NodeJS + Express:如何保护 URL
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/12276046/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
NodeJS + Express: How to secure a URL
提问by Fabio B.
I am using latest versions of NodeJS and ExpressJS (for MVC).
我正在使用最新版本的 NodeJS 和 ExpressJS(用于 MVC)。
I usually configure my rest paths like this, for example:
我通常像这样配置我的休息路径,例如:
app.get('/archive', routes.archive);
Now i want my /admin/*set of URLs to be secured, I mean I need just simple authentication, it's just a draft.
现在我希望我的一/admin/*组 URL 是安全的,我的意思是我只需要简单的身份验证,这只是一个草稿。
When a user tries to access, for example, /admin/posts, before sending him the corresponding view and data, I check for a req.session.authenticated. If it's not defined, I redirect to the login page.
例如,当用户尝试访问时,/admin/posts在向他发送相应的视图和数据之前,我会检查 req.session.authenticated。如果未定义,我将重定向到登录页面。
Login page has a simple validation form, and a sign-in controller method: if user does send "right user" and "right password" I set the session variable and he's authenticated.
登录页面有一个简单的验证表单和一个登录控制器方法:如果用户确实发送了“正确的用户”和“正确的密码”,我会设置会话变量并且他通过了身份验证。
What I find difficult, or I don't understand, is how to actually make the "filter"code, I mean, the auth check, before every /admin/* path call.
我觉得困难,或者我不明白,是如何在每个 /admin/* 路径调用之前实际制作“过滤器”代码,我的意思是,身份验证检查。
Does this have something to do with "middleware" express functions?
这与“中间件”表达功能有关吗?
Thank you
谢谢
回答by Michelle Tilley
Yep, middleware is exactly what you want. A middleware function is just a function that works just like any other Express route handler, expept it gets run before your actual route handler. You could, for example, do something like this:
是的,中间件正是您想要的。中间件函数只是一个与任何其他 Express 路由处理程序一样工作的函数,期望它在您的实际路由处理程序之前运行。例如,您可以执行以下操作:
function requireLogin(req, res, next) {
if (req.session.loggedIn) {
next(); // allow the next route to run
} else {
// require the user to log in
res.redirect("/login"); // or render a form, etc.
}
}
// Automatically apply the `requireLogin` middleware to all
// routes starting with `/admin`
app.all("/admin/*", requireLogin, function(req, res, next) {
next(); // if the middleware allowed us to get here,
// just move on to the next route handler
});
app.get("/admin/posts", function(req, res) {
// if we got here, the `app.all` call above has already
// ensured that the user is logged in
});
You could specify requireLoginas a middleware to eachof the routes you want to be protected, instead of using the app.allcall with /admin/*, but doing it the way I show here ensures that you can't accidentally forget to add it to any page that starts with /admin.
您可以将要保护的每个路由指定requireLogin为中间件,而不是使用with 调用,但是按照我在此处显示的方式进行操作可确保您不会意外忘记将其添加到任何以.app.all/admin/*/admin
回答by David Gatti
A even simpler approach would be to add the following code in the App.js file.
更简单的方法是在 App.js 文件中添加以下代码。
var auth = function(req, res, next) {
if(isAdmin) {
return next();
} else {
return res.status(400)
}
};
app.use('/admin', auth, apiDecrement);
As you can see the middleware is being attached to the route. Before ExpressJS goes forward, it executes the function that you passed as the second parameter.
如您所见,中间件已附加到路由上。在 ExpressJS 继续之前,它会执行您作为第二个参数传递的函数。
With this solution you can make different checks before displaying the site to the end user.
使用此解决方案,您可以在向最终用户显示站点之前进行不同的检查。
Best.
最好的事物。
回答by Jonathan Ong
Like brandon, but you can also go the connectroute
像布兰登,但你也可以走这connect条路
app.use('/admin', requireLogin)
app.use(app.router)
app.get('/admin/posts', /* middleware */)
