服务端
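# Authenticates the current request from the JWT in the Authorization header and,
# on success, sets @current_user. Intended as a Rails before_action: it reads
# `request`, answers with `head :unauthorized`, and returns early on any failure.
#
# Steps:
#   1. Decode the token WITHOUT verifying it, only to read `user_id` and look up
#      the per-user signing secret. Nothing else from that payload is trusted.
#   2. Decode again WITH the user's secret and a pinned algorithm; every later
#      check uses this verified payload (the original kept using the unverified one).
#   3. Reject tokens presented before `iat` or after `exp`.
#   4. Reject replays: a (user_id, jti) pair may be presented once, enforced with a
#      single atomic Redis SET NX EX whose TTL outlives the token by two seconds.
#
# A malformed token, bad signature, unknown user, missing claim, expired token or
# replay all yield the same 401, so the response leaks nothing about the cause.
def set_current_user_from_jwt_token
  token = request.authorization
  # NOTE(review): assumes the header carries the bare token (as the original did),
  # not a "Bearer <token>" prefix — confirm against the client.
  return head(:unauthorized) if token.nil? || token.empty?

  # Step 1: unverified decode, solely to learn which user's secret to verify with.
  # ruby-jwt >= 1.0 returns [payload, header]; older versions return only the
  # payload. Multiple assignment handles both shapes.
  unverified, _header = JWT.decode(token, nil, false)
  user = User.find_by(id: unverified['user_id'])
  # An unknown user gets the same 401 as a bad signature (User.find would raise
  # and turn into a 404, revealing which ids exist).
  return head(:unauthorized) if user.nil?

  # Step 2: verified decode. Pinning the algorithm stops a token that declares
  # "none" or a different alg from bypassing the HMAC check.
  payload, _header = JWT.decode(token, user.api_secret, true, algorithm: 'HS256')

  now = Time.now.to_i
  iat = payload['iat']
  exp = payload['exp']
  jti = payload['jti']
  # Without all three claims the token can be neither time-bounded nor
  # de-duplicated: a nil comparison would raise (500), and an empty jti would
  # make every token of this user share one Redis key.
  return head(:unauthorized) unless iat.is_a?(Integer) && exp.is_a?(Integer)
  return head(:unauthorized) if jti.nil? || jti.to_s.empty?
  # Step 3: time window. Strict, with no clock-skew leeway, exactly as the
  # original; add a few seconds of leeway on iat if issuer and server clocks drift.
  return head(:unauthorized) if iat > now || exp < now

  # Step 4: one-time use. Key format <user id>:<jti> is kept from the original.
  # SET NX EX claims the key and attaches its expiry in one atomic command, so a
  # crash between the two halves of the old GETSET + EXPIREAT pair cannot leave a
  # key without a TTL. The +2 keeps the key alive slightly past exp so a replay
  # right at expiry is still caught.
  key = "#{payload['user_id']}:#{jti}"
  ttl = exp + 2 - now # >= 2, because exp >= now was checked above
  return head(:unauthorized) unless redis.set(key, "1", nx: true, ex: ttl)

  # Only a fully verified, not-yet-seen token may establish the current user;
  # the original assigned @current_user before the signature was checked.
  @current_user = user
rescue JWT::DecodeError
  # Malformed token, wrong signature, or (ruby-jwt >= 1.x) expired token.
  head :unauthorized
end

如何防范 MITM（Man-In-The-Middle）攻击

所谓 MITM 攻击，就是客户端与服务器端之间的交互过程被第三方监听甚至篡改，比如公共咖啡馆的 Wi-Fi 被监听，或者流量经过了被攻陷的代理服务器等；JWT 是 bearer token，一旦在传输中被截获，在过期之前任何人都可以直接拿它冒充用户；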
针对这类攻击的办法是全程使用 HTTPS（TLS），而不只是登录接口：凡是携带 JWT 的请求都必须走 HTTPS；这也包括分布式应用，服务之间传输 cookie、token 这类敏感信息时同样要采用 HTTPS 或其他加密通道；所以不能因为部署在云上或内网就认为链路是安全的——云计算环境在本质上是共享的网络，内部流量同样需要加密和认证。
参考资料：
https://stormpath.com/blog/build-secure-user-interfaces-using-jwts
https://auth0.com/blog/2014/01/27/ten-things-you-should-know-about-tokens-and-cookies/
https://www.quora.com/Is-JWT-JSON-Web-Token-insecure-by-design
https://github.com/auth0/node-jsonwebtoken/issues/36