Basics of Passport Session (expressjs) - why do we need to serialize and deserialize?


Problem description

What is the use of the serialize and deserialize methods in Passport authentication?

Solution

I had a hard time wrapping my head around it. But this is what I got; hope it saves your time.

There are two ways you could interact with the server to provide access to restricted information which requires authentication: 1. cookies and 2. sessions.

Long story short: cookies are unsafe, as they remain on the client side and can be accessed and manipulated.

But when it comes to sessions, the session id (to be explained) gets saved on the server, thus making it a safe bet.

This is how the process goes with the passport middleware:

  1. Login info is passed (username & password).
  2. Passport Authenticate (local strategy) gets executed to check if the username and password are valid.
  3. The DONE callback with Null (no error) and USER (from database) will be returned if the username and password are VALID.
  4. SERIALIZE: When authentication is valid, the SERIALIZE METHOD IS EXECUTED (to begin a session), which uses whatever parameter is passed in the definition of the method; usually User.id is saved and is verified each time a request is sent.

passport.serializeUser(function(user, done) { done(null, user._id); })

In the above method, the user object is passed and user._id is saved as a key on the server. This means that this key (user.id) would be used to maintain the session.

This is done by saving the user._id in req.passport.session.user = {_id: …}… (explained after Deserialize).

  5. DESERIALIZE: The serialize method is executed only once after authentication; later on, for subsequent requests, the DESERIALIZE METHOD gets executed, which maintains the session in which the User.id is passed, as illustrated below (till the browser is open*).

passport.deserializeUser(function(id, done){…})

The user object is returned in the callback and is attached to the request as req.user.

AUTHENTICATION / NO AUTHENTICATION:

Do you remember the passport.initialize middleware and the passport.session middleware in App.js?

The passport.initialize middleware is executed on every request. After that, the passport.session middleware would look for a serialized user on the server.

If no user authentication has been done, an empty object is created (req.session.passport.user) where the serialized user would be loaded.

req.session.passport.user = {}.

But when authentication has been done and Passport.Authenticate has returned a VALID USER in the done callback (username and password match case), then

req.session.passport.user = user._id

User._id is passed to req.session.passport.user.

This id will be attached to the session (req.session.passport.user) when passport.initialize is executed the next time, in subsequent requests.

After the initialize method finds the id in the session, it performs the deserialize method, and the user information is loaded into the request through req.user.

Please do suggest edits or additions to this answer. -PVTHOMAS
