问题描述
假设我有一个单页面应用程序,该应用程序使用JWT令牌针对后端REST api进行身份验证.当执行REST请求时,我将JWT令牌传输到http标头中.到目前为止,一切都很好.
Supposed I have a single page application that uses JWT tokens to authenticate against a backend REST api. I transfer the JWT token inside the http header when doing a REST request. So far, so good.
现在,假设我想从服务器下载图像,并且我只希望经过身份验证的用户可以访问该图像.在服务器上,这没问题:只需定义一个传递图像的路由,然后在该路由中验证JWT令牌.
Now, supposed I want to download an image from the server, and I want the image only to be accessible for authenticated users. On the server, this is no problem: Simply define a route that delivers the image, and in that route verify the JWT token.
但是:如何将令牌从客户端转移到服务器?如果使用常规<img ...>
标记,则无法将令牌附加为http标头.我该怎么办?
But: How do I transfer the token from the client to the server? If I use a regular <img ...>
tag, I can not attach the token as an http header. What should I do?
我基本上可以考虑添加令牌,例如以base64编码到查询字符串,但这似乎不是很安全,因为令牌随后出现在浏览器的历史记录中.另一方面,如果不完全使用JavaScript加载图像,我想不出另一种方法.
I basically can think of adding the token, e.g. base64-encoded, to the query string, but that does not seem to be very secure, since the token then appears in the browser's history. On the other hand, I can not think of another approach, without loading images entirely using JavaScript.
有任何提示吗?
推荐答案
如果我想到Amazon S3,则在这里想要一个签名的URL.正如您已经建议的,向查询字符串中添加标记是可以的.
If i think of Amazon S3 a signed url is what you want here. As you already suggested adding a token to the query string would be fine.
关于安全性:我认为这与令牌的到期日期有关.由于令牌没有无效,因此最好使用签名的URL:
About security: I think this is a matter of the expiration date of the token. As there is no invalidation of the token maybe it is better to use signed URLs:
- 获取JWT
- 获取带有该令牌的签名URL
- 使用该URL检索img
这样,您可以独立于JWT来控制签名URL的到期时间,还可以定义用于签名URL的令牌的长度.
This way you can control the expiration of the signed URL independent of the JWT and also define the length of the token used for the signed URL.
这篇关于< img>的基于JWT的身份验证标签?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!