userpass,所以我应该怎么做才能在安全侧进行安全会话?
我是Angular的新手,我正在尝试构建我的第一个Angular应用程序,目前我不知道将用户数据存储在localStorage中是否安全,如果不安全,我应该怎么做进行保存。 ..
是的,您可以在本地存储中存储jwt令牌,不建议在其中存储任何其他数据,请不要在本地存储中存储任何用户标识。如规范所述,jwt可以是用于进行身份验证(非常确定发送方是谁)的工具,而不是用于授权(允许授予人访问权限)的工具,因为令牌可能会被中间的人模仿。