Is it possible in Go to access a JWT token stored in client localStorage?

Question

I've already implemented a SPA application on the backend, and with Angular it's easy to authorize the token stored in the browser's localStorage, but on the frontend I use the server for rendering the HTML.

In Go, in the HTTP request handler on the server, how can I get hold of the browser's localStorage / sessionStorage to retrieve the token, validate it and render the allowed content in the response?

Is this even possible, or do I have to use a session?

I was thinking maybe somehow http.Client had some way I don't see which could help get the job done?

Edit
If it's not possible: I found this: http://www.gorillatoolkit.org/pkg/securecookie - I tried googling a bit, but I want to be absolutely certain this HMAC verification makes this solution at least as secure as JSON Web Tokens?

And if there is indeed someone who can come up with good arguments why one should use server resources on sessions, please do share this with me (I don't care about old browsers btw - only performance and utilizing the clients where possible, as long as security is not compromised).

Answer 1

Score: 2

Some people have downvoted your question, so perhaps it'd be helpful to get things straight:

  • Backend is the thing that generates the HTML and sends it to the user - server-side;
  • Frontend is what the end user sees in his/her browser (including JavaScript) - client-side.
  • The browser's localStorage is at the frontend, and is therefore not accessible to the backend. You may use cookies (which are stored on the client-side, but sent to the server-side and vice versa) - but that's about as far as it goes.
  • securecookie is a way of storing cookies at the client-side without anyone being able to alter/view them except yourself - because it's encrypted using a "secret" only you (should) know.
  • The advantage of session data is that there's no need to verify it for forgery - you're the one that put the data there, and if there's something/someone that did forge the session data, then you've got bigger problems. You may also store things that you don't want the end user/client to know about. Using encrypted cookies is an alternative to achieve this.
    • Note that you can use session data to store large things as well - if there's a (possibly valid but) strange reason to store a 500MB session data blob for the end user, you don't want to send that 500MB to the end user right away. The session data stays at your server.
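
As an added example (mine, not code from the original question or the answer), here is what those points look like in Go: a page-rendering handler that can only ever see what the browser sends along with the navigation, i.e. a cookie, and that trusts the cookie only after an HMAC check, which is the same authenticity guarantee securecookie's HMAC and a JWT HS256 signature rest on. Everything here is assumed for the sake of the example: a cookie named auth, a two-part token of the form base64url(claims).base64url(HMAC-SHA256) standing in for a real JWT (no header segment, no encryption), the Claims shape, and requests constructed with net/http/httptest so the block runs offline with only the standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Claims is the token payload used in this example (a hypothetical shape, not a JWT library's).
type Claims struct {
	Subject string `json:"sub"`
	Expires int64  `json:"exp"` // Unix seconds
}

func sign(secret []byte, msg string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(msg))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// SignToken mints base64url(claims) + "." + MAC: the same tamper-evidence as a JWT
// HS256 signature or a securecookie, minus the JWT header segment.
func SignToken(secret []byte, c Claims) string {
	payload, _ := json.Marshal(c) // cannot fail for this fixed struct
	enc := base64.RawURLEncoding.EncodeToString(payload)
	return enc + "." + sign(secret, enc)
}

// VerifyToken checks the MAC in constant time before parsing or trusting any field, then expiry.
func VerifyToken(secret []byte, token string, now time.Time) (Claims, error) {
	var c Claims
	enc, sig, ok := strings.Cut(token, ".")
	if !ok || !hmac.Equal([]byte(sig), []byte(sign(secret, enc))) {
		return c, errors.New("missing or invalid signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(enc)
	if err != nil || json.Unmarshal(payload, &c) != nil || now.Unix() >= c.Expires {
		return c, errors.New("malformed or expired token")
	}
	return c, nil
}

// TokenFromRequest is all a page-rendering handler gets: never localStorage, only what
// the browser sends by itself with the navigation, which means cookies.
func TokenFromRequest(r *http.Request) (string, bool) {
	if ck, err := r.Cookie("auth"); err == nil && ck.Value != "" {
		return ck.Value, true
	}
	return "", false
}

// Render is the server-side HTML handler: 401 unless a valid token arrived.
func Render(secret []byte, clock func() time.Time) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, ok := TokenFromRequest(r)
		c, err := VerifyToken(secret, tok, clock())
		if !ok || err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprintf(w, "<h1>Hello, %s</h1>", html.EscapeString(c.Subject))
	})
}

// Scenario returns the status codes for: no Cookie header at all, a valid signed cookie,
// and a forged cookie whose payload was edited to claim sub=admin with the original signature kept.
func Scenario(secret []byte) (noToken, valid, tampered int) {
	now := time.Date(2014, 12, 17, 6, 50, 37, 0, time.UTC)
	h := Render(secret, func() time.Time { return now })
	do := func(cookieHeader string) int { // "" means the browser sent no Cookie header
		req := httptest.NewRequest(http.MethodGet, "/", nil)
		req.Header.Set("Cookie", cookieHeader)
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		return rec.Code
	}
	tok := SignToken(secret, Claims{Subject: "alice", Expires: now.Add(time.Hour).Unix()})
	forged, _ := json.Marshal(Claims{Subject: "admin", Expires: now.Add(time.Hour).Unix()})
	_, sig, _ := strings.Cut(tok, ".")
	return do(""), do("auth="+tok), do("auth="+base64.RawURLEncoding.EncodeToString(forged)+"."+sig)
}

func main() {
	secret := make([]byte, 32) // per-deployment secret: load it from config in production, never hard-code
	if _, err := rand.Read(secret); err != nil {
		panic(err)
	}
	fmt.Println(Scenario(secret)) // 401 200 401
}
```

Running it prints 401 200 401: the request with no cookie is rejected because nothing in localStorage ever reaches the server; the signed cookie is accepted; the cookie whose payload was rewritten to sub=admin fails the MAC before any field is read. Two things the example leaves out are worth stating. An Angular XHR call can still send the localStorage token as an Authorization: Bearer header, but a plain navigation to a server-rendered page cannot, so the login response has to set the cookie (with HttpOnly, Secure and SameSite) for this handler to ever see a token. And the payload is authenticated but not encrypted, so anyone holding the cookie can read sub and exp; for data the client must not read, that is where securecookie's encryption or a server-side session comes in, as the answer says.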

huangapple
  • Posted on 2014-12-17 06:50:37
  • When reposting, please keep the link to this article: https://go.coder-hub.com/27515421.html