Question

我尝试使用Passport在我的应用中实现摘要式身份验证，但我遇到了以下问题，无法弄清楚如何解决它。

当我卷曲我的＆＃34;受保护的网址＆＃34;如下所示，我得到了一个400 - 错误的请求响应：

    $curl --user test:123456 --digest http://localhost:3000/users

您可以在最后找到完整的卷曲请求/响应。

我尝试使用passport.authenticate的自定义回调来查看它的内容：

users.get('/', function(req, res, next) {
  passport.authenticate('digest', {session: false}, function(err, user, info) {
  console.log('Err: %s', err);
  console.log('User: %s', user);
  console.log('Info: %s', info);
})(req, res, next);
}, otherMiddleware);

结果是：

Err: null
User: false
Info: Digest realm="Users", nonce="YTFqg2z17mYU039DvuLzONN48F0q1Xmk", qop="auth"

所以我认为用户没有被正确发送，但无法弄清楚原因。

我已将护照配置为使用摘要认证，如下所示：

我试图将所有内容设置为默认选项，因此nonce和realm参数由护照设置
样本输出已在不同时间拍摄，这就是nonce值不相同的原因。
如果我将策略更改为＆＃39; basic＆＃39;它只是有效。

index.js：

// ...
var passport = require('passport);
var usersRoute = require('./routes/users');

// ...

app.use(passport.initialize());
app.use('/users', usersRoute);

users.js

var passport = require('passport'),
  DigestStrategy = require('passport-http').DigestStrategy,
  User = require('../../models/users');


passport.use(new DigestStrategy({qop: 'auth'},function(username, done) {
  User.findOne({username: username}, function (err, user) {
    if (err) {return done(err);}
    if (!user) {return done(null, false);}
    return done(null, user, user.password);
  });
}));

users.get('/', passport.authenticate('digest', {session: false}), function(req, res) {
  res.send('Hi!');
});

然后，当我尝试：

$curl --user test:123456 --digest http://localhost:3000/users

我得到了一个＆＃34; 400 - 错误请求＆＃34;响应。

我留下了curl命令的完整输出，并带有-v选项。

    Eileen :: ~ » curl -v --user test:123456 --digest http://localhost:3000/users
    * Adding handle: conn: 0x7f858b803a00
    * Adding handle: send: 0
    * Adding handle: recv: 0
    * Curl_addHandleToPipeline: length: 1
    * - Conn 0 (0x7f858b803a00) send_pipe: 1, recv_pipe: 0
    * About to connect() to localhost port 3000 (#0)
    *   Trying ::1...
    *   Trying 127.0.0.1...
    * Connected to localhost (127.0.0.1) port 3000 (#0)
    * Server auth using Digest with user 'test'
    > GET /users HTTP/1.1
    > User-Agent: curl/7.30.0
    > Host: localhost:3000
    > Accept: */*
    >
    < HTTP/1.1 401 Unauthorized
    < X-Powered-By: Express
    < WWW-Authenticate: Digest realm="Users", nonce="Ah0vZigHMrDx6SMcA3cMeaFm46RtYmv9", qop="auth"
    < Date: Wed, 18 Jun 2014 11:13:58 GMT
    < Connection: keep-alive
    < Transfer-Encoding: chunked
    <
    * Ignoring the response-body
    * Connection #0 to host localhost left intact
    * Issue another request to this URL: 'http://localhost:3000/users'
    * Found bundle for host localhost: 0x7f858b4151c0
    * Re-using existing connection! (#0) with host localhost
    * Connected to localhost (127.0.0.1) port 3000 (#0)
    * Adding handle: conn: 0x7f858b803a00
    * Adding handle: send: 0
    * Adding handle: recv: 0
    * Curl_addHandleToPipeline: length: 1
    * - Conn 0 (0x7f858b803a00) send_pipe: 1, recv_pipe: 0
    * Server auth using Digest with user 'test'
    > GET /users HTTP/1.1
    > Authorization: Digest username="test", realm="Users", nonce="Ah0vZigHMrDx6SMcA3cMeaFm46RtYmv9", uri="/users", cnonce="ICAgICAgICAgICAgICAgICAgICAgIDE0MDMyNjc5MTY=", nc=00000001, qop=auth, response="7c7d3c5bb1b8882915d3ffe1a2b0231c"
    > User-Agent: curl/7.30.0
    > Host: localhost:3000
    > Accept: */*
    >
    < HTTP/1.1 400 Bad Request
    < X-Powered-By: Express
    < Date: Wed, 18 Jun 2014 11:13:58 GMT
    < Connection: keep-alive
    < Transfer-Encoding: chunked
    <
    * Connection #0 to host localhost left intact
    Bad Request%

Answer 1

我遇到了类似的问题并且相信，在我们的两种情况下，问题是passport-http不适用于已安装的应用。

有一个打开的请求，https://github.com/jaredhanson/passport-http/pull/16，可以修复错误，如果可以通过CI构建。

解决方法是只删除Express路由器实例并传递应用程序实例以直接在应用程序对象上挂载所有端点。

对摘要式身份验证的错误请求（用户：false）

1 个答案: