Bypassed authentication in route handling


Problem description


I have set up an application with a registration homepage and a few internal pages requiring a login. I used Node with Express.js to set up the server and control the routes, and authentication works fine: if I try to access localhost:port/clientPage I get the desired page if I previously logged in and an error message otherwise.

The problem is that if I try to access localhost:port/clientPage.html I get the clientPage even when I have no active session. How can I ensure the same - desired - behaviour previously described also in this case? I attach the code of my GET route to clientPage:

// Assumed module setup, not shown in the post: the Express router, path, and the
// User model that is looked up by the id stored in req.session.
var express = require('express');
var path = require('path');
var router = express.Router();
var User = require('../models/User'); // assumed path to the User model

router.get('/clientPage', function (req, res, next) {
  // Resolve the session's user id; no session or an unknown id yields null.
  User.findById(req.session.userId)
    .exec(function (error, user) {
      if (error) {
        return next(error);
      } else {
        if (user === null) {
          var err = new Error('Not authorized! Go back!');
          err.status = 400;
          return next(err);
        } else {
          // Only a logged-in user reaches the protected view.
          return res.sendFile(path.join(__dirname + '/../views/clientPage.html'));
        }
      }
    });
});

module.exports = router;

Solution

Since the problem is caused by adding .html to the end of the route, which somehow bypasses the authentication route, I think it is highly possible that you have

express.static(path.join(__dirname, "views")) at the beginning of your application, publicly serving your folder.

Why is it overriding your route?

Express runs middleware sequentially through app.use(...). The statement app.use(express.static...) is placed before app.use(// your router), so the response is resolved to the client early.

Using this knowledge you can easily restrict other routes by placing an authentication middleware before your routes instead of embedding your database call inside each specific route.

app.use(require("./middleware/auth"));
app.use("/homepage", require("./routes/homepage"));
app.use("/clientPage", require("./routes/clientPage"));
