Managing Session Cookies with Firebase and Electron

泪湿孤枕 提交于 2021-01-27 13:34:08

问题


I am trying to set up session cookies in my Node server, which is the backend for an Electron app. I am trying to follow this guide.

https://firebase.google.com/docs/auth/admin/manage-cookies

The first thing I am confused about is where this function comes from in the "Sign In" section: const csrfToken = getCookie('csrfToken') Is 'getCookie' a function I am supposed to write myself?

I am also not fully following the logic of the "create session cookie" snippet:

const csrfToken = req.body.csrfToken.toString();
  // Guard against CSRF attacks.
  if (csrfToken !== req.cookies.csrfToken) {
    res.status(401).send('UNAUTHORIZED REQUEST!');
    return;
  }

So this looks like it's checking to see if the request body's CSRF token is the same thing set in the request cookie's CSRF token? Is this because someone might set the CSRF token manually (i.e. using Postman) but such a request won't go through because it's not in req.cookies? Does this imply that one is not supposed to be setting req.cookies in their client-side code?


回答1:


getCookie is a basically a cookie getter. You can write it yourself or lookup the implementation online. As for the CSRF check, this is a basic defense against CSRF attacks. The CSRF token is set in a cookie and then returned back in the post body. The backend will confirm that the CSRF token in the cookie matches the token in the POST body. Basically the idea here is that only requests coming from your website can read the cookie and pass it in the request in the POST body. If the request is coming from another website, they will not be able to read the cookie and pass it in the POST body. While the CSRF token cookie will be always be passed along the request even when coming from other origins, the token will not be available in the POST body.

A quickstart node.js implementation is available at: https://github.com/firebase/quickstart-nodejs/tree/master/auth-sessions



来源:https://stackoverflow.com/questions/50558607/managing-session-cookies-with-firebase-and-electron

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!