如何忽略 Jsonwebtoken 中的某些请求类型
Posted
技术标签:
【中文标题】如何忽略 Jsonwebtoken 中的某些请求类型【英文标题】:How to ignore some request type in Jsonwebtoken 【发布时间】:2016-06-23 18:05:42 【问题描述】:我想忽略一些针对令牌身份验证进行检查的 API URL
我想保护 post 和 put 方法,但不想得到这个 url
localhost:3000/api/events/
router.use(function(request, response)
var token = request.body.token || request.query.token || request.headers['x-access-token'];
if (token)
jwt.verify(token, app.get(superSecret), function(err, decoded)
if (err)
return response.json(
sucess: false,
message: "Failed token Authentication"
);
else
request.decoded = decoded;
next();
);
else
return response.status(403).send(
success: false,
message: 'No token provided.'
);
);
如何在 node,express 中使用 jsonwebtoken 来做到这一点
我希望这仅适用于发布、放置、删除请求,但不适用于获取请求。
【问题讨论】:
最简单的可能是将 router.get 放在 router.use 之上,然后 router.use 将仅适用于您在 js 文件中定义的任何路由 【参考方案1】:您可以将匿名中间件移至正常声明的函数,然后将其传递给所有受保护的路由(您决定要保护的路由!)
您的代码可能如下所示:
function tokenProtection(request, response, next)
var token = request.body.token || request.query.token || request.headers['x-access-token'];
if (token)
jwt.verify(token, app.get(superSecret), function(err, decoded)
if (err)
return response.json(
sucess: false,
message: "Failed token Authentication"
);
else
request.decoded = decoded;
next();
);
else
return response.status(403).send(
success: false,
message: 'No token provided.'
);
现在您的路线可能看起来像(您决定要保护什么):
router.get('/item', function(req, res) ... ); // not protected
router.get('/item/:id', function(req, res) ... ); // not protected
router.post(tokenProtection,'/item', function(req, res) ... );//protected
router.put(tokenProtection,'/item', function(req, res) ... );//protected
router.get('/book', function(req, res) ... );// not protected
router.get('/book/:id', function(req, res) ... );// not protected
router.post(tokenProtection,'/book', function(req, res) ... );//protected
router.put(tokenProtection,'/book', function(req, res) ... );//protected
【讨论】:
感谢您的回答。但我没有尝试过这种方式。但我认为它比我的解决方案更好【参考方案2】:将您想要保护的路由放在您的身份验证路由下方,您不想保护的路由可以放在身份验证路由上方。像这样的,
// Require what will be needed
var express = require('express'),
User = require('../models/user'),
usersRouter = express.Router();
var jwt = require('jsonwebtoken'); // used to create, sign, and verify tokens
var config = require('./config'); // get our config file
var secret = superSecret: config.secret; // secret variable,
// Create a new user and return as json for POST to '/api/users'
usersRouter.post('/', function (req, res)
var user = new User(req.body);
user.save(function() //pre-save hook will be run before user gets saved. See user model.
res.json(user : user, message: "Thank You for Signing Up");
);
);
usersRouter.post('/authentication_token', function(req, res)
var password = req.body.password;
// find the user
User.findOne(
email: req.body.email
, function(err, user)
//If error in finding the user throw the error
if (err) throw err;
//If there is no error and the user is not found.
if (!user)
res.json( success: false, message: 'Authentication failed. User not found.' );
//if the user is found
else if (user)
// check if password matches
user.authenticate(password, function(isMatch)
if(isMatch)
// if user is found and password is right
// create a token with full user object. This is fine because password is hashed. JWT are not encrypted only encoded.
var token = jwt.sign(email: user.email, secret.superSecret,
expiresIn: 144000
);
// set the user token in the database
user.token = token;
user.save(function()
// return the information including token as JSON
res.json(
success: true,
id: user._id,
message: 'Enjoy your token!',
token: token
);
);
else
res.json( success: false, message: 'Authentication failed. Wrong password.' );
);
);
);
//***********************AUTHENTICATED ROUTES FOR USERS******************************
// Return ALL the users as json to GET to '/api/users'
usersRouter.get('/', function (req, res)
User.find(, function (err, users)
res.json(users);
);
);
// Export the controller
module.exports = usersRouter;
实际上我昨天在我的博客上解释了这一点,因为我一直在努力弄明白。如果还是不清楚,可以看这里,Node API Authentication with JSON Web Tokens - the right way。
如果有其他资源,比如我的情况,那就是计划。下面是我为要验证的计划放在所有路线之上的代码。
// route middleware to verify a token. This code will be put in routes before the route code is executed.
PlansController.use(function(req, res, next)
// check header or url parameters or post parameters for token
var token = req.body.token || req.query.token || req.headers['x-access-token'];
// If token is there, then decode token
if (token)
// verifies secret and checks exp
jwt.verify(token, secret.superSecret, function(err, decoded)
if (err)
return res.json( success: false, message: 'Failed to authenticate token.' );
else
// if everything is good, save to incoming request for use in other routes
req.decoded = decoded;
next();
);
else
// if there is no token
// return an error
return res.status(403).send(
success: false,
message: 'No token provided.'
);
);
//***********************AUTHENTICATED ROUTES FOR PLAN BELOW******************************
PlansController.get('/', function(req, res)
Plan.find(, function(err, plans)
res.json(plans);
);
);
【讨论】:
感谢您的回答。如果不同的路线在不同的文件中并且我正在导出所有这些路线怎么办?我在 user.js 文件中有用户路由,在 event.js 文件中有事件路由 @Rayees 现在检查更新的答案。我包括计划路线和所需的身份验证。验证码在路由之上。以上是关于如何忽略 Jsonwebtoken 中的某些请求类型的主要内容,如果未能解决你的问题,请参考以下文章