
Can memos' security be strengthened?

Open mossexplore opened this issue 1 year ago • 10 comments

Is your feature request related to a problem?

1. memos currently logs users in with only a username and password. Could a login captcha or an Authenticator verifier be added to prevent brute forcing and strengthen the system's security?
2. Currently the API can be accessed directly without authentication. From the interface standpoint, could an AK and SK access mechanism be added for the API? With the current usage pattern, anyone can call the interface to write content and could easily bring the whole system down.

Describe the solution you'd like

1. A verification mechanism at login.
2. A signing mechanism for the API.

Additional context

No response

mossexplore avatar Mar 16 '23 09:03 mossexplore


Agree

z80sui avatar Mar 16 '23 15:03 z80sui


Could a login captcha or an Authenticator verifier be added to prevent brute forcing and strengthen the system's security

Already on the roadmap.

The API can be accessed directly without authentication

There should be authentication logic in place. Specifically, which API lets you write content without authentication?

boojack avatar Mar 17 '23 00:03 boojack


Could a login captcha or an Authenticator verifier be added to prevent brute forcing and strengthen the system's security

Already on the roadmap.

The API can be accessed directly without authentication

There should be authentication logic in place. Specifically, which API lets you write content without authentication?

The Open API from my account:

POST https://XXXXXX/api/memo?openId=XXXXXXXXXX
Content-type: application/json
{ "content": "Hello #memos from XXXXXXXXXX" }

mossexplore avatar Mar 17 '23 01:03 mossexplore

The Open API from my account: POST https://xxxxxx/api/memo?openId=XXXXXXXXXX

Without an openId, or with a wrong openId, a memo cannot be created through this API. What do you mean by "no authentication required"?

boojack avatar Mar 17 '23 12:03 boojack


The Open API from my account: POST https://xxxxxx/api/memo?openId=XXXXXXXXXX

Without an openId, or with a wrong openId, a memo cannot be created through this API. What do you mean by "no authentication required"?

Yes. Even though this id is a UUID, from the interface standpoint it is not as secure as AK and SK authentication.

mossexplore avatar Mar 20 '23 13:03 mossexplore
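A sketch of the AK/SK request signing proposed in this thread, added here as an example and not code from the memos project: the client signs the request with its secret key, and the server checks the signature and a timestamp window. The key names, the sample body and the map used as a credential store are assumptions for illustration; only the /api/memo path comes from the thread.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Hypothetical AK/SK scheme (not memos' real API): the client sends its access key,
// a Unix timestamp and an HMAC-SHA256 over method, path, timestamp and body.
const maxClockSkew = 5 * time.Minute

// Sign is the client side. The secret key never travels; only the HMAC does, and
// covering method, path, timestamp and body at once means none can be altered.
func Sign(secretKey, method, path, body string, ts int64) string {
	mac := hmac.New(sha256.New, []byte(secretKey))
	mac.Write([]byte(strings.Join([]string{method, path, strconv.FormatInt(ts, 10), body}, "\n")))
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify is the server side: look up the secret for the access key, reject
// stale timestamps (bounds replay), then compare signatures in constant time.
func Verify(secrets map[string]string, accessKey, method, path, body string, ts int64, sig string, now time.Time) error {
	secret, ok := secrets[accessKey]
	if !ok {
		return errors.New("unknown access key")
	}
	if age := now.Sub(time.Unix(ts, 0)); age > maxClockSkew || age < -maxClockSkew {
		return errors.New("timestamp outside allowed window")
	}
	if !hmac.Equal([]byte(Sign(secret, method, path, body, ts)), []byte(sig)) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	// Constructed sample credentials and request body; not real memos values.
	secrets := map[string]string{"AK_EXAMPLE": "SK_EXAMPLE_secret"}
	body := `{"content": "Hello #memos"}`
	ts := time.Now().Unix()
	sig := Sign("SK_EXAMPLE_secret", "POST", "/api/memo", body, ts)
	fmt.Println("valid:", Verify(secrets, "AK_EXAMPLE", "POST", "/api/memo", body, ts, sig, time.Now()))
	fmt.Println("tampered body:", Verify(secrets, "AK_EXAMPLE", "POST", "/api/memo", body+" ", ts, sig, time.Now()))
}
```

Unlike an openId carried in the query string, a signature of this shape cannot be reused for a different body or path, and the timestamp check caps how long a captured request stays valid.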


A UUID as the token is enough to prevent brute forcing. Before you worry about the correct UUID being brute-forced, you first have to consider whether your server could withstand a DDoS attack of that magnitude (taking UUID version 4, variant 1, with 2^122 possibilities: one million requests per second sustained for 1.68*10^22 years).

Cologler avatar Dec 11 '23 18:12 Cologler
