通过Angular将用户数据存储在localStorage中是否安全?
Is it safe to store user data in the localStorage through Angular?
我是 Angular 世界的新手,我正在尝试构建我的第一个 Angular 应用程序,目前我不明白将用户数据存储在 localStorage 中是否安全,如果没有,我应该怎么做才能挽救它?我正在使用 cookie 会话。
我的后端代码是这样工作的(这里只有身份验证和授权部分):
const express = require('express');
const session = require('cookie-session');
const crypt = require('bcryptjs');
const config = require('../config');
const router = express.Router();
const users = require('../models/users');
const app = express();
app.use(session({
name: 'session',
keys: config.keys,
secret: config.sessionkey,
cookie: {
secure: false,
httpOnly: true,
path: 'cookie',
expires: new Date(Date.now() + 60 * 60 * 1000 * 24 * 365)
}
}));
router.get('/', (req,res)=>{
if(isAuthenticated(req)){
res.send(req.session.user);
} else {
res.send({"message":"Authenticate first."});
}
});
router.post("/login", (req, res) => {
const email = req.body.email;
const userpass = req.body.userpass;
users.findUserByEmail(email,function(user){
if(crypt.compareSync(userpass,user[0].userpass)){
req.session.user = user;
res.send(user);
}
});
});
router.post("/logout", (req,res)=> {
req.session = null;
res.redirect("/");
});
router.post("/register", (req, res) => {
var user = { "username": req.body.username, "userpass": crypt.hashSync(req.body.userpass, 10) , "email": req.body.email, "birthDate": req.body.birthDate };
users.createUser(user,(err)=>{
if(!err){
res.send({ "message":"Login" });
} else {
res.send({ "message":"Something went wrong during registration please retry." });
}
});
});
router.post("/unregister", isAuthenticated, (req, res) => {
var email = req.body.email;
if(isAuthenticated(req)){
users.findUserByEmail(email,function(user){
if(req.session.user == user){
if(crypt.compareSync(req.body.userpass,user[0].userpass)){
req.session = null;
users.deleteUserByEmail(email,function(err){
if(err){
res.send({ "message":"Something went wrong while deleting the user please retry." });
} else {
res.send({ "message":"User deleted successfully" });
}
});
}
}
});
} else {
res.send({ "message":"Authenticat first." });
}
});
function isAuthenticated(req){
return req.session.user != null;
}
module.exports.app = app;
module.exports.Router = router;
module.exports.isAuthenticated = isAuthenticated;
如您所见,当用户正确登录时,我只是将存储在数据库中的用户数据原封不动地发送给他(显然没有用户密码),所以我应该怎么做才能在 angular边?
你应该使用JWT to exchange authentication data between server and client if you're new the idea of JWT, you may read a little about it in the intro,使用JWT你将能够在客户端读取它(Angular)并将它保存到localStorage,并且不用担心它的安全性因为它毕竟是一个散列,即使任何人都可以读取它的内容 he/she 也无法修改它,因为它只能由您的服务器中的安全 key/signature 完全相同地生成。
当然,您必须将 jwt 令牌与每个请求一起发送到您的服务器,在 Angular 中,使用 interceptors 实现这种方法非常容易。
这里 complete example 演示了 JWT 与 Angular 和 NodeJS 的用法。
我是 Angular 世界的新手,我正在尝试构建我的第一个 Angular 应用程序,目前我不明白将用户数据存储在 localStorage 中是否安全,如果没有,我应该怎么做才能挽救它?我正在使用 cookie 会话。
我的后端代码是这样工作的(这里只有身份验证和授权部分):
const express = require('express');
const session = require('cookie-session');
const crypt = require('bcryptjs');
const config = require('../config');
const router = express.Router();
const users = require('../models/users');
const app = express();
app.use(session({
name: 'session',
keys: config.keys,
secret: config.sessionkey,
cookie: {
secure: false,
httpOnly: true,
path: 'cookie',
expires: new Date(Date.now() + 60 * 60 * 1000 * 24 * 365)
}
}));
router.get('/', (req,res)=>{
if(isAuthenticated(req)){
res.send(req.session.user);
} else {
res.send({"message":"Authenticate first."});
}
});
router.post("/login", (req, res) => {
const email = req.body.email;
const userpass = req.body.userpass;
users.findUserByEmail(email,function(user){
if(crypt.compareSync(userpass,user[0].userpass)){
req.session.user = user;
res.send(user);
}
});
});
router.post("/logout", (req,res)=> {
req.session = null;
res.redirect("/");
});
router.post("/register", (req, res) => {
var user = { "username": req.body.username, "userpass": crypt.hashSync(req.body.userpass, 10) , "email": req.body.email, "birthDate": req.body.birthDate };
users.createUser(user,(err)=>{
if(!err){
res.send({ "message":"Login" });
} else {
res.send({ "message":"Something went wrong during registration please retry." });
}
});
});
router.post("/unregister", isAuthenticated, (req, res) => {
var email = req.body.email;
if(isAuthenticated(req)){
users.findUserByEmail(email,function(user){
if(req.session.user == user){
if(crypt.compareSync(req.body.userpass,user[0].userpass)){
req.session = null;
users.deleteUserByEmail(email,function(err){
if(err){
res.send({ "message":"Something went wrong while deleting the user please retry." });
} else {
res.send({ "message":"User deleted successfully" });
}
});
}
}
});
} else {
res.send({ "message":"Authenticat first." });
}
});
function isAuthenticated(req){
return req.session.user != null;
}
module.exports.app = app;
module.exports.Router = router;
module.exports.isAuthenticated = isAuthenticated;
如您所见,当用户正确登录时,我只是将存储在数据库中的用户数据原封不动地发送给他(显然没有用户密码),所以我应该怎么做才能在 angular边?
你应该使用JWT to exchange authentication data between server and client if you're new the idea of JWT, you may read a little about it in the intro,使用JWT你将能够在客户端读取它(Angular)并将它保存到localStorage,并且不用担心它的安全性因为它毕竟是一个散列,即使任何人都可以读取它的内容 he/she 也无法修改它,因为它只能由您的服务器中的安全 key/signature 完全相同地生成。
当然,您必须将 jwt 令牌与每个请求一起发送到您的服务器,在 Angular 中,使用 interceptors 实现这种方法非常容易。
这里 complete example 演示了 JWT 与 Angular 和 NodeJS 的用法。