Ask HN: Is anyone else still using a localStorage token to implement no-signup trials?

1 | Author: dsmurrell | 16 days ago
I posted my side project (Spikelog, simple metrics tracking) here a few weeks ago. You had to sign up to try it.

I have no idea how many people bounced at that step but I know I personally close tabs when something wants my email before I can even look around. So I finally added a "try without signing up" flow. This was recommended by a commenter on the original post: https://news.ycombinator.com/item?id=46085379

To get this working, when you press 'Try it now', I create a guest user and give you back a 'refresh' secret. That goes in localStorage. Next time you visit, we swap it for a fresh JWT. If you eventually sign up for real, your stuff transfers over.

I'm using a separate (from my auth router) JWT keypair for guests vs real users. Idea being if someone compromises the backend they can only forge guest tokens, not real ones. Secrets are hashed, guest creation is rate limited (5/hour/IP). Only real accounts can call the merge endpoint so guests can't steal each other's data.

There are some downsides. If you clear your localStorage, you've lost access. It only works on one device. And I'll need some cleanup job eventually for abandoned guest accounts sitting in the DB.

I'd be interested in others' approaches to this. I wanted to make something that mirrored my real auth flow where everything starts from a valid refresh token (the real flow uses a cookie).

https://spikelog.com if you want to poke at it. Feel free to try and break it and please let me know if you do, or how I can tighten up my security.