我使用护照JS,express和mongoose来制作API。当我在同一个域中测试它时,它保持会话并正常工作。但是在跨域中它失败了。任何线索如何使用相同的配置在跨域中维护会话。以下是代码
allowCrossDomain = function(req, res, next) {
res.header("Access-Control-Allow-Origin", "*");
res.header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
res.header("Access-Control-Allow-Headers", req.headers["access-control-request-headers"]);
// res.header("Access-Control-Allow-Credentials", "true");
if ("OPTIONS" == req.method) {
res.send(200);
} else {
next();
}
//allow all crossDomain request
app.use(allowCrossDomain);
//session handling
app.use(express.cookieParser("gallery"));
app.use(express.session());
app.use(passport.initialize());
app.use(passport.session());
app.use(function(req, res, next) {
// check if client sent cookie
var cookie = req.cookies.cokkieName;
if (cookie === undefined) {
//set up cookie here by a random number
});
}
next(); // <-- important!
});
passport.use(new LocalStrategy({
usernameField: "email"
},
function(email, password, done) {
User.authenticate(email, password, function(err, reply) {
//authenticate user and call the callback
return done(err, false);
});
}));
passport.serializeUser(function(user, done) {
return done(null, user._id);
});
passport.deserializeUser(function(id, done) {
//find user via id and return the user details
return done(null, user._id);
});
app.post("/login", function(req, res, next) {
passport.authenticate("local",
function(err, data, info) {
//custom callback
user.getProfile(req, res, next, err, data, info);
})(req, res, next);
});
答案 0 :(得分:12)
我遇到了同样的问题。在快速应用程序中配置任何内容之前,请使用以下(完全相同的)为跨域设置响应标头:
app.use(function(req, res, next) {
res.header('Access-Control-Allow-Credentials', true);
res.header('Access-Control-Allow-Origin', req.headers.origin);
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
res.header('Access-Control-Allow-Headers', 'X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept');
if ('OPTIONS' == req.method) {
res.send(200);
} else {
next();
}
});
它对我有用。祝你好运!
答案 1 :(得分:4)
根据Sriharsha的回答:
设置res.header("Access-Control-Allow-Credentials", "true");
确保在客户端呼叫中传递凭据。例如,对于AJAX,请将其添加到您的通话中:xhrFields: {withCredentials: true},
<强>此外:
请勿使用带有凭证请求的Access-Control-Allow-Origin通配符
在响应凭证请求时,服务器必须指定一个 域名,不能使用野外梳理
我使用此文件,并使用require("./enable-cors.js")(app);
// enable-cors.js
module.exports = function(app) {
var methodOverride = require('method-override')
app.use(methodOverride());
var allowCrossDomain = function(req, res, next) {
res.header('Access-Control-Allow-Credentials', true);
res.header('Access-Control-Allow-Origin', req.headers.origin);
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization');
// intercept OPTIONS method
if ('OPTIONS' == req.method) {
res.send(200);
}
else {
next();
}
};
app.use(allowCrossDomain);
// Built upon: http://cuppster.com/2012/04/10/cors-middleware-for-node-js-and-express/#sthash.WdJmNaRA.dpuf
};
答案 2 :(得分:2)
通过设置 Access-Control-Allow-Credentials 标头,允许共享凭据。 (我不确定你为什么评论你的代码)
res.header("Access-Control-Allow-Credentials", "true");
然后从{javascript到XHR对象pass the credentials。
xhr.withCredentials = true;