< img>的基于JWT的身份验证标签?
假设我有一个单页面应用程序,该应用程序使用JWT令牌针对后端REST api进行身份验证.当执行REST请求时,我将JWT令牌传输到http标头中.到目前为止,一切都很好.
Supposed I have a single page application that uses JWT tokens to authenticate against a backend REST api. I transfer the JWT token inside the http header when doing a REST request. So far, so good.
现在,假设我想从服务器下载图像,并且我只希望经过身份验证的用户可以访问该图像.在服务器上,这没问题:只需定义一个传递图像的路由,然后在该路由中验证JWT令牌.
Now, supposed I want to download an image from the server, and I want the image only to be accessible for authenticated users. On the server, this is no problem: Simply define a route that delivers the image, and in that route verify the JWT token.
但是:如何将令牌从客户端转移到服务器?如果使用常规<img ...>标记,则无法将令牌附加为http标头.我该怎么办?
But: How do I transfer the token from the client to the server? If I use a regular <img ...> tag, I can not attach the token as an http header. What should I do?
我基本上可以考虑添加令牌,例如以base64编码到查询字符串,但这似乎不是很安全,因为令牌随后出现在浏览器的历史记录中.另一方面,如果不完全使用JavaScript加载图像,我想不出另一种方法.
I basically can think of adding the token, e.g. base64-encoded, to the query string, but that does not seem to be very secure, since the token then appears in the browser's history. On the other hand, I can not think of another approach, without loading images entirely using JavaScript.
有任何提示吗?
如果我想到Amazon S3,则在这里想要一个签名的URL.正如您已经建议的,向查询字符串中添加标记是可以的.
If i think of Amazon S3 a signed url is what you want here. As you already suggested adding a token to the query string would be fine.
关于安全性:我认为这与令牌的到期日期有关.由于令牌没有无效,因此最好使用签名的URL:
About security: I think this is a matter of the expiration date of the token. As there is no invalidation of the token maybe it is better to use signed URLs:
- 获取JWT
- 获取带有该令牌的签名URL
- 使用该URL检索img
这样,您可以独立于JWT来控制签名URL的到期时间,还可以定义用于签名URL的令牌的长度.
This way you can control the expiration of the signed URL independent of the JWT and also define the length of the token used for the signed URL.