JavaScript backbone.js - handling whether a user is logged in

Notice: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. If you use it you must follow the same CC BY-SA terms, cite the original address and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/5808655/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow

Date: 2020-08-23 18:59:07  Source: igfitidea

backbone.js - handling if a user is logged in or not

Tags: javascript, jquery, backbone.js, underscore.js

Asked by Matthew

Firstly, should the static page that is served for the app be the login page?

Secondly, my server-side code is fine (it won't give any data that the user shouldn't be able to see). But how do I make my app know that if the user is not logged in, it should go back to a login form?

Accepted answer by Sam

I have a backend call that the client-side code in my static page (index.php) makes to check whether the current user is logged in. Let's say you have a backend call at api/auth/logged_in which returns HTTP status code 200 if the user is logged in or 400 otherwise (using cookie-based sessions):

// Ask the backend first; only then start routing. Users without a session
// are sent to the login route before any other route can render.
appController.checkUser(function(isLoggedIn){
    if(!isLoggedIn) {
        window.location.hash = "login";
    }

    Backbone.history.start();
});

...

// Backbone.Controller is the pre-0.5 name of what is now Backbone.Router.
window.AppController = Backbone.Controller.extend({

  // Calls api/auth/logged_in; the browser sends the session cookie with it.
  // jQuery routes any non-2xx status (the 400 above) to the error handler.
  // Note: with dataType "json", jQuery 1.9+ treats an empty 200 body as a
  // parse error and also calls error(), so the endpoint must return valid JSON.
  checkUser: function(callback) {
     $.ajax("api/auth/logged_in", {
       type: "GET",
       dataType: "json",
       success: function() {
         return callback(true);
       },
       error: function() {
         return callback(false);
       }
     });
  }
});

Answer by Jens Alm

I use the session concept to control user login state.

I have a SessionModel and SessionCollection like this:

// Client-side view of the server session. The server fills in sessionId,
// userName and userId after a successful login; password is only ever sent
// to the server, which strips it from the reply.
SessionModel = Backbone.Model.extend({
    defaults: {
        sessionId: "",
        userName: "",
        password: "",
        userId: ""
    },

    // Logged in from the client's point of view as soon as a session id is set.
    // The server still validates that id on every request (see below).
    isAuthorized: function(){
       return Boolean(this.get("sessionId"));
    }

});

On app start, I initialize a globally available variable, activeSession. At start this session is unauthorized and any views binding to this model instance can render accordingly. On login attempt, I first logout by invalidating the session.

// Invalidate the client-side session. clear() removes all attributes, so
// isAuthorized() becomes false and views bound to activeSession re-render.
logout = function(){
    window.activeSession.id = "";
    window.activeSession.clear();
}

This will trigger any views that listen to the activeSession and will put my mainView into login mode where it will put up a login prompt. I then get the userName and password from the user and set them on the activeSession like this:

// Set the credentials silently (no change event, so views do not re-render
// with the password), then save() POSTs the session to the server.
login = function(userName, password){
    window.activeSession.set(
        {
            userName: userName,
            password: password
        },{
            silent:true
        }
    );
    window.activeSession.save();
}

This will trigger an update to the server through backbone.sync. On the server, I have the session resource POST action set up so that it checks the userName and password. If valid, it fills out the user details on the session, sets a unique session id, removes the password and then sends back the result.

My backbone.sync is then set up to add the sessionId of window.activeSession to any outgoing request to the server. If the session id is invalid on the server, it sends back an HTTP 401, which triggers a logout(), leading to the showing of the login prompt.

We're not quite done implementing this yet, so there may be errors in the logic, but basically, this is how we approach it. Also, the above code is not our actual code, as it contains a little more handling logic, but it's the gist of it.
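
The flow described in the answer above, as an added, framework-neutral example that is not code from the original answers: wrapSync() mirrors the Backbone.sync(method, model, options) signature, attaches the active session id to every outgoing request and, on an HTTP 401, invalidates the client-side session so views listening to it fall back to the login prompt; serverHandle() is a constructed stand-in for the backend and is the only place the session is actually validated (including expiry, the "past due" case Alex Yang raises below). The header name and the response shapes are assumptions.

```javascript
// Added example (not code from the original answers): a framework-neutral
// sketch of the session flow Jens Alm describes. wrapSync() mirrors the
// Backbone.sync(method, model, options) signature, adds the active session id
// to every outgoing request and, when the server answers 401, invalidates the
// client-side session so views listening to it fall back to the login prompt.
// serverHandle() is a constructed stand-in for the backend: it is the only
// place the session is actually validated. The header name is an assumption.

// Client-side session object (the role of window.activeSession).
function makeSession() {
  const s = { sessionId: "", userName: "", userId: "", listeners: [] };
  s.isAuthorized = () => Boolean(s.sessionId);
  s.clear = () => {                      // the logout() of the answer above
    s.sessionId = ""; s.userName = ""; s.userId = "";
    s.listeners.forEach((fn) => fn(s)); // views re-render into login mode
  };
  return s;
}

// Constructed backend. sessions: Map<sessionId, {userId, expires}>.
// Every data request is checked here; an unknown or expired id gets 401.
function serverHandle(sessions, request, now) {
  const sid = request.headers["X-Session-Id"];
  const rec = sid ? sessions.get(sid) : undefined;
  if (!rec || rec.expires <= now) {
    if (rec) sessions.delete(sid);       // expired: drop it server side too
    return { status: 401, body: { error: "not logged in" } };
  }
  return { status: 200, body: { userId: rec.userId, items: ["row1", "row2"] } };
}

// Wraps a transport (request -> {status, body}) in a sync-shaped function.
function wrapSync(session, transport) {
  return function sync(method, model, options) {
    const request = { method: method, url: model.url, headers: {} };
    if (session.isAuthorized()) request.headers["X-Session-Id"] = session.sessionId;
    const response = transport(request);
    if (response.status === 401) {
      session.clear();                   // HTTP 401 -> logout() -> login prompt
      if (options && options.error) options.error(response);
    } else if (options && options.success) {
      options.success(response.body);
    }
    return response;
  };
}
```

In the real application the transport would be jQuery's $.ajax and the session id would be set from the server's reply to the login POST; the client-side state only decides what to render, the 401 from serverHandle() is what actually denies data.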

Answer by Alex Yang

I think you should not only control the HTML display but also control the displayed data, because a user can use Firefox to change your JavaScript code.

In detail: you should give the user a token after he logs in, and every time he or she visits a component in the page such as a data grid or tree or something like that, the page must fetch that data (maybe as JSON) from your web service, and the web service will check this token. If the token is incorrect or past due you shouldn't give the user the data; instead you should give an error message. That way the user can't crack your security even if he or she uses Firebug to change the JS code.

That might be of help to you.

Answer by demonace

I think you should do this server-side only... There are many chances of getting it hacked until and unless you have some sort of amazing API responding to it.
