如何解决使用 Google 一键进行安全身份验证
我想用一盘谷歌对我的用户进行身份验证,为此我成功地实现了两个服务(正面和背面)
前台查询: 用最简单的javascript一键打开google,然后创建一个Google APIs项目来获取web客户端ID。
<script src="https://accounts.google.com/gsi/client" async defer></script>
<script>
window.onload = function () {
google.accounts.id.initialize({
client_id: 'xxxxxxx-xxxxxxxoauth',callback: function (credentialResponse) {
let response = credentialResponse;
$.ajax({
type: 'POST',url: '/connect/google/v2',headers: {
'X-Requested-With': 'XMLHttpRequest'
},contentType: 'application/JSON; charset=utf-8',data: JSON.stringify({credential: response.credential}),success: function (data)
{
window.location.href ="https://google.fr";
return false;
},error: function (errorThrown,textStatus)
{
console.log("failed add");
}
});
return false;
}
});
google.accounts.id.prompt();
}
</script>
后端:基于 Symfony 4.4 项目,我创建了 POST 路由来捕获 google 响应。
/**
* Link to this controller to start the "connect" process
* @param ClientRegistry $clientRegistry
*
* @Route("/connect/google/v2",name="connect_google_start_2",methods={"POST"})
*
* @return \Symfony\Component\HttpFoundation\RedirectResponse
*/
public function connectV2Action( LoggerInterface $logger,Request $request,UserManagerInterface $userManager,EntityManagerInterface $em)
{
$data = json_decode($request->getContent(),true);
$credential = $data["credential"];
$logger->info( "credential " . $credential );
$tokenParts = explode(".",$credential);
$tokenHeader = base64_decode($tokenParts[0]);
$tokenPayload = base64_decode($tokenParts[1]);
$jwtPayload = json_decode($tokenPayload);
$email = $jwtPayload->email;
//user existing
$user = new User();
$token = new UsernamePasswordToken($user,null,'main',$user->getRoles());
$this->get('security.token_storage')->setToken($token);
$this->get('session')->set('_security_main',serialize($token));
// Fire the login event manually
$event = new InteractiveLoginEvent($request,$token);
$this->eventDispatcher->dispatch('security.interactive_login',$event);
$response = new Response(json_encode(array("code" => 200)));
$response->headers->set('Content-Type','application/json');
return $response;
}
所以我的问题是如何根据 $jwtPayload
保护此 POST 操作,其中
包含凭据?知道任何人都可以使用此请求
在数据库中创建/更新用户,有没有办法用 OAUTH_GOOGLE_SECRET
来做?
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。