在流星服务器端验证路径 [英] Authentication on Server side routes in Meteor
问题描述
什么是最好的方式(最安全和最简单的)为服务器端路线的用户进行身份验证?
What is the best way (most secure and easiest) to authenticate a user for a server side route?
我使用的是最新的铁路由器1 *和流星1 *和开始,我只是用账户密码。
I'm using the latest Iron Router 1.* and Meteor 1.* and to begin, I'm just using accounts-password.
我有呈现一个PDF屏幕一个简单的服务器端路线:
I have a simple server side route that renders a pdf to the screen:
两者/ routes.js
both/routes.js
Router.route('/pdf-server', function() {
var filePath = process.env.PWD + "/server/.files/users/test.pdf";
console.log(filePath);
var fs = Npm.require('fs');
var data = fs.readFileSync(filePath);
this.response.write(data);
this.response.end();
}, {where: 'server'});
作为一个例子,我想要做一些接近到什么<一个href=\"http://stackoverflow.com/questions/20219572/meteor-user-on-iron-router-server-side/20230939#20230939\">this这样,请回答提示:
在服务器上:
var Secrets = new Meteor.Collection("secrets");
Meteor.methods({
getSecretKey: function () {
if (!this.userId)
// check if the user has privileges
throw Meteor.Error(403);
return Secrets.insert({_id: Random.id(), user: this.userId});
},
});
然后在客户端code:
And then in client code:
testController.events({
'click button[name=get-pdf]': function () {
Meteor.call("getSecretKey", function (error, response) {
if (error) throw error;
if (response)
Router.go('/pdf-server');
});
}
});
但是即使我不知怎么把这个方法的工作,我还是会很容易受到用户只需像'/ PDF服务器,除非路由本身以某种方式检查了秘密收集吧?
But even if I somehow got this method working, I'd still be vulnerable to users just putting in a URL like '/pdf-server' unless the route itself somehow checked the Secrets collection right?
在路线,我能得到的请求,并以某种方式获得头信息?
In the Route, I could get the request, and somehow get the header information?
Router.route('/pdf-server', function() {
var req = this.request;
var res = this.response;
}, {where: 'server'});
和从客户端传递一个令牌通过HTTP标头,然后在路由的检查如果令牌是从Collection?
And from the client pass a token over the HTTP header, and then in the route check if the token is good from the Collection?
推荐答案
在除了使用URL标记,你也可以使用Cookie对方回答:
In addition to using url tokens as the other answer you could also use cookies:
在添加一些软件包,允许您设置Cookie和阅读服务器端:
Add in some packages that allow you to set cookies and read them server side:
meteor add mrt:cookies thepumpinglemma:cookies
然后,你可以有一些同步饼干与您的登录状态
Then you could have something that syncs the cookies up with your login status
客户端
Tracker.autorun(function() {
//Update the cookie whenever they log in or out
Cookie.set("meteor_user_id", Meteor.userId());
Cookie.set("meteor_token", localStorage.getItem("Meteor.loginToken"));
});
服务器端
在你只需要检查这个cookie是有效的(用铁路由器)服务器端
On the server side you just need to check this cookie is valid (with iron router)
Router.route('/somepath/:fileid', function() {
//Check the values in the cookies
var cookies = new Cookies( this.request ),
userId = cookies.get("meteor_user_id") || "",
token = cookies.get("meteor_token") || "";
//Check a valid user with this token exists
var user = Meteor.users.findOne({
_id: userId,
'services.resume.loginTokens.hashedToken' : Accounts._hashLoginToken(token)
});
//If they're not logged in tell them
if(!user) return this.response.end("Not allowed");
//Theyre logged in!
this.response.end("You're logged in!");
}, {where:'server'});
这篇关于在流星服务器端验证路径的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!