Authentication on Server side routes in Meteor


Question

What is the best way (most secure and easiest) to authenticate a user for a server side route?

I'm using the latest Iron Router 1.* and Meteor 1.*, and to begin I'm just using accounts-password.

I have a simple server side route that renders a PDF to the screen:

both/routes.js

Router.route('/pdf-server', function() {
  // Resolve the PDF relative to the project root. Note that nothing here
  // checks who is asking: anyone who knows the URL gets the file.
  var path = Npm.require('path');
  var fs = Npm.require('fs');
  var filePath = path.join(process.env.PWD, 'server/.files/users/test.pdf');
  console.log(filePath);
  var data = fs.readFileSync(filePath);
  this.response.writeHead(200, {'Content-Type': 'application/pdf'});
  this.response.write(data);
  this.response.end();
}, {where: 'server'});

As an example, I'd like to do something close to what this answer suggests (http://stackoverflow.com/questions/20219572/meteor-user-on-iron-router-server-side/20230939#20230939):

On the server:

var Secrets = new Meteor.Collection("secrets");

Meteor.methods({
  getSecretKey: function () {
    // Only logged-in users may mint a secret.
    if (!this.userId) {
      throw new Meteor.Error(403, "Not authorized");
    }
    // The inserted _id doubles as the secret handed back to the client.
    return Secrets.insert({_id: Random.id(), user: this.userId});
  }
});

And then in client code:

testController.events({
  'click button[name=get-pdf]': function () {
    // Ask the server for a secret first, then navigate to the PDF route.
    Meteor.call("getSecretKey", function (error, response) {
      if (error) throw error;

      if (response) {
        Router.go('/pdf-server');
      }
    });
  }
});

But even if I somehow got this method working, I'd still be vulnerable to users just putting in a URL like '/pdf-server', unless the route itself somehow checked the Secrets collection, right?

In the route, I could get the request and somehow get the header information?

Router.route('/pdf-server', function() {
  // Raw Node request/response objects are available in a server route.
  var req = this.request;
  var res = this.response;
}, {where: 'server'});

And from the client pass a token over the HTTP header, and then in the route check if the token is good against the collection?

Recommended answer

In addition to using URL tokens as in the other answer, you could also use cookies:

Add in some packages that allow you to set cookies and read them server side:

meteor add mrt:cookies thepumpinglemma:cookies

Then you could have something that syncs the cookies up with your login status.

Client side

Tracker.autorun(function() {
  // Update the cookies whenever the user logs in or out; Meteor.userId() is
  // reactive, so this re-runs on every login state change.
  Cookie.set("meteor_user_id", Meteor.userId());
  Cookie.set("meteor_token", localStorage.getItem("Meteor.loginToken"));
});

Server side

On the server side you just need to check this cookie is valid (with Iron Router):

Router.route('/somepath/:fileid', function() {

  // Read the values from the cookies
  var cookies = new Cookies(this.request),
      userId = cookies.get("meteor_user_id") || "",
      token = cookies.get("meteor_token") || "";

  // Check that a user with this (hashed) login token exists. Meteor only
  // stores the hash of the token, so hash the client's copy before matching.
  var user = Meteor.users.findOne({
    _id: userId,
    'services.resume.loginTokens.hashedToken': Accounts._hashLoginToken(token)
  });

  // If they're not logged in, tell them
  if (!user) {
    this.response.statusCode = 403;
    return this.response.end("Not allowed");
  }

  // They're logged in!
  this.response.end("You're logged in!");

}, {where: 'server'});
