Google登录小部件-通过这种方式安全地传输令牌吗?

时间:2019-02-06 13:48:30

标签: javascript security https google-signin

我遵循了this tutorial,并为自己打造了一个小型测试环境:

pip
function loadGsignin() { // only sets color
    let prevtr = document.getElementsByClassName("abcRioButton")[0].style.transition;
    document.getElementsByClassName("abcRioButton")[0].style.transition = "none";
    document.getElementsByClassName("abcRioButton")[0].style.backgroundColor = "#444444";
    setTimeout(()=>{
        document.getElementsByClassName("abcRioButton")[0].style.transition = prevtr;
    }, 50);
}


function onSignIn(googleUser) {
    // Useful data for your client-side scripts:
    var profile = googleUser.getBasicProfile();
    console.log("ID: " + profile.getId()); // Don't send this directly to your server!
    document.getElementById("fullname").innerHTML=profile.getGivenName() + " " + profile.getFamilyName();
    console.log('Given Name: ' + profile.getGivenName());
    console.log('Family Name: ' + profile.getFamilyName());
    document.getElementById("avatarImg").src=profile.getImageUrl();
    document.getElementById("email").innerHTML=profile.getEmail();

    // The ID token you need to pass to your backend:
    var id_token = googleUser.getAuthResponse().id_token;
    console.log("ID Token: " + id_token);

    var xhr = new XMLHttpRequest();
    xhr.open("POST", "https://sv443.net/backendServer");
    xhr.onreadystatechange = () => {
        if(xhr.readyState == 4) {
            // alert(xhr.responseText);
        }
    }
    xhr.send(id_token);
}

function signOut() {
    var auth2 = gapi.auth2.getAuthInstance();
    auth2.signOut().then(function () {
        console.log('User signed out.');
        window.location.reload();
    });
}

我知道我可以像上面一样向我的服务器发送HTTPS请求,但是一旦投入生产,我就需要确保它的安全。 <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script> <!DOCTYPE html> <html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="google-signin-client_id" content="[x].apps.googleusercontent.com"> <script src="https://apis.google.com/js/platform.js?onload=loadGsignin" data-theme="dark" async defer></script> <script src="index.js"></script> </head> <body> <h1>Sign in:</h1> <div class="g-signin2" data-onsuccess="onSignIn"></div> &nbsp;&nbsp;&nbsp;&nbsp; <button onclick="signOut()">Sign Out</button> <br><br><br><br> <div id="profileDisp"> <img id="avatarImg"> &nbsp; &nbsp; <span id="fullname"></span> &nbsp; - &nbsp; <span id="email"></span> </div> </body> </html>是我必须保护的东西,例如密码吗?普通的HTTPS请求或Websocket连接是否足以保护它的安全,如果没有,我需要做什么以实现最佳安全性?

PS:我有一个怪异的HTTPS加密,可以通过Cloudflare(当然是高度安全的)代理,但是最后一个Cloudflare服务器与我的服务器之间的连接基本上是在常规HTTP上运行的。

谢谢!

0 个答案:

没有答案
相关问题
最新问题