nodejs passport authentication token

Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use or share it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverflow original address: http://stackoverflow.com/questions/17397052/

Date: 2020-09-02 14:55:36  Source: igfitidea

Tags: node.js, authentication, express, passport.js

Asked by Austin

I am writing a nodejs application that I would like to use as both a web application, as well as an API provider. Once a user is authenticated, I want to assign that user a token to be used for subsequent requests. This works great with passport for the web application, as I just serialize and deserialize the user with the token in the session. However, when responding to API requests, there is no cookie to set to store the session information. Ideally, passport would look for the token both in session and the request body. Is there any way to configure passport to accomplish this?

Answered by bnuhero

Simply use the access token on every request. Using a session is NOT needed. The following is the workflow:

POST /signin
  1. The username and password are posted in the client request.
  2. The server authenticates the user by using passport's Local Strategy. See passport-local.
  3. If the credentials represent a valid user, the server returns the access token generated by some generator. node-jwt-simple is a good choice.
  4. If the credentials are invalid, redirect to /signin.

When the client receives the access token from the authorization server, it can then make requests to protected resources on the server. For example:

GET /api/v1/somefunction?token='abcedf'

  1. The client calls some server api with the token argument.
  2. The server authenticates the token by using passport's Bearer Strategy. See passport-http-bearer.

References

Make a secure oauth API with passport.js and express.js (node.js)

Answered by Rob

As bnuhero mentions you don't need sessions (although that approach has its merits too). Here's a boiler-plate project that I'm starting for this: https://github.com/roblevintennis/passport-api-tokens

Here's an alternative and easy to follow tut (but it DOES use sessions). Might be a nice cross-reference: http://scotch.io/tutorials/javascript/easy-node-authentication-setup-and-local

And one more reference related: http://mherman.org/blog/2013/11/11/user-authentication-with-passport-dot-js/

Answered by Anuj Kumar

You can use the isAuthenticated() method in passport in nodejs. On every route you can make a check if(req.isAuthenticated()), and if it is already authenticated it will allow you to access the route, or you can redirect or perform any other execution in the else block. In Passport you can return done(null, user) for a successful login and it will store the data in the cookie until the session is ended. In user you can have information about the user like email, password.

app.get('/home', (req, res) => {
    if (req.isAuthenticated()) {
        // render home page
    } else {
        // go back to the login page or throw some error
    }
});