Passport.js可选的身份验证 [英] Passport.js optional authentication
问题描述
有来自Passport.js选购的认证中间件?
Is there an optional authentication middleware from Passport.js?
让我们说我有一个路径, / API /用户
。我想给只是一个用户给公众的名单,但身份验证的人,我要添加更多的字段。
Let's say I have a route, /api/users
. I want to give just a list of users to the public, but to authenticated people, I want to add more fields.
目前我只是做同样的事情哑自定义的方法,但我不知道:
Currently I have just a dumb custom method that does the same thing, but I wonder if:
- Passport.js已经提供了这样的事情或
- 我怎么能做出这样的的部分的护照,像一个插件左右。
- Passport.js already provides such thing or
- how can I make this a part of passport, like a plugin or so.
我的方法,大致,看起来像
My method, roughly, looks like
function optionalAuth(req, res, next) {
var authHeader = req.headers.authorization;
var token = parseToken(authHeader); // just getting the OAuth token here
if(!token) {
return next();
}
User.findOne({
token: token
}, function(err, user) {
if(err) {
return res.json(401, {message: 'auth expired'});
};
if(user) {
req.user = user;
}
next();
});
}
然而,这似乎是愚蠢的我,也没有护照的auth-strategies.js或其他一些身份验证层,我想应该是。更好的方式来做到这一点是什么?
This, however, seems dumb to me, and also not in passport-auth-strategies.js or some other auth layer where I think it should be. What is the better way to do it?
告诉我,如果我做回401,如果我找到一个象征,但它是无效的正确的事加分点:)
Bonus points for telling me if I'm doing the proper thing returning 401 if I find a token but it's invalid :)
推荐答案
下面是一个简单的PoC:
Here's a simple PoC:
var express = require('express');
var app = express();
var server = app.listen(3012);
var passport = require('passport');
var LocalStrategy = require('passport-local').Strategy;
app.use(passport.initialize());
passport.use(new LocalStrategy(function(username, password, done) {
if (username === 'foo' && password === 'bar') {
return done(null, { username : 'foo' });
}
return done(null, false);
}));
app.get('/api', function(req, res, next) {
passport.authenticate('local', function(err, user, info) {
var data = { hello : 'world' };
// Only if the user authenticated properly do we include secret data.
if (user) {
data.secret = '3133753CR37';
}
return res.send(data);
})(req, res, next);
});
它调用的 passport.authenticate
'手动'在 / API
端点。这样,当你跨过如何处理身份验证错误(其中,在您的情况,shouldn't被视为错误,但由于限制输出的方式)的控制。
It's calling passport.authenticate
'manually' in the /api
endpoint. That way, you get more control over how to deal with authentication error (which—in your situation—shouldn't be treated as errors but as a way of limiting the output).
下面是没有正确验证的输出:
Here's the output without proper authentication:
$ curl 'localhost:3012/api?username=foo&password=wrong'
{"hello":"world"}
和这里的:
$ curl 'localhost:3012/api?username=foo&password=bar'
{"hello":"world","secret":"3133753CR37"}
要作为一个中间件是:
var middleware = function(req, res, next) {
passport.authenticate('local', function(err, user, info) {
req.authenticated = !! user;
next();
})(req, res, next);
};
app.get('/api', middleware, function(req, res, next) {
var data = { hello : 'world' };
if (req.authenticated) {
data.secret = '3133753CR37';
}
return res.send(data);
});
这篇关于Passport.js可选的身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!