Angular Amplify and Cognito security concerns


I am trying to figure out whether Cognito needs Amplify in order to be used from the front end, or whether there is a more secure way to set it up. The reason I ask is that I have a solution that lets me log in to my application using Cognito, Amplify and Angular, but to make it work I have to put things like the userPoolId and userPoolWebClientId in the auth.service.ts file. From a security standpoint that feels like a very bad thing to do. Normally I would expect this kind of sensitive information to be stored on the backend, but I have not yet seen a solution that does it any other way.

My Angular application is set up as follows in auth.service.ts:

import Amplify from 'aws-amplify';
import { CognitoUserPool } from 'amazon-cognito-identity-js';

Amplify.configure({
  Auth: {
    region: 'us-east-1',
    userPoolId: '<my user pool id was here. Seems insecure>',
    userPoolWebClientId: '<my client id was here. Seems insecure>',
    mandatorySignIn: false,

    oauth: {
      domain: 'mysite.auth.us-east-1.amazoncognito.com',
      scope: ['email', 'profile', 'openid'],
      redirectSignIn: 'http://localhost:4200/',
      redirectSignOut: 'http://localhost:4200/',
      responseType: 'code'
    }
  }
});


const POOL_DATA = {
  UserPoolId: '<my user pool id was here. Seems insecure>',
  ClientId: '<my client id was here. Seems insecure>'
};

const userPool = new CognitoUserPool(POOL_DATA);
...

Is there something I am missing? Is there a more secure way to do this on the front end?

There is no option to use AWS Cognito on the front end without the pool id and web client id.

I would suggest keeping the credentials in the environment.ts file instead of in the service file.

  • Add the credentials to environment.ts

    export const environment = {
       production: false,
       envName: 'dev',
       cognitoUserPoolId: '<secure credential>',
       cognitoClientId: '<secure credential>'
    };
    
  • Create a config.ts file as an abstraction layer

     import { environment } from '<your folder path>/environments/environment';
    
     export const CONFIG = {
        UserPoolId: environment.cognitoUserPoolId,
        ClientId: environment.cognitoClientId,
     };
    
  • Import the config file in auth.service.ts

     import Amplify from 'aws-amplify';
     import { CONFIG } from '<your folder path>/config';
    
     Amplify.configure({
        Auth: {
          region: 'us-east-1',
          userPoolId: CONFIG.UserPoolId,
          userPoolWebClientId: CONFIG.ClientId,
          mandatorySignIn: false
       }
     });
    

  • This way the credentials are not exposed to the outside world. Hope this makes sense.


    You are right to question everything you put on the front end, but these IDs are not sensitive. If I wanted to get through your application's authentication, I would still have to prove my identity claim to one of the identity providers you have chosen.

    Think about how other web applications are implemented. You might have a backend REST endpoint that accepts a POST request containing the authentication credentials. The fact that I can see the JavaScript code and extract the URL of the login endpoint does not mean it is insecure.

    Protect the sensitive data on your backend with authorization controls. Then you can (relatively) safely assume that, although everyone can load the front-end code resources, any request they make to backend resources will be denied unless it carries an appropriate valid token.

    This goes into more detail.
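As an added example that is not part of the question or either answer, this is the kind of backend check the second answer relies on, in TypeScript: the user pool id and app client id are ordinary inputs to the verifier, and a request is accepted only when the token's RS256 signature checks out against the pool's JWKS and its issuer, token_use, client_id and exp claims match. The issuer URL layout is Cognito's; the key pair, kid, pool id, client id and claim values are constructed placeholders so the block runs offline.

```typescript
import { createPublicKey, generateKeyPairSync, sign, verify } from "node:crypto";
import type { JsonWebKey } from "node:crypto";

const REGION = "us-east-1";
export const USER_POOL_ID = "us-east-1_EXAMPLE";   // constructed placeholder, not a real pool
export const CLIENT_ID = "example-app-client-id";  // constructed placeholder, not a real client
// Cognito's issuer URL layout; the pool id is part of it, which is one reason it cannot be a secret.
export const ISSUER = `https://cognito-idp.${REGION}.amazonaws.com/${USER_POOL_ID}`;

const b64url = (b: Buffer) => b.toString("base64url");
const decodeJson = (s: string) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));

// Constructed RSA key standing in for the user pool's signing key. Its public half is
// published as a JWKS document, like the one a real backend fetches once from
// `${ISSUER}/.well-known/jwks.json` and caches.
const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
const KID = "constructed-kid-1";
export const JWKS = {
  keys: [{ ...publicKey.export({ format: "jwk" }), kid: KID, alg: "RS256", use: "sig" }],
};

// Mint an RS256 token with the claim layout of a Cognito access token (test helper only).
export function mintToken(claims: Record<string, unknown>, kid: string = KID): string {
  const head = b64url(Buffer.from(JSON.stringify({ alg: "RS256", kid })));
  const body = b64url(Buffer.from(JSON.stringify(claims)));
  const sig = sign("sha256", Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${b64url(sig)}`;
}

// The check a backend runs on every request: returns the claims, or null on any failure.
export function verifyAccessToken(token: string, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, b, s] = parts;
  let header: any, claims: any;
  try { header = decodeJson(h); claims = decodeJson(b); } catch { return null; }
  if (header.alg !== "RS256") return null;                 // allow-list the algorithm; never accept "none"
  const jwk = JWKS.keys.find((k) => k.kid === header.kid);
  if (!jwk) return null;                                   // kid not in the pool's JWKS
  const key = createPublicKey({ key: jwk as JsonWebKey, format: "jwk" });
  if (!verify("sha256", Buffer.from(`${h}.${b}`), key, Buffer.from(s, "base64url"))) return null;
  if (claims.iss !== ISSUER) return null;                  // issued by our pool, not some other pool
  if (claims.token_use !== "access") return null;          // an access token, not an id token
  if (claims.client_id !== CLIENT_ID) return null;         // issued to our app client
  if (typeof claims.exp !== "number" || claims.exp <= now) return null; // not expired
  return claims;
}
```

With a real pool, the JWKS would be fetched from the issuer's `.well-known/jwks.json` instead of being generated locally; everything else in the check stays the same.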
