
OAuth Encryption

Encrypts sensitive login secrets stored in the database, such as a login service's application secret key and users' access tokens.

Generating a Key

The encryption key is 16 bytes, encoded in Base64.

To generate a key:

```bash
$ meteor node -e 'console.log(require("crypto").randomBytes(16).toString("base64"))'
```

Using oauth-encryption with accounts

On the server only, use the oauthSecretKey option to Accounts.config:

```js
Accounts.config({ oauthSecretKey: 'onsqJ+1e4iGFlV0nhZYobg==' });
```

This call to Accounts.config should be made at load time (place it at the top level of your source file), not called from inside a Meteor.startup block.

To avoid storing the secret key in your application's source code, you can use Meteor.settings:

```js
Accounts.config({ oauthSecretKey: Meteor.settings.oauthSecretKey });
```

Migrating unencrypted user tokens

This example for Twitter shows how existing unencrypted user tokens can be encrypted. The query finds user documents which have a Twitter access token but not the algorithm field, which is created when the token is encrypted (a sealed token is an object carrying an algorithm sub-field, whereas an unencrypted token is a plain string). The relevant fields in the service data are then encrypted.

```js
// Select users whose Twitter access token is still stored as a plain string:
// a sealed token is an object with an `algorithm` sub-field, so its absence
// means the token has not yet been encrypted.
const cursor = Meteor.users.find({
  $and: [
    { 'services.twitter.accessToken': { $exists: true } },
    { 'services.twitter.accessToken.algorithm': { $exists: false } }
  ]
});

cursor.forEach((userDoc) => {
  const set = {};

  ['accessToken', 'accessTokenSecret', 'refreshToken'].forEach((field) => {
    const plaintext = userDoc.services.twitter[field];

    // Skip fields that are absent or already sealed (objects, not strings).
    if (typeof plaintext !== 'string') {
      return;
    }

    // Seal the value for this user; the user id is bound into the ciphertext
    // so the sealed token cannot be transplanted into another user's document.
    set[`services.twitter.${field}`] = OAuthEncryption.seal(
      plaintext,
      userDoc._id
    );
  });

  Meteor.users.update(userDoc._id, { $set: set });
});
```

Using oauth-encryption without accounts

If you're using the oauth packages directly instead of through the Meteor accounts packages, you can load the OAuth encryption key directly using OAuthEncryption.loadKey:

```js
OAuthEncryption.loadKey('onsqJ+1e4iGFlV0nhZYobg==');
```

If you call retrieveCredential (such as Twitter.retrieveCredential) as part of your process, you'll find that when oauth-encryption is in use the sensitive service data fields are returned encrypted.

You can decrypt them using OAuth.openSecrets:

```js
const credentials = Twitter.retrieveCredential(token);
const serviceData = OAuth.openSecrets(credentials.serviceData);
```

Using oauth-encryption on Windows

This package depends on npm-node-aes-gcm, which requires you to have OpenSSL installed on your system to run. To install OpenSSL on Windows, use one of the binaries on this page. Don't forget to install the Visual Studio 2008 redistributables if you don't have them yet.