Ask HN: Is anyone else using localStorage tokens for no-signup trials?
I posted my side project (Spikelog, simple metrics tracking) here a few weeks ago. You had to sign up to try it.

I have no idea how many people bounced at that step but I know I personally close tabs when something wants my email before I can even look around. So I finally added a "try without signing up" flow. This was recommended by a commenter on the original post: https://news.ycombinator.com/item?id=46085379

To get this working when you press 'Try it now', I create a guest user and give you back a 'refresh' secret. That goes in localStorage. Next time you visit, we swap it for a fresh JWT. If you eventually sign up for real, your stuff transfers over.

I'm using a separate (from my auth router) JWT keypair for guests vs real users. Idea being if someone compromises the backend they can only forge guest tokens, not real ones. Secrets are hashed, guest creation is rate limited (5/hour/IP). Only real accounts can call the merge endpoint so guests can't steal each other's data.

There are some downsides. If you clear your localStorage, you've lost access. It only works on one device. And I'll need some cleanup job eventually for abandoned guest accounts sitting in the DB.

I'd be interested in others' approaches to this. I wanted to make something that mirrored my real auth flow where everything starts from a valid refresh token (the real flow uses a cookie).

https://spikelog.com if you want to poke at it. Feel free to try and break it and please let me know if you do, or how I can tighten up my security.
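A minimal sketch of the flow described in the post (refresh secret stored only as a hash, swapped for a guest JWT signed under its own key, and a merge endpoint that accepts only real-user tokens), added here as an example and not Spikelog's code. It assumes an HMAC secret per token class in place of the post's separate keypair, module-level dicts for storage, and the names create_guest, refresh_guest, add_guest_metric, issue_user_token and merge_guest plus a 15-minute token lifetime.

```python
import base64, hashlib, hmac, json, secrets, time
# One signing key per token class (the post uses a separate keypair; this HMAC stand-in is constructed).
GUEST_KEY, USER_KEY = secrets.token_bytes(32), secrets.token_bytes(32)
_guest_refresh = {}  # guest_id -> sha256 of the refresh secret; the secret itself is never stored
_guest_data, _user_data = {}, {}  # account id -> list of metric points

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _sign(claims: dict, key: bytes) -> str:
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
def _verify(token: str, key: bytes):
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig, _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())):
        return None  # not signed with this class's key, or tampered with
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims if claims["exp"] > time.time() else None

def create_guest():
    """'Try it now': create a guest and return the refresh secret the browser keeps in localStorage."""
    gid, secret = "g_" + secrets.token_hex(8), secrets.token_urlsafe(32)
    _guest_refresh[gid], _guest_data[gid] = hashlib.sha256(secret.encode()).hexdigest(), []
    return gid, secret

def refresh_guest(gid: str, secret: str):
    """Next visit: swap the localStorage secret for a short-lived guest JWT signed with GUEST_KEY."""
    digest = hashlib.sha256(secret.encode()).hexdigest()
    if gid not in _guest_refresh or not hmac.compare_digest(_guest_refresh[gid], digest):
        return None
    return _sign({"sub": gid, "kind": "guest", "exp": int(time.time()) + 900}, GUEST_KEY)

def add_guest_metric(guest_token: str, point: dict) -> bool:
    claims = _verify(guest_token, GUEST_KEY)
    if claims is None or claims.get("kind") != "guest" or claims["sub"] not in _guest_data:
        return False  # wrong key class, expired, or the guest has already been merged away
    _guest_data[claims["sub"]].append(point)
    return True

def issue_user_token(user_id: str) -> str:  # what the real (cookie-based) login flow would hand out
    return _sign({"sub": user_id, "kind": "user", "exp": int(time.time()) + 900}, USER_KEY)

def merge_guest(user_token: str, gid: str):
    """Merge endpoint: only a USER_KEY-verified token is accepted (a guest JWT gets None); returns points moved."""
    claims = _verify(user_token, USER_KEY)
    if claims is None or claims.get("kind") != "user":
        return None
    _user_data.setdefault(claims["sub"], []).extend(moved := _guest_data.pop(gid, []))
    _guest_refresh.pop(gid, None)  # the old localStorage secret stops working once the data has moved
    return len(moved)
```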