我正在使用用户身份验证构建应用程序,并且在使用React和Express处理JWT时遇到了问题。我正在服务器响应中设置cookie,并且可以在客户端的浏览器中看到cookie。但是,当我在req.cookies.token之后向服务器发出请求时,仍未定义。
# server/routes.js
// return authenticated user
app.get('/auth', async (req, res) => {
console.log(req.cookies.token)
})
// register user
app.post('/user', async (req, res) => {
const { name, email, password } = req.body,
hash = await bcrypt.hash(password, 10);
let user = new User({
name: name.toLowerCase(),
email: email.toLowerCase(),
password: hash,
picture: null
})
try {
let newUser = await user.save()
let token = jwt.sign({
id: newUser.id,
name: newUser.name,
picture: newUser.picture
}, config.secret)
res.status(200).cookie("token", token, {
domain: "localhost",
httpOnly: true,
secure: false
}).send('success')
} catch (error) {
console.log(error)
}
})
在服务器文件中,我正在导入和使用cookie解析器库,如下所示:
# index.js
var express = require('express')
var app = express()
var cookies = require('cookie-parser')
var bodyParser = require('body-parser')
var cors = require('cors')
var mongoose = require('mongoose')
var config = require('./config')
app.use(cookies())
app.use(cors({
origin: 'http://localhost:3000',
credentials: true
}))
app.use(bodyParser.json())
app.use(bodyParser.urlencoded({
extended: true
}))
require('./routes')(app)
此外,由于我为cookie设置了httpOnly,所以我不应该无法在客户端上看到cookie吗?我正在考虑像这样从客户端在授权标头中设置令牌
# hoc/authenticate.js
if(cookies.get('token')) {
axios.defaults.headers.common['Authorization'] = `Bearer ${cookies.get('token')}`
}
以这种方式进行身份验证是否也不能很好地扩展?就像我有1000个用户连接到我的网站一样,cookie会出现重叠问题吗?