Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original URL: http://stackoverflow.com/questions/18700729/

Time: 2020-09-02 15:34:26  Source: igfitidea

How to use the middleware to check the authorization before entering each route in express?

node.js express middleware

Asked by Noah Blues

I want to check the authorization of the users of my web app when they entered the url. But when I used an individual middleware to check the authorization, it's useless for the already existing routes, such as:

function authChecker(req, res, next) {
    if (req.session.auth) {
        next();
    } else {
        res.redirect("/auth");
    }
}

app.use(authChecker);
app.get("/", routes.index);
app.get("/foo/bar", routes.foobar);

The authChecker is unable to check the authority of the users who entered the two urls. It only works for the unspecified urls.

And I saw a method where I can put the authChecker between the route and the route handler, such as:

app.get("/", authChecker, routes.index);

But how can I achieve it in a simple way rather than putting the authChecker in every route?

Accepted answer by guydog28

As long as

app.use(authChecker);

is before

app.use(app.router);

it will get called for every request. However, you will get the "too many redirects" because it is being called for ALL ROUTES, including /auth. So in order to get around this, I would suggest modifying the function to something like:

function authChecker(req, res, next) {
    if (req.session.auth || req.path === '/auth') {
        next();
    } else {
        res.redirect("/auth");
    }
}

This way you won't redirect for the auth url as well.

Answer by sintaxi

There are many ways to approach this problem but here is what works for me.

I like to create an array of middleware for protected and unprotected routes and then use when necessary.

// The trailing comments stand for any further middleware you want in each list
var protected   = [authChecker, fetchUserObject /* , ... */]
var unprotected = [ /* ... */ ]

app.get("/", unprotected, function(req, res){
  // display landing page
})

app.get("/dashboard", protected, function(req, res){
  // display private page (if they get this far)
})

app.get("/auth", unprotected, function(req, res){
  // display login form
})

app.put("/auth", unprotected, function(req, res){
  // if authentication successful redirect to dashboard
  // otherwise display login form again with validation errors
})

This makes it easy to extend functionality for each middleware scope by editing the array for each type of route. It also makes the function of each route clearer because it tells us the type of route it is.

Hope this helps.

Answer by Peter Lyons

> But when I used an individual middleware to check the authorization, it's useless for the already existing routes

Express will run middleware in the order added to the stack. The router is one of these middleware functions. As long as you get your authChecker into the stack BEFORE the router, it will be used by all routes and things will work.

Most likely you have the router before authChecker because you have routes defined prior to getting your authChecker into the stack. Make sure to put all your app.use calls before any calls to app.get, app.post, etc to avoid express's infuriating implicit injection of the router into the middleware stack.
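
The ordering behaviour described in the answers above, together with the accepted answer's exemption for /auth, as an added example that is not part of the original question or answers. It runs without Express installed: dispatch and route are hypothetical stand-ins for Express's middleware stack and route handlers, and makeAuthChecker and outcome are names made up here.

```javascript
// Gate factory: default deny, with an exact-match allowlist of public paths
// so the login page itself is reachable and no redirect loop occurs.
function makeAuthChecker(publicPaths, loginPath) {
  const allowed = new Set(publicPaths);
  return function authChecker(req, res, next) {
    const loggedIn = Boolean(req.session && req.session.auth);
    if (loggedIn || allowed.has(req.path)) return next();
    res.redirect(loginPath); // everything else is sent to the login page
  };
}

// Hypothetical stand-in for Express's dispatch: run the functions in the
// order they were added until one ends the response instead of calling next().
function dispatch(stack, req) {
  const res = {
    redirectedTo: null,
    body: null,
    redirect(url) { this.redirectedTo = url; },
    send(body) { this.body = body; },
  };
  let i = 0;
  const next = () => { const fn = stack[i++]; if (fn) fn(req, res, next); };
  next();
  return res;
}

// Hypothetical route handler: responds only when the path matches.
const route = (path, body) => (req, res, next) =>
  req.path === path ? res.send(body) : next();

const gate = makeAuthChecker(["/auth"], "/auth");
const routes = [
  route("/", "index"),
  route("/foo/bar", "foobar"),
  route("/auth", "login form"),
];

const gateFirst = [gate, ...routes]; // gate added before the router
const gateLast = [...routes, gate];  // router already in the stack (the question's symptom)

// Constructed requests: returns the body sent, or where the request was redirected.
function outcome(stack, path, session) {
  const res = dispatch(stack, { path, session: session || {} });
  return res.redirectedTo ? "redirect:" + res.redirectedTo : res.body;
}

console.log(outcome(gateFirst, "/foo/bar"), "|", outcome(gateLast, "/foo/bar"));
```

With the gate last, a matched route answers before the check ever runs, and only unmatched URLs reach the redirect, which is the behaviour the question reports.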
