Merge pull request #116 from dwyl/upd-readme
update README-zh_CN
nelsonic authored May 3, 2022
2 parents 20dcc48 + 5d7de25 commit 8d4caee
Showing 1 changed file with 28 additions and 28 deletions.
56 changes: 28 additions & 28 deletions README-zh_CN.md
@@ -1,18 +1,18 @@
![JWT logo wider](http://i.imgur.com/qDOOu4o.jpg)
![JWT logo wider](https://i.imgur.com/qDOOu4o.jpg)

# 学习如何使用 **JSON Web Tokens** (JWT) 进行**鉴权**

![dilbert fixed the internet](http://i.imgur.com/cNElVof.jpg)
![dilbert fixed the internet](https://i.imgur.com/cNElVof.jpg)

学习怎么使用 JSON Web Token (JWT) 来**加密**你的 Web 应用或者移动应用!

[![Build Status](https://img.shields.io/travis/dwyl/learn-json-web-tokens/master.svg?style=flat-square)](https://travis-ci.org/dwyl/learn-json-web-tokens)
[![codecov.io](https://img.shields.io/codecov/c/github/dwyl/learn-json-web-tokens/master.svg?style=flat-square)](http://codecov.io/github/dwyl/learn-json-web-tokens?branch=master)
[![codecov.io](https://img.shields.io/codecov/c/github/dwyl/learn-json-web-tokens/master.svg?style=flat-square)](https://codecov.io/github/dwyl/learn-json-web-tokens?branch=master)
[![codeclimate-maintainability](https://img.shields.io/codeclimate/maintainability/dwyl/learn-json-web-tokens.svg?style=flat-square)](https://codeclimate.com/github/dwyl/learn-json-web-tokens/maintainability)
[![Dependencies Status](https://david-dm.org/dwyl/learn-json-web-tokens/status.svg?style=flat-square)](https://david-dm.org/dwyl/learn-json-web-tokens)
[![devDependencies Status](https://david-dm.org/dwyl/learn-json-web-tokens/dev-status.svg?style=flat-square)](https://david-dm.org/dwyl/learn-json-web-tokens?type=dev)
[![contributions welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat-square)](https://github.com/dwyl/learn-json-web-tokens/issues)
[![HitCount](http://hits.dwyl.io/dwyl/learn-json-web-tokens.svg)](http://hits.dwyl.io/dwyl/learn-json-web-tokens)
[![HitCount](https://hits.dwyl.com/dwyl/learn-json-web-tokens.svg)](https://hits.dwyl.io/dwyl/learn-json-web-tokens)


## **为什么**?
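Review bot: the HitCount badge on the last changed line is now inconsistent: the image was moved to `https://hits.dwyl.com/...` while the link it wraps still targets `https://hits.dwyl.io/...`; use the same host for both. The Travis badge (`travis-ci.org`) and the two david-dm badges are left untouched on hosts that are not updated here; if they no longer serve, drop them in a follow-up rather than keep badges that render as broken.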
@@ -74,7 +74,7 @@ Claims are the predefined **keys** and their **values**:
+ **sub**: token 的主题(很少使用)。
+ **aud**: token 的受众(同样很少使用)。

详情阅读: http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#RegisteredClaimName
详情阅读: https://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#RegisteredClaimName

# 示例 [![contributions welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat)](https://github.com/dwyl/learn-json-web-tokens/issues)

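Review bot: the spec link still points at an IETF draft (`draft-ietf-oauth-json-web-token`) on a third-party mirror; the draft was published as RFC 7519, so link the RFC instead of only switching the scheme, otherwise the reference depends on an expired draft staying online.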
@@ -165,7 +165,7 @@ and renders the **authFail** ***error*** page if its not.

**注意**:我们为 http req/res 对象写了一个基本的“**mock**”: /example/test/**mock.js**

如果还不懂 mock 或者很好奇,请阅读:[When to Mock (by "Uncle Bob")](http://blog.8thlight.com/uncle-bob/2014/05/10/WhenToMock.html)
如果还不懂 mock 或者很好奇,请阅读:[When to Mock (by "Uncle Bob")](https://blog.8thlight.com/uncle-bob/2014/05/10/WhenToMock.html)

- - -

@@ -175,7 +175,7 @@ and renders the **authFail** ***error*** page if its not.
### Q: 我把 JWT 放在 *URL* 或者 *Header***安全**的吗?

问得好!答案是:“****”,除非你使用 SSL/TLS 加密你的连接(https),使用[明文](http://en.wikipedia.org/wiki/Plaintext)发送 Token 永远都是不安全的(token 可以被拦截并且被坏蛋重用)。一种比较笨拙简单的方法是添加校验声明到 token,比如检查请求是否来自于同一个浏览器(user-agent),添加IP 地址或者更先进的“[**browser fingerprints**](http://stackoverflow.com/a/3287761/1148249)”…… http://programmers.stackexchange.com/a/122385
问得好!答案是:“****”,除非你使用 SSL/TLS 加密你的连接(https),使用[明文](https://en.wikipedia.org/wiki/Plaintext)发送 Token 永远都是不安全的(token 可以被拦截并且被坏蛋重用)。一种比较笨拙简单的方法是添加校验声明到 token,比如检查请求是否来自于同一个浏览器(user-agent),添加IP 地址或者更先进的“[**browser fingerprints**](https://stackoverflow.com/a/3287761/1148249)”…… https://programmers.stackexchange.com/a/122385

解决方案包括:
+ 使用一次性 token,在链接点击后即失效 ***或者***
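Review bot: the bolded answer word is missing in both the removed and the added line: `答案是:“****”` has empty `**` markers where the one-word answer should be, so the rendered text shows an empty quotation. The heading context line `*Header***安全**` also lacks a space between the closing and opening emphasis markers and will not render as intended. Both are pre-existing, but since the line is being rewritten anyway this is the place to fix them.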
@@ -231,20 +231,20 @@ db.get(GUID, function(err, record){
Redis 是存储令牌的**可扩展**方式。

如果你**从未**接触过 Redis,请阅读:
+ Intro: http://redis.io/topics/introduction
+ Intro: https://redis.io/topics/introduction
+ Redis in 30 mins:
http://openmymind.net/2011/11/8/Redis-Zero-To-Master-In-30-Minutes-Part-1/
+ What is Redis? http://www.slideshare.net/dvirsky/introduction-to-redis
https://openmymind.net/2011/11/8/Redis-Zero-To-Master-In-30-Minutes-Part-1/
+ What is Redis? https://www.slideshare.net/dvirsky/introduction-to-redis

Redis ***Scales*** (provided you have the RAM):
http://stackoverflow.com/questions/10478794/more-than-4-billion-key-value-pairs-in-redis
https://stackoverflow.com/questions/10478794/more-than-4-billion-key-value-pairs-in-redis

> ***从现在开始学习 Redis!*** [https://github.com/dwyl/**learn-redis**](https://github.com/dwyl/learn-redis)
#### Memcache?

***Quick* answer**: *使用 **Redis***:
http://stackoverflow.com/questions/10558465/memcache-vs-redis
https://stackoverflow.com/questions/10558465/memcache-vs-redis


### Q: 返回游客(**会话之间没有状态保存**
@@ -269,9 +269,9 @@ http://diveintohtml5.info/storage.html
+ MDN **Window.localStorage**:
https://developer.mozilla.org/en-US/docs/Web/API/Window.localStorage
+ Brief description + basic *examples*:
http://www.html5rocks.com/en/features/storage
https://www.html5rocks.com/en/features/storage
+ Will it work for *my* visitors?
http://caniuse.com/#search=localstorage
https://caniuse.com/#search=localstorage
(**Quick answer**: ***Yes***! IE 8 & above, Android 4.0+, IOS 7.1+, Chrome & Firefox )


@@ -283,7 +283,7 @@ http://caniuse.com/#search=localstorage

> **如果这个问题在其它地方被提到过的话我感到抱歉。用于计算 token 的私钥和 ssh-keygen 生成的私钥是一样的吗?** ~最初由 [@skota](https://github.com/skota) 提出问题,更多详细: [dwyl/**hapi-auth-jwt2/issues**/48](https://github.com/dwyl/hapi-auth-jwt2/issues/48)
因为 JSON Web Token(JWT)不要求使用[**非对称加密**](http://en.wikipedia.org/wiki/Public-key_cryptography)进行签名,所以**不必**使用 ssh-keygen 生成密钥。你可以简单地只使用一个**强密码**,例如:https://www.grc.com/passwords.htm 提供了足够长的复杂的随机的字符串。这样的话使用相同加密字符串的可能性(有人能够修改有效负载,添加或修改声明以及创建有效签名的可能性)非常低。如果你将两个**强密码**(字符串)连接在一起,你将拥有一个 128 位的 ASCII 字符串。因此,碰撞的可能性小于[宇宙中的原子数](http://en.wikipedia.org/wiki/Observable_universe#Matter_content_.E2.80.94_number_of_atoms)
因为 JSON Web Token(JWT)不要求使用[**非对称加密**](https://en.wikipedia.org/wiki/Public-key_cryptography)进行签名,所以**不必**使用 ssh-keygen 生成密钥。你可以简单地只使用一个**强密码**,例如:https://www.grc.com/passwords.htm 提供了足够长的复杂的随机的字符串。这样的话使用相同加密字符串的可能性(有人能够修改有效负载,添加或修改声明以及创建有效签名的可能性)非常低。如果你将两个**强密码**(字符串)连接在一起,你将拥有一个 128 位的 ASCII 字符串。因此,碰撞的可能性小于[宇宙中的原子数](https://en.wikipedia.org/wiki/Observable_universe#Matter_content_.E2.80.94_number_of_atoms)

To quickly and easily create a secret key using Node's crypto library, run this command.

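Review bot: two pre-existing issues on the touched line and its context that this edit could fix: `128 位的 ASCII 字符串` reads as 128 bits, but concatenating two password strings gives a length measured in characters, so it should say 字符; and the context line `To quickly and easily create a secret key using Node's crypto library, run this command.` is still untranslated in the zh_CN README. The scheme change itself is fine.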
@@ -300,7 +300,7 @@ To quickly and easily create a secret key using Node's crypto library, run this

在 NPM 上搜索 ”**JSON Web Token**“:https://www.npmjs.com/search?q=json+web+token 会产生许多结果!

![npm search for json web token](http://i.imgur.com/ZLN3LlW.png)
![npm search for json web token](https://i.imgur.com/ZLN3LlW.png)

### 使用 Hapi.js 构建 Web 应用?

@@ -326,45 +326,45 @@ https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32
- Great overview from Atlassian:
https://developer.atlassian.com/cloud/jira/platform/understanding-jwt/
- Good intro (ruby-specific examples):
http://www.intridea.com/blog/2013/11/7/json-web-token-the-useful-little-standard-you-haven-t-heard-about
+ Friendlier introduction: http://jwt.io/
https://www.intridea.com/blog/2013/11/7/json-web-token-the-useful-little-standard-you-haven-t-heard-about
+ Friendlier introduction: https://jwt.io/
+ Getting to know JWT:
https://scotch.io/tutorials/the-anatomy-of-a-json-web-token
- Discussion: https://ask.auth0.com/c/jwt
+ ***How to*** do **stateless authentication** (session-less & cookie-less):
http://stackoverflow.com/questions/20588467/how-to-do-stateless-session-less-cookie-less-authentication
https://stackoverflow.com/questions/20588467/how-to-do-stateless-session-less-cookie-less-authentication


## 深入阅读(**推荐**) [![contributions welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat)](https://github.com/dwyl/learn-json-web-tokens/issues)

+ JWT with Passport.js:
http://stackoverflow.com/questions/20228572/passport-local-with-node-jwt-simple
https://stackoverflow.com/questions/20228572/passport-local-with-node-jwt-simple
+ JWT Tokens as API Keys:
https://auth0.com/blog/2014/12/02/using-json-web-tokens-as-api-keys/
+ **10 Things you should know** about ***Tokens and Cookies***:
https://auth0.com/blog/2014/01/27/ten-things-you-should-know-about-tokens-and-cookies/#xss-xsrf
+ Information Security discussion:
http://security.stackexchange.com/questions/51294/json-web-tokens-jwt-as-user-identification-and-authentication-tokens
https://security.stackexchange.com/questions/51294/json-web-tokens-jwt-as-user-identification-and-authentication-tokens
+ Using JWT with node.js (express + backbone):
http://www.sitepoint.com/using-json-web-tokens-node-js/
https://www.sitepoint.com/using-json-web-tokens-node-js/
+ Token-based Authentication with Socket.IO
https://auth0.com/blog/2014/01/15/auth-with-socket-io/
+ JWT Auth *discussion* on Hacker News:
https://news.ycombinator.com/item?id=7084435
+ The Spec but nicer:
http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html
https://self-issued.info/docs/draft-ietf-oauth-json-web-token.html
+ Extended (Wiki) article on Claims-based authentication:
http://en.wikipedia.org/wiki/Claims-based_identity
https://en.wikipedia.org/wiki/Claims-based_identity
+ Securing Requests with JWT:
http://websec.io/2014/08/04/Securing-Requests-with-JWT.html
https://websec.io/2014/08/04/Securing-Requests-with-JWT.html
+ Avoid Database in authenticating user for each request (stateless):
http://security.stackexchange.com/questions/49145/avoid-hitting-db-to-authenticate-a-user-on-every-request-in-stateless-web-app-ar
+ The Twelve-Factor App: http://12factor.net/ + http://12factor.net/processes
https://security.stackexchange.com/questions/49145/avoid-hitting-db-to-authenticate-a-user-on-every-request-in-stateless-web-app-ar
+ The Twelve-Factor App: https://12factor.net/ + https://12factor.net/processes
+ Auth in Hapi with JWT: https://medium.com/@thedon/auth-in-hapi-with-jwt-780ce4d072c7#.clgj5lknq
+ Token based authentication in Node.js with Passport, JWT and bcrypt: https://jonathas.com/token-based-authentication-in-nodejs-with-passport-jwt-and-bcrypt/

# **感谢**您和我们一起学习!

如果您认为这篇快速阅读很有帮助, 请在 GitHub 上给我们一颗星星(Star)并且转推分享给其他人:https://twitter.com/olizilla/status/626487231860080640

[![olizilla tweet](http://i.imgur.com/rCvNvvk.jpg)](https://twitter.com/olizilla/status/626487231860080640 "Please Re-Tweet!")
[![olizilla tweet](https://i.imgur.com/rCvNvvk.jpg)](https://twitter.com/olizilla/status/626487231860080640 "Please Re-Tweet!")

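Review bot: the reading lists mix `-` and `+` bullet markers (for example `- Great overview from Atlassian:` next to `+ Friendlier introduction:`), which CommonMark renders as separate lists; since these lines are being edited, normalise to one marker. The `tools.ietf.org/html/draft-ietf-oauth-json-web-token-32` context link likewise points at an expired draft rather than RFC 7519.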