How to ignore some request types in Jsonwebtoken


Question

I want to ignore some API URLs from being checked against token authentication.

I want to protect the POST and PUT methods of this URL, but not GET:

localhost:3000/api/events/

    // Token-checking middleware: reads the token from the body, the query string or the
    // x-access-token header and verifies it before handing the request on with next().
    // `app` (the express app holding the 'superSecret' setting) and `router` are assumed to
    // be defined earlier in the file.
    var jwt = require('jsonwebtoken');

    router.use(function(request, response, next) {
        var token = request.body.token || request.query.token || request.headers['x-access-token'];
        if (token) {
            jwt.verify(token, app.get('superSecret'), function(err, decoded) {
                if (err) {
                    return response.json({
                        success: false,
                        message: "Failed token Authentication"
                    });
                } else {
                    request.decoded = decoded;
                    next();
                }
            });
        } else {
            return response.status(403).send({
                success: false,
                message: 'No token provided.'
            });
        }
    });

How can I do this using jsonwebtoken in Node/Express?

I want this to apply only to POST, PUT and DELETE requests, but not to GET requests.

Answer

Put the routes you want to protect below your authentication route; the ones you do not want to protect can go above the authentication route. Something like this:

    // Require what will be needed
    var express     = require('express'),
        User        = require('../models/user'),
        usersRouter = express.Router();

    var jwt    = require('jsonwebtoken'); // used to create, sign, and verify tokens
    var config = require('./config');     // get our config file

    var secret = {superSecret: config.secret}; // secret variable

    // Create a new user and return as json for POST to '/api/users'
    usersRouter.post('/', function (req, res) {
      var user = new User(req.body);
      user.save(function(){ // pre-save hook will be run before user gets saved. See user model.
        res.json({user : user, message: "Thank You for Signing Up"});
      });
    });

    usersRouter.post('/authentication_token', function(req, res){
      var password = req.body.password;
      // find the user
      User.findOne({
        email: req.body.email
      }, function(err, user) {
        // If error in finding the user throw the error
        if (err) throw err;
        // If there is no error and the user is not found.
        if (!user) {
          res.json({ success: false, message: 'Authentication failed. User not found.' });
        // if the user is found
        } else if (user) {
          // check if password matches
          user.authenticate(password, function(isMatch){
            if(isMatch){
              // if user is found and password is right
              // create a token carrying the user's email. JWTs are not encrypted, only encoded,
              // so only put in the payload what may be read by the client.
              var token = jwt.sign({email: user.email}, secret.superSecret, {
                expiresIn: 144000
              });
              // set the user token in the database
              user.token = token;
              user.save(function(){
                // return the information including token as JSON
                res.json({
                  success: true,
                  id: user._id,
                  message: 'Enjoy your token!',
                  token: token
                });
              });
            } else {
              res.json({ success: false, message: 'Authentication failed. Wrong password.' });
            }
          });
        }
      });
    });

    //***********************AUTHENTICATED ROUTES FOR USERS******************************

    // Return ALL the users as json to GET to '/api/users'
    usersRouter.get('/', function (req, res) {
      User.find({}, function (err, users) {
        res.json(users);
      });
    });

    // Export the controller
    module.exports = usersRouter;

I actually explained this yesterday on my blog because I was struggling to figure it out. If you are still not clear, you can check it out here: Node API Authentication with JSON Web Tokens - the right way.

If there are other resources (in my case it was plans), below is the code I put above all the routes for plans that I wanted to authenticate.

    // Assumed setup, not shown in the original answer: the plans router, the Plan model
    // (hypothetical path) and the same secret object as in the users controller.
    var express = require('express'),
        jwt     = require('jsonwebtoken'),
        config  = require('./config'),
        Plan    = require('../models/plan'),
        PlansController = express.Router();

    var secret = {superSecret: config.secret};

    // route middleware to verify a token. This code will be put in routes before the route code is executed.
    PlansController.use(function(req, res, next) {

      // check header or url parameters or post parameters for token
      var token = req.body.token || req.query.token || req.headers['x-access-token'];

      // If token is there, then decode token
      if (token) {

        // verifies secret and checks exp
        jwt.verify(token, secret.superSecret, function(err, decoded) {
          if (err) {
            return res.json({ success: false, message: 'Failed to authenticate token.' });
          } else {
            // if everything is good, save to incoming request for use in other routes
            req.decoded = decoded;
            next();
          }
        });

      } else {

        // if there is no token, return an error
        return res.status(403).send({
          success: false,
          message: 'No token provided.'
        });

      }
    });

    //***********************AUTHENTICATED ROUTES FOR PLAN BELOW******************************
    PlansController.get('/', function(req, res){
      Plan.find({}, function(err, plans){
        res.json(plans);
      });
    });

    module.exports = PlansController;
