Golang and JWT - Simple Logout
Question
I'm currently working on an API and after a bit of time, I now understand how to use JWT in Go to get a token. With this token, I can keep a user connected but, how can I logout from the client application?
Here is my token.go code:
package main

import (
	"fmt"
	"time"

	"github.com/dgrijalva/jwt-go"
)

// User is referenced by the original post but not shown; a minimal definition
// is assumed here so the file compiles.
type User struct {
	Username string
	Password string
}

const tokenEncodeString = "something"

func createToken(user User) (string, error) {
	// set some claims (kept as posted: the password claim is what the answer objects to)
	claims := jwt.MapClaims{
		"username": user.Username,
		"password": user.Password,
		"exp":      time.Now().Add(time.Hour * 72).Unix(),
	}
	// create the token
	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	// Sign and get the complete encoded token as string
	return token.SignedString([]byte(tokenEncodeString))
}

func parseToken(unparsedToken string) (bool, string) {
	token, err := jwt.Parse(unparsedToken, func(token *jwt.Token) (interface{}, error) {
		// only accept the HMAC family the token was signed with, so a token
		// whose header names another algorithm is rejected before the key is used
		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
		}
		return []byte(tokenEncodeString), nil
	})
	if err == nil && token.Valid {
		return true, unparsedToken
	}
	return false, ""
}
After research, I found out that I can use a blacklist, but I really want to know if it's possible with something easier, like the code above.
I also want to find a solution that works with the memory used by the JWT process. Someone who disconnects/connects himself all the time has to have only one token for each session, not one for him and a hundred in a given blacklist.
Answer 1
Score: 6
First: Don't (ever) put sensitive credentials in the token. They are not encrypted, and you shouldn't need to do that.
To note:
- JWTs are stateless: you issue one, and it lives as long as you have allowed/are validating against on the server.
- You could issue a new JWT with an expiry of 'now', but the old JWT would still be valid (i.e. a security risk).
- Read through http://jwt.io/introduction/
If you need control over expiring access tokens after issuance, then you should implement a server-side scheme, which would allow you to expire tokens directly. The user would only hold an ID that references the server-side store.
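As an added example (not code from the question or the answer), here is what the server-side scheme the answer recommends can look like in Go. The token carries only a subject and a session id (jti) that references a server-side store; the server keeps one entry per live session, and logout deletes that entry, so the same token is refused afterwards even though its signature and exp are still valid. This also addresses the memory point raised in the question: the store grows with live logins rather than with an ever-growing blacklist, and entries whose token has expired anyway are evicted on the next login. HS256 signing and verification are done with the standard library instead of jwt-go so the block runs offline; the store type, the key and the user names are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"sync"
	"time"
)

// Header of every minted token. Verify never reads the alg of an incoming token; it always recomputes HS256 with our key.
const jwtHeader = `{"alg":"HS256","typ":"JWT"}`

// Claims: a subject and a session id (jti) that references the server-side store. No password.
type Claims struct {
	Sub string `json:"sub"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}

// SessionStore holds one entry per live session (jti -> exp); the zero value is ready to use.
type SessionStore struct {
	mu       sync.Mutex
	key      []byte
	sessions map[string]int64
}

func enc(b []byte) string          { return base64.RawURLEncoding.EncodeToString(b) }
func dec(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }

func (s *SessionStore) sign(input string) []byte {
	mac := hmac.New(sha256.New, s.key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// Login mints an HS256 JWT with a random jti, registers the session and evicts expired ones.
func (s *SessionStore) Login(user string, ttl time.Duration) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	now := time.Now().Unix()
	c := Claims{Sub: user, Jti: enc(raw), Exp: now + int64(ttl/time.Second)}
	payload, _ := json.Marshal(c) // cannot fail for this struct
	input := enc([]byte(jwtHeader)) + "." + enc(payload)
	s.mu.Lock()
	if s.sessions == nil {
		s.sessions = map[string]int64{}
	}
	for jti, exp := range s.sessions {
		if now >= exp { // token expired anyway: drop it so the map stays bounded
			delete(s.sessions, jti)
		}
	}
	s.sessions[c.Jti] = c.Exp
	s.mu.Unlock()
	return input + "." + enc(s.sign(input)), nil
}

// Verify checks signature and expiry, then that the session is still live.
func (s *SessionStore) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	payload, e1 := dec(parts[1])
	sig, e2 := dec(parts[2])
	if e1 != nil || e2 != nil || !hmac.Equal(sig, s.sign(parts[0]+"."+parts[1])) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	s.mu.Lock()
	_, live := s.sessions[c.Jti]
	s.mu.Unlock()
	if time.Now().Unix() >= c.Exp || !live {
		return nil, errors.New("token expired or session logged out")
	}
	return &c, nil
}

// Logout deletes the session: the token is refused from now on although its signature and exp are still valid.
func (s *SessionStore) Logout(token string) error {
	c, err := s.Verify(token)
	if err == nil {
		s.mu.Lock()
		delete(s.sessions, c.Jti)
		s.mu.Unlock()
	}
	return err
}
```

A handler would call Login on successful authentication, Verify on every request and Logout when the client asks to sign out. Because the token is signed by the server and the jti is only meaningful together with a live store entry, the client holds nothing more than an opaque reference, which is exactly the "ID that references the server-side store" the answer describes.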