我正在尝试护照库来验证api请求。首先,我使用express框架创建了一个NodeJS应用程序。该项目包含一些服务于某些数据的api。在公共文件夹中,它包含具有用户名和密码字段的index.html页面。
的index.html
<form action="/login" method="post">
<div>
<label>Username:</label>
<input type="text" name="name"/>
</div>
<div>
<label>Password:</label>
<input type="password" name="password"/>
</div>
<div>
<input type="submit" value="Log In"/>
</div>
</form>
创建一个 server.ts ,创建一个http服务器并侦听某个端口并使用express框架创建apis。
Server.ts
let userList: User[] = [new User(1, "Sunil"), new User(2, "Sukhi")];
let app = express();
// passport library
let passport = require('passport');
let LocalStrategy = require('passport-local').Strategy;
// middlewares
app.use(express.static("public"));
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));
app.use(session({ resave: false, saveUninitialized: true, secret: "secretKey123!!" }));
// passport middleware invoked on every request to ensure session contains passport.user object
app.use(passport.initialize());
// load seriliazed session user object to req.user
app.use(passport.session());
// Only during the authentication to specify what user information should be stored in the session.
passport.serializeUser(function (user, done) {
console.log("Serializer : ", user)
done(null, user.userId);
});
// Invoked on every request by passport.session
passport.deserializeUser(function (userId, done) {
let user = userList.filter(user => userId === user.userId);
console.log("D-serializer : ", user);
// only pass if user exist in the session
if (user.length) {
done(null, user[0]);
}
});
// passport strategy : Only invoked on the route which uses the passport.authenticate middleware.
passport.use(new LocalStrategy({
usernameField: 'name',
passwordField: 'password'
},
function (username, password, done) {
console.log("Strategy : Authenticating if user is valid :", username)
let user = userList.filter(user => username === user.userName)
if (!user) {
return done(null, false, { message: 'Incorrect username.' });
}
return done(null, user);
}
));
app.post('/login', passport.authenticate('local', {
successRedirect: '/done',
failureRedirect: '/login'
}));
app.get('/done', function (req, res) {
console.log("Done")
res.send("done")
})
app.get('/login', function (req, res) {
console.log("login")
res.send("login")
})
// http server creation
let server = http.createServer(app);
server.listen(7000, () => {
console.log('Up and running on port 7000');
});
现在当我点击 localhost:7000 时,它会打开登录页面,当我点击使用userList的用户名提交时,它会返回完成否则登录。这可以。
现在每个电话都通过deserializeUser方法。
问题是当我直接调用其他URL而没有点击/登录(验证用户)时,它们也能正常工作并返回数据。
我原以为如果请求未经过身份验证,则所有其他呼叫都将失败,因为deserializeUser正在拦截每个请求,但在这种情况下,不会调用任何护照方法。
这是如何运作的?或者我错过了什么?
答案 0 :(得分:2)
您需要添加中间件,以检查您的用户是否经过身份验证:
isAuthenticated = (req, res, next) => {
if (req.isAuthenticated()) {
//if user is logged in, req.isAuthenticated() will return true
return next();
}
res.redirect('/login');
};
你必须使用那样的中间件:
//if user not authenticated, he will be redirect on /login
app.get('/done', isAuthenticated, (req, res) => {
res.send("done")
});
答案 1 :(得分:0)
我缺少中间件来验证所有后续请求。所以我创建了isAuthenticated方法(感谢@Sombrero)。
// request interceptor that will check user authentication
private static isAuthenticated = (req, res, next) => {
console.log("Authenticating :", req.originalUrl)
if (req.isAuthenticated()) {
return next();
}
res.redirect('/login');
};
然后在每个请求中
app.get('/done', isAuthenticated, (req, res) => {
res.send("done")
});
但是在每个请求中使用isAuthenticated方法很难。所以我创建了一个公共的API列表数组,并添加了中间件来拦截每个请求,更新了isAuthenticated方法来忽略公共apis
// list of apis for which authentication is not required
private static publicApiList: string[] = ["/login"];
// request interceptor that will check user authentication
private static isAuthenticated = (req, res, next) => {
console.log("Authenticating :", req.originalUrl)
if (req.isAuthenticated() || Server.publicApiList.indexOf(req.originalUrl) > -1) {
return next();
}
res.redirect('/login');
};
然后将此方法用作中间件
app.use(Server.isAuthenticated)