安全的方法来检查身份验证(NodeJS/Express)
问题描述:
我想确保用户通过身份验证(当登录用户获取会话时)。安全的方法来检查身份验证(NodeJS/Express)
function isAuthenticated(req, res, next) {
// do any checks you want to in here
// CHECK THE USER STORED IN SESSION FOR A CUSTOM VARIABLE
// you can do this however you want with whatever variables you set up
if (req.user.authenticated)
return next();
// IF A USER ISN'T LOGGED IN, THEN REDIRECT THEM SOMEWHERE
res.redirect('/');
}
app.get('/hello', isAuthenticated, function(req, res) {
res.send('look at me!');
});
是否有另一种(更安全)的方式来检查用户是否通过身份验证?
答
使用express-session:
https://github.com/expressjs/session
Psudo代码:
var expressSession = require('express-session');
app.use(expressSession({ secret: 'secret' }));
//...//
app.get('/',function(req,res){
if (req.session.auth === undefined || req.session.auth === false){
//handle by redirection to authentication page
}
//user is authenitcated
});
什么的'secret'选项? –
会话通过在浏览器上设置cooky来工作。无论何时浏览重新确认,它都会将该cookie发送回服务器。 secred被用作处理cookie值的散列函数的关键字 –
它是否像密码? –