Author: e我爱你很多 | Source: Internet | 2023-08-24 15:42
I'm building a Landing Page in React where a visitor submits some data (including name and phone) and this data is sent over HTTP to a Rails 4.2 Backend.
Now, in order for the Landing Page to be able to POST data to the backend, there needs to be some sort of authentication, as only a registered staff member should have access to the data. The Rails backend currently uses regular Devise user/password login to the backend.
I thought about making a dummy account and hardcode an authorization token on the POST header from the landing page, but this is obviously a big security flaw as anyone can see the hardcoded token when they submit the form.
How can I secure the Landing Page to send / receive data to the backend server in a user-agnostic way (since visitors don't make accounts, they just fill a form with their details)?
2 solutions
0
When you do the login flow and the user has entered the password and hit send, once your backend authenticates the details, you would have to create a signed authorization token using maybe JWT** (JSON Web Token) and send this authorization token to the front-end.
Then, whenever the front-end makes a call to the backend, it has to attach this token in the header before making the API call. And the back-end should decode the token to find out which user is requesting it and whether the ttl* is still within the limits set when the token was issued.
If both checks pass, the back-end should send the requested data; otherwise it should send an HTTP 403/Forbidden, which should then be handled in the front-end to log out the user and open the login page again.
*(Time to live calculated based on the hours this token is valid from the time of issuing/login)
** JWTs are basically base64-encoded data (signed with a unique key by your backend) of the user's data. A decoded JWT token of a user would most likely look like this:
{
  "userId": "0000-aa12-bb43-cd18",
  "userName": "Some name",
  "ttl": "Time to live of this token"
}
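The issue/attach/verify flow the answer describes, as an added Ruby example that is not part of the original answer: a hand-rolled HS256 JWT (a real Rails app would normally use the jwt gem) with a constructed demo secret, where verification returns 200 with the claims or 403 when the signature does not match or the expiry (the answer's "ttl") has passed.

```ruby
require 'json'
require 'base64'
require 'openssl'

# Constructed demo secret: in Rails keep it in secrets/ENV, never in the React bundle.
SECRET = 'constructed-demo-secret-not-for-production'

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Constant-time byte comparison so the signature check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issue an HS256 JWT whose payload carries the user id (sub) and an expiry (exp), i.e. the ttl.
def issue_token(user_id, ttl_seconds, now: Time.now.to_i, secret: SECRET)
  header  = b64url({ alg: 'HS256', typ: 'JWT' }.to_json)
  payload = b64url({ sub: user_id, iat: now, exp: now + ttl_seconds }.to_json)
  signing_input = "#{header}.#{payload}"
  "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, signing_input))}"
end

# Verify a presented token: the signature must match and exp must not have passed.
# Returns [200, claims] on success or [403, nil], mirroring the answer's 403/Forbidden flow.
def verify_token(token, now: Time.now.to_i, secret: SECRET)
  header, payload, sig = token.to_s.split('.')
  return [403, nil] unless header && payload && sig
  begin
    given  = Base64.urlsafe_decode64(sig)
    claims = JSON.parse(Base64.urlsafe_decode64(payload))
  rescue ArgumentError, JSON::ParserError
    return [403, nil]
  end
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}")
  return [403, nil] unless secure_equal?(expected, given)
  return [403, nil] unless claims.is_a?(Hash) && claims['exp'].is_a?(Integer) && now < claims['exp']
  [200, claims]
end
```

The token is what the front-end would put in an Authorization header on each request; because it is signed with a secret that never leaves the server, a modified payload or an expired token is rejected instead of trusted.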