我是新来的角。由此键入的用户名进行比较，从JSON查询返回一个用户名我正在开发一个简单的登录表单。如果发现匹配，登录处理。

我觉得我做的方式是不是安全，我是正确的思维，返回的JSON字符串可以通过浏览器的控制台进行访问？

我将增加密码检查这个问题，以及在不久的将来，一旦我明白如何正确地去了解这一点。

我想在正确的方向指向接近用户的登录问题的角度的方式。

app.js

  angular.module（'userApp'，[ngResource]）。配置（['$ routeProvider'，函数（$ routeProvider）{    $ routeProvider。        当（'/登录'，{templateUrl：'谐音/ login.html的'，控制器：LoginCtrl}）。        当（'/的loggedIn'，{templateUrl：'谐音/用户admin.html'，控制器：UserCtrl}）。        否则（{redirectTo：'/登录'}）;}]，['$ locationProvider'，函数（$ locationProvider）{    $ locationProvider.html5Mode = TRUE;}]）。工厂（用户，函数（$资源）{    返回$资源（用户/：userId.json，{}，{        查询：{方法：GET，则params：{用户名：用户}，IsArray的：真正}    }）;}）; 

controllers.js

 函数LoginCtrl（$范围，$路径，$ routeParams，$位置，用户）{    $ scope.users = User.query（）;    $ scope.loginUser =功能（）{        VAR的loggedIn = FALSE;        VAR totalUsers = $ scope.users.length;        VAR usernameTyped = $ scope.userUsername;        对于（i = 0; I＆LT; totalUsers;我++）{            如果（$ scope.users [我]。名称=== usernameTyped）{                的loggedIn = TRUE;                打破;            }        }        如果（的loggedIn ===真）{            警报（登录成功）;            $ location.path（/的loggedIn）;        }其他{            警报（用户名不存在）        }    }} 

解决方案

是的，你是对的 - 这是不是安全的。不会做这样的事情：

从来都不是平坦的密码存储在数据库（如my_password_123从不任何类型的敏感信息返回给客户端，并在JavaScript中执行秘密计算不要使用简单的密码比较（ providedPassword ==存储的密码）的服务器或客户端code 不要使用不安全（HTTP）层 - 使用安全一（HTTPS），而不是

这样做的正确方法是如下：

生成对储存于数据库密码的散列值。请务必使用一个强大的哈希算法和盐渍的密码。在写这篇答复的时间SHA-256就足够了，但一定要检查它是否仍然认为是安全的。线SSL证书来获得HTTPS支持，没有人的方式，将窥探发送到你的服务器的用户用户输入用户名+密码，并将它们发送到服务器上的code。 在服务器您计算SHA-1散列和比较反对DB中存储的值。然后，您发送回结果验证到客户端，并保持它的轨道是持续会话的服务器上。

请记住，大部分的这些东西被一些安全框架完成的，如春季安全。我不建议一切从头做，因为安全的话题是广阔的，它很容易使可被恶意用户使用一个错误。

I'm new to Angular. I'm developing a simple login form whereby the username typed is compared to a username returned from a JSON query. If a match is found, the login is processed.

I feel the way I'm doing it isn't safe, am I right in thinking that the returned JSON string could be accessed through the browser's console?

I will be adding password check to this as well in the near future, once I understand how to properly go about this.

I would like pointing in the right direction to approach the issue of user login the Angular way.

app.js

angular.module('userApp', ["ngResource"]).

config(['$routeProvider', function($routeProvider) {
    $routeProvider.
        when('/login', {templateUrl: 'partials/login.html',   controller: LoginCtrl}).
        when('/loggedin', {templateUrl: 'partials/user-admin.html', controller: UserCtrl}).
        otherwise({redirectTo: '/login'});
}],[ '$locationProvider', function($locationProvider) {
    $locationProvider.html5Mode = true;
}]).

factory("User", function($resource) {
    return $resource("users/:userId.json", {}, {
        query: {method: "GET", params: {userId: "users"}, isArray: true}
    });
});

controllers.js

function LoginCtrl($scope, $route, $routeParams, $location, User) {
    $scope.users = User.query();
    $scope.loginUser = function() {
        var loggedin = false;
        var totalUsers = $scope.users.length;
        var usernameTyped = $scope.userUsername;

        for( i=0; i < totalUsers; i++ ) {
            if( $scope.users[i].name === usernameTyped ) {
                loggedin = true;
                break;
            }
        }

        if( loggedin === true ) {
            alert("login successful");
            $location.path("/loggedin");
        } else {
            alert("username does not exist")
        }
    }
}

解决方案

Yes, you are right - this is not safe. NEVER do such things:

NEVER store plain passwords in database (like "my_password_123" NEVER return any sort of sensitive information to the client and perform secret computations in JavaScript NEVER use simple password comparison (providedPassword == stored password) in server or client code NEVER use unsecure (http) layer - use safe one (HTTPS) instead

A proper way of doing this is following:

Generate Hashed value of password on store it in DB. Make sure to use a strong hashing algorithm and salted passwords. At the time of writing this reply SHA-256 would be enough, but make sure to check if it's still considered safe. Wire SSL certificate to get HTTPS support, that way noone will spy on what user sends to your server User enters username+password and sends them to your code on the server. On the server you compute SHA-1 hash and compare it against the stored value in DB. Then you send back the RESULT of authentication to the client and keep the track of it on the server by persistent session.

Please keep in mind that most of this stuff is done by some security frameworks, like Spring Security. I wouldn't recommend doing it all from scratch, as the topic of security is vast and it's easy to make a mistake that can be used by malicious users.