
Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). Original StackOverflow post: http://stackoverflow.com/questions/12135793/

Time: 2020-09-02 16:13:44  Source: igfitidea

Generating API tokens using node

node.js

Asked by Merc

I am writing an app that will expose an API. The application allows people to create workspaces and add users to them. Each user will have a unique token. When they make an API call, they will use that token (which will identify them as that user using that workspace).


At the moment I am doing this:


var crypto = require('crypto');

var w = new Workspace(); // This is a mongoose model
w.name = req.body.workspace;
w.activeFlag = true;
crypto.randomBytes(16, function(err, buf) {
    if(err){
        next(new g.errors.BadError503("Could not generate token") );
    } else {
        var token = buf.toString('hex');

        // Access is the list of users who can access it. NOTE that
        // the token is all they will pass when they use the API
        w.access = {  login: req.session.login, token:token, isOwner: true };
        w.save( function(err){
            if(err){
                next(new g.errors.BadError503("Database error saving workspace") );
            }
            // success path of the save callback not shown in the post
        });
    }
});

Is this a good way to generate API tokens?


Since the token is name+workspace, maybe I should do something like md5(username+workspace+secret_string) ...?


Accepted answer by saeed

If you are using mongodb just use ObjectId, otherwise I recommend substack's hat module.


Generating an id is as simple as


var hat = require('hat');

var id = hat();
console.log(id); // 1c24171393dc5de04ffcb21f1182ab28

Answered by Alfred

How does this code make sure your token is unique? I believe you could have collision of numbers with this code. I believe you need to have a sort of sequence number like in this commit from socket.io.


Also you could use npm projects like for example:


to ensure uniqueness.


Answered by Libu Mathew

I think the following are the best solutions for generating API tokens


Speakeasy is more secure because this key is only available for a small time period (e.g., 30 seconds)


Answered by AlexGad

Why not just use UUIDv4 if you are looking for something unique? If you are interested in some other type of hashing (as mentioned previously, hat is a good choice), you might look at speakeasy - https://github.com/markbao/speakeasy. It not only generates random keys but it can also create time-based two-factor authentication keys if you ever really want to layer on additional security strength.
