Golang and JWT - Simple Logout


Question

I'm currently working on an API and after a bit of time, I now understand how to use JWT in Go to get a token. With this token, I can keep a user connected, but how can I log out from the client application?

Here is my token.go code:

package main

import (
    "github.com/dgrijalva/jwt-go"
    "time"
)

const (
    // shared HMAC secret used both to sign and to verify every token
    tokenEncodeString = "something"
)

// User is the application's own type, defined elsewhere in the project.
func createToken(user User) (string, error) {
    // create the token
    token := jwt.New(jwt.SigningMethodHS256)

    // set some claims
    token.Claims["username"] = user.Username
    token.Claims["password"] = user.Password
    token.Claims["exp"] = time.Now().Add(time.Hour * 72).Unix()

    // sign and get the complete encoded token as a string
    return token.SignedString([]byte(tokenEncodeString))
}

func parseToken(unparsedToken string) (bool, string) {
    // the key function hands back the shared secret; jwt-go then checks the
    // signature and the exp claim (production code should also check token.Method)
    token, err := jwt.Parse(unparsedToken, func(token *jwt.Token) (interface{}, error) {
        return []byte(tokenEncodeString), nil
    })

    if err == nil && token.Valid {
        return true, unparsedToken
    }
    return false, ""
}

After research, I found out that I can use a black list, but I really want to know if it's possible with something easier, like the code above.

I also want to find a solution that works with the memory used by the JWT process. Someone who disconnects/connects himself all the time has to have only one token for each session, not one for him and a hundred in a given black list.

Answer 1

Score: 6

First: Don't (ever) put sensitive credentials in the token. They are not encrypted, and you shouldn't need to do that.

To note:

  • JWTs are stateless: you issue one, and it lives as long as you have allowed/are validating against on the server.
  • You could issue a new JWT with an expiry of 'now', but the old JWT would still be valid (i.e. a security risk).
  • Read through http://jwt.io/introduction/

If you need control over expiring access tokens after issuance, then you should implement a server-side scheme, which would allow you to expire tokens directly. The user would only hold an ID that references the server-side store.
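The server-side scheme the answer recommends, written out as an added example that is not part of the original question or answer: the client holds only a random ID, the server holds the session record and deletes it on logout, so revocation is immediate and the store holds exactly one entry per live session rather than a growing blacklist. The type and method names (SessionStore, Login, Authenticate, Logout) and the in-memory sync.Map are this example's own assumptions; a real deployment would back the same lookups with a shared store.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"sync"
	"time"
)

// session is the server-side record an opaque ID points at; the client never sees it.
type session struct {
	user    string
	expires time.Time
}

// SessionStore keeps exactly one entry per live session. Logout deletes the entry,
// so a user who logs in and out all day never leaves revoked tokens behind.
type SessionStore struct {
	ttl      time.Duration // lifetime of a session after login
	sessions sync.Map      // id -> session (in-memory stand-in for a shared store)
}

// Login creates a session and hands back its random ID; that ID is the whole token.
func (s *SessionStore) Login(user string) (string, error) {
	raw := make([]byte, 32) // 256 bits from crypto/rand: unguessable
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	id := base64.RawURLEncoding.EncodeToString(raw)
	s.sessions.Store(id, session{user: user, expires: time.Now().Add(s.ttl)})
	return id, nil
}

// Authenticate resolves an ID to its user, rejecting unknown, revoked or expired sessions.
func (s *SessionStore) Authenticate(id string) (string, error) {
	v, ok := s.sessions.Load(id)
	if !ok {
		return "", errors.New("unknown or logged-out session")
	}
	sess := v.(session)
	if time.Now().After(sess.expires) {
		s.sessions.Delete(id) // expired entries are reclaimed on first touch
		return "", errors.New("session expired")
	}
	return sess.user, nil
}

// Logout revokes at once: the ID stops working the moment its entry is gone.
func (s *SessionStore) Logout(id string) { s.sessions.Delete(id) }
```

Keyed by a JWT's jti claim instead of a bare ID, the same lookup lets signed tokens like the ones in the question be rejected on logout while only live sessions occupy memory.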

huangapple
  • Posted on 2016-03-30 02:59:07
  • Original link (keep when republishing): https://go.coder-hub.com/36292900.html