
Node.js verification codes

2024-07-02 04:04 | Source: compiled from the web | Views: 265


Google Authenticator

There are a variety of strategies for protecting your important online credentials.  We often hear about password managers and generators, but for me, the more important strategy is using two-factor authentication (2FA).  Passwords can be guessed, phone numbers can be spoofed, but using two-factor authentication essentially requires that the user be in possession of a physical device with an app like Google Authenticator, loaded with a secret key for the given app, which provides an extra layer of security.


I didn't use to take two-factor authentication seriously, until someone stole my domain name and tried to launder it to a safe haven for thieved domains.  While I don't know how exactly they did it, I'm fairly certain they got access to my email address, created filters so I wouldn't see the emails, etc.  Had I used two-factor authentication, neither my email nor my GoDaddy account could have been accessed.  Or you could take it from Cody Brown, who had $8,000 in cryptocurrency stolen in minutes because the vendor used phone number validation to allow transactions to be approved.  Today I use two-factor authentication for all of my important email, work, and financial accounts.


Since I use 2FA so often, I wanted to see how the process is managed by a developer for its users.  That would include generating the secret key, creating its QR code representation, scanning the code into Google Authenticator (done by the user), and then validating that GA-given code against the user's key.  I found an easy to use Node.js library, speakeasy, to do so!


Setup Step 1: Generate a Secret Key

Assuming you've installed speakeasy via npm install speakeasy, the two-factor authentication setup is kicked off by generating a unique secret key for the user:


```js
var speakeasy = require('speakeasy');

var secret = speakeasy.generateSecret({length: 20});
console.log(secret.base32); // Save this value to your DB for the user
// Example: JFBVG4R7ORKHEZCFHZFW26L5F55SSP2Y
```

This secret key should be stored with the user's record in your database, as it will be used as a reference to validate 2FA codes in the future.


Setup Step 2: Generate a QR Image

Apps like Google Authenticator allow users to scan a QR code or enter the text key.  Scanning an image is much faster so offering the QR code will be of great convenience to your user:


```js
var QRCode = require('qrcode');

QRCode.toDataURL(secret.otpauth_url, function(err, image_data) {
  console.log(image_data); // A data URI for the QR code image
});
```

QRCode.toDataURL provides an image data URI that you can use for the img src attribute.  If you aren't familiar with a QR code, it will look something like this:


QR Code

User Step 1: Scan the QR Code / Add Site to Authenticator

At this point the user should have opened Google Authenticator (or Authy, etc.) and scanned the QR code; an entry for your web app will be added within the device's app.  From this point forward, whenever the user wants to log in (or perform any action you'd like to be protected), your system should recognize the user wants to use 2FA and you should require they enter the token from their app.


Google Authenticator

For the purposes of debugging, you can get what should be the user code value at a given time via:


```js
// Load the secret.base32 from their user record in database
var secret = ...

var token = speakeasy.totp({
  secret: secret,
  encoding: 'base32'
});
```

User Step 2: Providing the Token / Validating the Token

When your web app prompts the user for the current 2FA token, and the user provides a 6-digit token, the web app must validate that token:


```js
// This is provided by the user via form POST
var userToken = params.get('token');

// Load the secret.base32 from their user record in database
var secret = ...

// Verify that the user token matches what it should at this moment
var verified = speakeasy.totp.verify({
  secret: secret,
  encoding: 'base32',
  token: userToken
});
```

If the token matches, the user can be trusted; if the token does not match, the web app should prompt the user to try again.  Remember that Authenticator provides a new token every {x} seconds so an incorrect token shouldn't immediately raise a red flag; the token may have simply expired by the time the user submitted the form.


Live Demo

The speakeasy developers have created a live speakeasy 2FA demo for you to play with so that you can understand the steps involved from both a user and a developer perspective.


This post is only meant to be a brief, high level overview of implementing two-factor authentication -- please read the speakeasy documentation to get a more detailed explanation as well as learn about more specific 2FA options.  In an ideal world, two-factor authentication would be enabled by default for most logins, however it can be confusing for the majority of web users (think of the very non-technical user), so I can understand why 2FA is considered an extra security measure for now.  A big thanks to speakeasy's developers for their easy to use Node.js library, awesome documentation, and simple demo!


Translated from: https://davidwalsh.name/2fa
