且构网


Authentication method to use in ASP.NET Web API and AngularJS

Updated: 2023-02-17 11:36:29


The best way to do it is with token authentication. In summary it works like this:


  • A POST /api/login route on the server takes in a username + password, checks that they are valid against the database, then generates and returns a refresh token (which can just be a random string or GUID). The refresh token is also stored in the database next to the user, overwriting the previous refresh token.
  • A GET /api/access-token route on the server takes in a username + refresh token, checks that they match in the database, then generates and returns an access token.
  • Any other /api/* routes require a valid access token to be in the header of the request, otherwise they assume the user does not have a valid login.

The access token is a data object that has been encrypted using a secret key that only the server knows. It should contain the username, an expiry date (usually ~10mins from when the token was generated), and any permissions or misc data about the user. Because it is encrypted with a secret key, it cannot be forged by an attacker.

You will need to implement these routes on your server.

If you are using OWIN, here is how you can use the Microsoft.Owin.Security.OAuth NuGet package to do the encryption bit for you:

Have this:

using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(MyProject.Startup))]
namespace MyProject
{
    public class Startup
    {
        // Kept static so the login code can reach AccessTokenFormat and protect tickets
        // with the same key the bearer middleware uses to unprotect them.
        public static OAuthBearerAuthenticationOptions OAuthBearerOptions { get; private set; }

        public void Configuration(IAppBuilder app)
        {
            var config = new HttpConfiguration();

            // Middleware that reads "Authorization: Bearer <token>", unprotects it and
            // turns the ticket back into a ClaimsIdentity for the request.
            OAuthBearerOptions = new OAuthBearerAuthenticationOptions();
            app.UseOAuthBearerAuthentication(OAuthBearerOptions);

            // Configure Web API to use only bearer token authentication, ignoring any
            // cookie/forms identity the host (e.g. IIS) may already have established.
            config.SuppressDefaultHostAuthentication();
            config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

            app.UseWebApi(config);
        }
    }
}

Then, you can generate a ticket (which is the unencrypted access token) and encrypt it like this:

using System;
using System.Security.Claims;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

// The identity needs an authentication type: a ClaimsIdentity built without one has
// IsAuthenticated == false, so [Authorize] would reject an otherwise valid token.
var identity = new ClaimsIdentity(new[] {
    new Claim(ClaimTypes.Email, "users email"),
    // other business specific claims e.g. "IsAdmin"
}, OAuthDefaults.AuthenticationType);

// The ticket is the plaintext access token: identity plus expiry (~10 minutes).
var ticket = new AuthenticationTicket(identity, new AuthenticationProperties
{
    ExpiresUtc = DateTime.UtcNow.AddMinutes(10)
});

// Protect() encrypts and signs the ticket with the server's data-protection key;
// the bearer middleware registered in Startup uses the same format to read it back.
var accessToken = MyProject.Startup.OAuthBearerOptions.AccessTokenFormat.Protect(ticket);

In Angular you need to set up a way to log in, a way to get a new access token when it expires, and a way to pass the access token in the header of every API request. I recommend storing the refresh token and access token in local storage (or a cookie for old browsers), and using $httpProvider.interceptors.push to add an interceptor for every $http call. The interceptor can then add the access token to the header like this: config.headers['Authorization'] = 'Bearer ' + accessToken;

Define the interceptor in Angular:

angular.module('app').service('authenticationInterceptor', ['$q', function($q) {
    // Runs before every $http request: attach the stored access token as a bearer header.
    this.request = function(config) {
        // 'accessToken' is an assumed storage key; read a cookie instead on old browsers.
        var accessToken = window.localStorage.getItem('accessToken');
        if (accessToken) {
            config.headers = config.headers || {};
            config.headers['Authorization'] = 'Bearer ' + accessToken;
        }
        return config;
    };
}]);

Add it to $httpProvider:

angular.module('app').config(['$httpProvider', ($httpProvider: ng.IHttpProvider) => {
    $httpProvider.interceptors.push('authenticationInterceptor');
}]);
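The same client-side flow written without Angular, as an added example (not the original answer's code): log in, attach the bearer header, and when the server answers 401 because the access token has expired, fetch a new one with the refresh token and retry once. The `http(config)` and `storage` dependencies are injected (in a browser they would be $http and window.localStorage; here a constructed fake server and an in-memory storage stand in), and the route names, the user alice and the function names are assumptions.

```javascript
// Added example, not from the original answer. `http(config)` must resolve to
// { status, data }; `storage` must offer getItem/setItem/removeItem.
function createAuthClient({ http, storage }) {
  // Step 1: POST /api/login exchanges credentials for a refresh token.
  async function login(username, password) {
    const res = await http({ method: 'POST', url: '/api/login', data: { username, password } });
    if (res.status !== 200) throw new Error('login failed');
    storage.setItem('username', username);
    storage.setItem('refreshToken', res.data.refreshToken);
    storage.removeItem('accessToken');
  }

  function logout() {
    ['username', 'refreshToken', 'accessToken'].forEach((k) => storage.removeItem(k));
  }

  // Step 2: GET /api/access-token exchanges the refresh token for a fresh access token.
  // A rejected refresh token means the login is gone, so local state is cleared.
  async function refreshAccessToken() {
    const username = storage.getItem('username');
    const refreshToken = storage.getItem('refreshToken');
    if (!username || !refreshToken) return null;
    const res = await http({ method: 'GET', url: '/api/access-token', params: { username, refreshToken } });
    if (res.status !== 200) { logout(); return null; }
    storage.setItem('accessToken', res.data.accessToken);
    return res.data.accessToken;
  }

  // Step 3: what the $http interceptor does, plus recovery: attach the bearer header,
  // and if the server answers 401 (token expired) refresh once and retry the call.
  async function request(config) {
    let accessToken = storage.getItem('accessToken') || (await refreshAccessToken());
    if (!accessToken) throw new Error('login required');
    const withAuth = (token) => ({ ...config, headers: { ...(config.headers || {}), Authorization: 'Bearer ' + token } });
    let res = await http(withAuth(accessToken));
    if (res.status === 401) {
      accessToken = await refreshAccessToken();
      if (!accessToken) throw new Error('login required');
      res = await http(withAuth(accessToken));
    }
    return res;
  }

  return { login, logout, refreshAccessToken, request };
}

// Constructed fake of the three server routes so the client runs offline. Only the
// most recently issued access token is valid; expireAccessToken() simulates the
// ~10 minute expiry.
function makeFakeServer() {
  const refreshToken = 'constructed-refresh-token';
  let currentAccessToken = null;
  let issued = 0;
  const calls = [];
  return {
    calls,
    expireAccessToken() { currentAccessToken = null; },
    async http(config) {
      calls.push(config.method + ' ' + config.url);
      if (config.url === '/api/login') {
        const ok = config.data.username === 'alice' && config.data.password === 'secret';
        return ok ? { status: 200, data: { refreshToken } } : { status: 401 };
      }
      if (config.url === '/api/access-token') {
        const p = config.params;
        if (p.username !== 'alice' || p.refreshToken !== refreshToken) return { status: 401 };
        currentAccessToken = 'access-token-' + (++issued);
        return { status: 200, data: { accessToken: currentAccessToken } };
      }
      const auth = (config.headers || {}).Authorization;
      return currentAccessToken && auth === 'Bearer ' + currentAccessToken
        ? { status: 200, data: { user: 'alice' } } : { status: 401 };
    },
  };
}

function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, v), removeItem: (k) => m.delete(k) };
}

// Walk-through: login, first API call (needs an access token), expiry, second call (401 -> refresh -> retry).
async function runDemo() {
  const server = makeFakeServer();
  const client = createAuthClient({ http: server.http, storage: memoryStorage() });
  await client.login('alice', 'secret');
  const first = await client.request({ method: 'GET', url: '/api/profile' });
  server.expireAccessToken();
  const second = await client.request({ method: 'GET', url: '/api/profile' });
  return { firstStatus: first.status, secondStatus: second.status, calls: server.calls };
}
```

In AngularJS the header logic in `request` is what the interceptor's `request` hook above does; the 401 recovery belongs in the interceptor's `responseError` hook, which can refresh the token and return `$http(response.config)` through `$q` to retry the original call.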