python:具有危险的API令牌生成

Question

python:具有危险的API令牌生成

lan*_*ng2 9 python security authentication flask

我正在按照"Flask Web Development"一书来实现基于令牌的身份验证.基本上,用户使用HTTP基本身份验证对他/她自己进行身份验证,并为其生成令牌:

s = Serializer(app.config['SECRET_KEY'], expires_in = 3600)
token = s.dumps({ 'id': user.id })

Run Code Online (Sandbox Code Playgroud)

但看起来这并不是只要改变id和SECRET_KEY保持不变.我知道交易将通过HTTPS进行,但仍然认为动态令牌会更好.如何实现动态令牌？

Answer 1

Mar*_*ers 18

如果您需要时间敏感的令牌,请改用TimedSerializer该类.

它不仅使用时间戳来形成签名(因此每次使用时都会生成新签名),但您也可以使用该时间戳限制令牌生存期:

>>> from itsdangerous import TimedSerializer
>>> s = TimedSerializer('sekrit')
>>> token = s.dumps({'id': 'foobar'})
>>> token
'{"id": "foobar"}.COWWsA.dect1vZLaDdgFQUA1G_iTpPY3Hg'
>>> s.loads(token, max_age=3600)
{'id': 'foobar'}
>>> s.loads(token, max_age=0)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/mpieters/Development/venvs/stackoverflow-2.7/lib/python2.7/site-packages/itsdangerous.py", line 643, in loads
    .unsign(s, max_age, return_timestamp=True)
  File "/Users/mpieters/Development/venvs/stackoverflow-2.7/lib/python2.7/site-packages/itsdangerous.py", line 463, in unsign
    date_signed=self.timestamp_to_datetime(timestamp))
itsdangerous.SignatureExpired: Signature age 18 > 0 seconds

Run Code Online (Sandbox Code Playgroud)

请注意,Serializer该类实际上不支持expires_in关键字参数,因此我怀疑您引用的代码实际上使用(未记录的)TimedJSONWebSignatureSerializer类(使用别名导入),它确实采用该关键字参数,并且还包含时间戳:

>>> from itsdangerous import TimedJSONWebSignatureSerializer as Serializer
>>> s = Serializer('sekrit', expires_in=3600)
>>> token = s.dumps({'id': 'foobar'})
>>> token
'eyJhbGciOiJIUzI1NiIsImV4cCI6MTQ0MzEwODAyMywiaWF0IjoxNDQzMTA0NDIzfQ.eyJpZCI6ImZvb2JhciJ9.eCD3zKK1lYT8cZ9w8g0YVpaF-1rR-k6UNCYq9dHmvGo'
>>> s.loads(token)
{'id': 'foobar'}
>>> s = Serializer('sekrit', expires_in=0)
>>> token = s.dumps({'id': 'foobar'})
>>> token
'eyJhbGciOiJIUzI1NiIsImV4cCI6MTQ0MzEwNDUwMCwiaWF0IjoxNDQzMTA0NTAwfQ.eyJpZCI6ImZvb2JhciJ9.Eiw3Eco7p61X-ikMxXS5dDVmjYmRSThcsMCxMyuA-r0'
>>> s.loads(token)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/mpieters/Development/venvs/stackoverflow-2.7/lib/python2.7/site-packages/itsdangerous.py", line 807, in loads
    date_signed=self.get_issue_date(header))
itsdangerous.SignatureExpired: Signature expired

Run Code Online (Sandbox Code Playgroud)

由于包含时间戳,因此生成的令牌不是静态的:

>>> s = Serializer('sekrit', expires_in=3600)
>>> token1 = s.dumps({'id': 'foobar'})
>>> token2 = s.dumps({'id': 'foobar'})
>>> from difflib import ndiff
>>> print '\n'.join(ndiff(token1.split('.'), token2.split('.')))
- eyJhbGciOiJIUzI1NiIsImV4cCI6MTQ0MzEwODIwMywiaWF0IjoxNDQzMTA0NjAzfQ
?                                        ^ ^                    ^^

+ eyJhbGciOiJIUzI1NiIsImV4cCI6MTQ0MzEwODIxMSwiaWF0IjoxNDQzMTA0NjExfQ
?                                        ^ ^                    ^^

  eyJpZCI6ImZvb2JhciJ9
- YmrKQTvZEWw4_JOOPn5uEk9QlZNla4o3Gvo09H1MXfM
+ ApeLrwT_R60pkvCYe4ihzJFPG55tGiJK6VSi6BKxAXM

Run Code Online (Sandbox Code Playgroud)

即使它们是由相同的串行器生成,这两个令牌也有很大不同.

归档时间：	10 年，2 月前
查看次数：	6939 次
最近记录：	10 年，2 月前