SPA best practices for authentication and session management

This article is translated from: SPA best practices for authentication and session management

When building SPA style applications using frameworks like Angular, Ember, React, etc. what do people believe to be some best practices for authentication and session management? I can think of a couple of ways of considering approaching the problem.

  1. Treat it no differently than authentication with a regular web application assuming the API and UI have the same origin domain.

    This would likely involve having a session cookie, server side session storage and probably some session API endpoint that the authenticated web UI can hit to get current user information to help with personalization or possibly even determining roles/abilities on the client side. The server would still enforce rules protecting access to data of course, the UI would just use this information to customize the experience.

  2. Treat it like any third-party client using a public API and authenticate with some sort of token system similar to OAuth. This token mechanism would be used by the client UI to authenticate each and every request made to the server API.

I'm not really much of an expert here but #1 seems to be completely sufficient for the vast majority of cases, but I'd really like to hear some more experienced opinions.


Reply #1

Reference: https://stackoom.com/question/1pXvj/SPA认证和会话管理最佳实践


Reply #2

I would go for the second, the token system.

Did you know about ember-auth or ember-simple-auth? They both use the token based system, like ember-simple-auth states:

A lightweight and unobtrusive library for implementing token based authentication in Ember.js applications. http://ember-simple-auth.simplabs.com

They have session management, and are easy to plug into existing projects too.

There is also an Ember App Kit example version of ember-simple-auth: Working example of ember-app-kit using ember-simple-auth for OAuth2 authentication.


Reply #3

This question has been addressed, in a slightly different form, at length, here:

RESTful Authentication

But this addresses it from the server-side. Let's look at this from the client-side. Before we do that, though, there's an important prelude:

Javascript Crypto is Hopeless

Matasano's article on this is famous, but the lessons contained therein are pretty important:

http://www.matasano.com/articles/javascript-cryptography/
