express-jwt不遵守不受保护的路径 [英] express-jwt Not respecting unprotected paths

问题描述

express-jwt模块上的信息可以在这里找到:

Information on the express-jwt module can be found here:

• https://github.com/auth0/express-jwt
• https://www.npmjs.com/package/express-jwt

• https://github.com/auth0/express-jwt
• https://www.npmjs.com/package/express-jwt

在我的main.js服务器文件中，我具有以下内容:

In my main.js server file, I have the following:

import ExpressJwt from 'express-jwt';
// import other crap...

let token = ExpressJwt({
    secret: 'whatever',
    audience: 'whatever',
    issuer: 'whatever'
});

app.all('/apiv1', token.unless({ path: ['apiv1/user/create', '/apiv1/auth/login']}));

app.use('/apiv1/user', user);
app.use('/apiv1/auth', auth);

其中user和auth是处理我的路线的中间件.我想做的事很明显；拒绝所有未经身份验证的用户的API访问，除非他们尝试通过apiv1/user/create创建新用户和/或通过apiv1/auth/login登录.

Where user and auth are the middlewares that handle my routes. What I want to do is obvious; deny API access to all unauthenticated users, except when they attempt to create a new user via apiv1/user/create and/or login via apiv1/auth/login.

每当我尝试向上述不受保护的路径发出请求时，都会收到错误消息:

Any time I try to make a request to the aforementioned unprotected paths however, I get the error:

UnauthorizedError:未找到授权令牌

UnauthorizedError: No authorization token was found

它仍在保护我指定为不受保护的路由！我也尝试过:

It's still protecting the routes I specified to be unprotected! I also tried:

app.use('/apiv1/user', token.unless({ path: ['/apiv1/user/create'] }), user);
app.use('/apiv1/auth', token.unless({ path: ['/apiv1/auth/login'] }), auth);

但这没用.我还尝试将regex用于除非路径，但这也不起作用.

But that didn't work. I also tried using regex for the unless paths, but that didn't work either.

我通过到达此路线 ，但该解决方案无法为我提供所需的功能.

I arrived at app.all('/apiv1', token...) via this answer, but that solution does not yield me the desired functionality.

推荐答案

代替使用all:

app.all('/apiv1', token.unless({ path: ['apiv1/user/create', '/apiv1/auth/login']}));

尝试使用use，并在路径路由的开头添加斜线/:

Try using use and adding in the path route a slash / at the beginning:

app.use('/apiv1', token.unless({ path: ['/apiv1/user/create', '/apiv1/auth/login']}));

---

这是一个有效的示例:

---

Here it is an example that is working:

app.js:

var express = require('express');
var app = express();

var expressJwt = require('express-jwt');
var jwt = require('jsonwebtoken');
var secret = 'secret';

app.use('/api', expressJwt({secret: secret}).unless({path: ['/api/token']}));

app.get('/api/token', function(req, res) {
  var token = jwt.sign({foo: 'bar'}, secret);
  res.send({token: token});
});

app.get('/api/protected', function(req, res) {
  res.send('hello from /api/protected route.');
});

app.use(function(err, req, res, next) {
  res.status(err.status || 500).send(err);
});

app.listen(4040, function() {
  console.log('server up and running at 4040 port');
});

module.exports = app;

---

test.js:

var request = require('supertest');
var app = require('./app.js');

describe('Test API', function() {
  var token = '';

  before(function(done) {
    request(app)
      .get('/api/token')
      .end(function(err, response) {
        if (err) { return done(err); }
        var result = JSON.parse(response.text);
        token = result.token;
        done();
      });
  });

  it('should not be able to consume /api/protected since no token was sent', function(done) {
    request(app)
      .get('/api/protected')
      .expect(401, done);
  });

  it('should be able to consume /api/protected since token was sent', function(done) {
    request(app)
      .get('/api/protected')
      .set('Authorization', 'Bearer ' + token)
      .expect(200, done);
  });
});

这篇关于express-jwt不遵守不受保护的路径的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！