[Hacker News repost] The Copenhagen Book: general guideline on implementing auth in web applications
-
Title: The Copenhagen Book: general guideline on implementing auth in web applications
Text:
Url: https://thecopenhagenbook.com/
Post by: sebnun
Comments:
ozuly: If I'm not mistaken, this is written by the author of Lucia, a popular auth library for TypeScript [0]. He recently announced that he will be deprecating the library and be replacing it with a series of written guides [1], as he no longer feels that the Lucia library is an ergonomic way of implementing auth. He posted an early preview of the written guide [2] which I found enjoyable to read and complements The Copenhagen Book nicely.

[0] https://github.com/lucia-auth/lucia
[1] https://github.com/lucia-auth/lucia/discussions/1707
[2] https://lucia-next.pages.dev/
skrebbel: Wow, this is very nice. One of my pet peeves is how 90% of security resources seem designed to be absolutely inscrutable by non-security experts - especially anything from cryptography. Every single page in here however is clear, concise, to the point, and actionable, love it! (except the one on elliptic curves, which I find about as incomprehensible as most crypto resources).
jschrf: There are two things that everybody misses about OAuth and they fly under the radar.

Nice to hear someone touch on one of them: you absolutely NEED to use a transaction as a distributed locking mechanism when you use a token.

This goes double/quadruple for refresh tokens. Use the same token more than once, and that user is now signed out.

It doesn't matter if your system runs on one machine or N machines; if you have more than one request with a refresh token attached in flight at once - happens all the time - you are signing out users, often via 500.

Refresh tokens are one-time use.

The other thing devs and auth frameworks miss is the "state" parameter.
dector: Would be nice to see alternative documents for similar topics (e.g. something like OWASP Cheatsheet but from a more practical point of view).

With all the respect, I'm a bit skeptical about this document for such reasons:

- Name is quite pompous. It's a very good marketing trick: calling some document like it was written by a group of researchers from a Copenhagen university. :)

Yes, Lucia is a relatively popular library but it doesn't mean that it is promoting best practices and that its author should be considered an authority in such an important field unless the opposite is proven.

- I don't like some aspects of Lucia library design: when user token is almost expired - instead of generating a new security token Lucia is suggesting just to extend the life of the existing one. I see it as a very insecure behavior: token lives forever and can be abused forever. This violates one of the security best practices of limited token lifetime.

But both Lucia and "Copenhagen Book" encourage this practice [1]:

```go
// Once past the halfway point of the lifetime, push the deadline out again.
if time.Now().After(session.ExpiresAt.Add(-sessionExpiresIn / 2)) {
	session.ExpiresAt = time.Now().Add(sessionExpiresIn)
	updateSessionExpiration(session.Id, session.ExpiresAt)
}
```

[1]: https://thecopenhagenbook.com/sessions#session-lifetime

ashton314: Nice.

I recently learned about the SRP protocol [1], and I'm surprised that it's not more widely used/mentioned: with a relatively simple protocol, you can do a ZKP and generate a session token between the server and client in one fell swoop.

[1]: https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol
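Added example (not from dector's comment, from Lucia, or from the Copenhagen Book) addressing the objection dector raises above about the quoted snippet: the same halfway-point extension, but clamped to an absolute maximum age measured from login, so that a session cannot be kept alive forever by periodic use. sessionMaxAge, CreatedAt and ValidateSession are assumptions of this example.

```go
package main

import (
	"errors"
	"time"
)

// Durations assumed for this example: the sliding window from the quoted
// snippet plus an absolute cap that the snippet lacks.
const (
	sessionExpiresIn = 30 * 24 * time.Hour
	sessionMaxAge    = 90 * 24 * time.Hour
)

var ErrSessionExpired = errors.New("session expired")

// Session is a server-side session record (field names assumed here).
type Session struct {
	ID        string
	CreatedAt time.Time // fixed at login; anchors the absolute cap
	ExpiresAt time.Time // sliding deadline, moved forward on activity
}

// ValidateSession keeps the book's rule of extending the session once it is
// past the halfway point, but never lets ExpiresAt pass CreatedAt+sessionMaxAge,
// so periodic use of a stolen session cannot keep it alive indefinitely.
// It reports whether the caller must persist the new ExpiresAt.
func ValidateSession(s *Session, now time.Time) (extended bool, err error) {
	hardLimit := s.CreatedAt.Add(sessionMaxAge)
	if !now.Before(s.ExpiresAt) || !now.Before(hardLimit) {
		return false, ErrSessionExpired
	}
	if now.After(s.ExpiresAt.Add(-sessionExpiresIn / 2)) {
		newExp := now.Add(sessionExpiresIn)
		if newExp.After(hardLimit) {
			newExp = hardLimit // clamp to the absolute cap
		}
		if newExp.After(s.ExpiresAt) {
			s.ExpiresAt = newExp
			return true, nil
		}
	}
	return false, nil
}
```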