英文:
Ensuring storage of Redux state and preventing visibility in browser Developer Tools
问题
我需要关于如何安全地本地存储Redux状态的指导,确保它无法通过浏览器开发工具访问或显示。我想了解metamask-extension用于实现这种安全级别的安全策略和技术。任何见解、代码片段或推荐的最佳实践都将不胜感激。
我尝试使用redux-persist-transform-encrypt来加密和本地存储Redux状态。
const encryptKey = encryptTransform({
secretKey: "secrete-key",
});
const encryptionTransform = createTransform(
(inboundState, key) => {
return encryptKey.in(inboundState, key);
},
(outboundState, key) => {
return encryptKey.out(outboundState, key);
}
);
const customStore = localforage.createInstance({
name: "Extension",
storeName: "Extension Storage",
});
const persistConfig = {
key: "root",
storage: customStore,
transform: [encryptionTransform],
};
const rootReducer = combineReducers({
appState: appStateReducer,
wallet: walletReducer,
userPreferences: preferenceReducer,
connectedWebsites: connectedWebsiteReducer,
announcements: announcementsReducer,
language: languageReducer,
});
const persistedReducer = persistReducer(persistConfig, rootReducer);
export const store = configureStore({
reducer: persistedReducer,
devTools: false,
middleware: (getDefaultMiddleware) =>
getDefaultMiddleware({
serializableCheck: false,
}),
});
export const persistor = persistStore(store);
然而,我遇到了一个问题,加密数据仍然在浏览器的开发工具中可见,名称为 persist:root。
与此相反,metamask-extension成功隐藏了持久化数据,并安全地将加密的存储在以下本地位置:
C:\\Users\\USER_NAME\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\nkbihfbeogaeaoehlefnkodbefgpgknn
我正在寻求如何实现类似于metamask-extension所实现的加密持久化Redux状态的安全存储的指导。
英文:
I need guidance on securely storing the persisted Redux state locally, ensuring it cannot be accessed or displayed through browser development tools. I want to understand the strategies and techniques used by metamask-extension to achieve this level of security. Any insights, code snippets, or recommended best practices would be highly appreciated.
I have attempted to utilize redux-persist-transform-encrypt to encrypt and store the Redux state locally.
const encryptKey = encryptTransform({
secretKey: "secrete-key",
});
const encryptionTransform = createTransform(
(inboundState, key) => {
return encryptKey.in(inboundState, key);
},
(outboundState, key) => {
return encryptKey.out(outboundState, key);
}
);
const customStore = localforage.createInstance({
name: "Extension",
storeName: "Extension Storage",
});
const persistConfig = {
key: "root",
storage: customStore,
transform: [encryptionTransform],
};
const rootReducer = combineReducers({
appState: appStateReducer,
wallet: walletReducer,
userPreferences: preferenceReducer,
connectedWebsites: connectedWebsiteReducer,
announcements: announcementsReducer,
language: languageReducer,
});
const persistedReducer = persistReducer(persistConfig, rootReducer);
export const store = configureStore({
reducer: persistedReducer,
devTools: false,
middleware: (getDefaultMiddleware) =>
getDefaultMiddleware({
serializableCheck: false,
}),
});
export const persistor = persistStore(store);
However, I encountered an issue where the encrypted data is still visible in the browser's developer tools as persist:root.
In contrast, metamask-extension manages to hide the persisted data and securely store the encrypted vault/state in the following location locally:
C:\\Users\\USER_NAME\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\nkbihfbeogaeaoehlefnkodbefgpgknn.
I am seeking guidance on how to achieve similar secure storage of the encrypted persisted Redux state as implemented by metamask-extension.
答案1
得分: 2
Metamask是一个浏览器扩展程序,可能使用其中一个用于浏览器扩展的“storage”解决方案,这可以解释你找到的那个文件。我会假设他们使用的是storage.local,不要与localStorage混淆,后者用于网站,而不是扩展程序。
英文:
Metamask is a browser extension and probably uses one of the storage solutions for browser extensions, which would explain that file you found. I would assume they use storage.local, which is not to be confused with localStorage, which is to be used by websites, not extensions.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论