Passport.js可选的身份验证 [英] Passport.js optional authentication

问题描述

有来自Passport.js选购的认证中间件？

Is there an optional authentication middleware from Passport.js?

让我们说我有一个路径， / API /用户。我想给只是一个用户给公众的名单，但身份验证的人，我要添加更多的字段。

Let's say I have a route, /api/users. I want to give just a list of users to the public, but to authenticated people, I want to add more fields.

目前我只是做同样的事情哑自定义的方法，但我不知道：

Currently I have just a dumb custom method that does the same thing, but I wonder if:

• Passport.js已经提供了这样的事情或


• 我怎么能做出这样的的部分的护照，像一个插件左右。

• Passport.js already provides such thing or
• how can I make this a part of passport, like a plugin or so.

我的方法，大致，看起来像

My method, roughly, looks like

function optionalAuth(req, res, next) {

    var authHeader = req.headers.authorization;
    var token = parseToken(authHeader); // just getting the OAuth token here
    if(!token) {

        return next();
    }
    User.findOne({
        token: token
    }, function(err, user) {

        if(err) {
            return res.json(401, {message: 'auth expired'});
        };
        if(user) {
            req.user = user;
        }
        next();
    });
}

然而，这似乎是愚蠢的我，也没有护照的auth-strategies.js或其他一些身份验证层，我想应该是。更好的方式来做到这一点是什么？

This, however, seems dumb to me, and also not in passport-auth-strategies.js or some other auth layer where I think it should be. What is the better way to do it?

告诉我，如果我做回401，如果我找到一个象征，但它是无效的正确的事加分点：）

Bonus points for telling me if I'm doing the proper thing returning 401 if I find a token but it's invalid :)

推荐答案

下面是一个简单的PoC：

Here's a simple PoC:

var express       = require('express');
var app           = express();
var server        = app.listen(3012);
var passport      = require('passport');
var LocalStrategy = require('passport-local').Strategy;

app.use(passport.initialize());

passport.use(new LocalStrategy(function(username, password, done) {
  if (username === 'foo' && password === 'bar') {
    return done(null, { username : 'foo' });
  }
  return done(null, false);
}));

app.get('/api', function(req, res, next) {
  passport.authenticate('local', function(err, user, info) {
    var data = { hello : 'world' };
    // Only if the user authenticated properly do we include secret data.
    if (user) {
      data.secret = '3133753CR37';
    }
    return res.send(data);
  })(req, res, next);
});

它调用的 passport.authenticate '手动'在 / API 端点。这样，当你跨过如何处理身份验证错误（其中，在您的情况，shouldn't被视为错误，但由于限制输出的方式）的控制。

It's calling passport.authenticate 'manually' in the /api endpoint. That way, you get more control over how to deal with authentication error (which—in your situation—shouldn't be treated as errors but as a way of limiting the output).

下面是没有正确验证的输出：

Here's the output without proper authentication:

$ curl 'localhost:3012/api?username=foo&password=wrong'
{"hello":"world"}

和这里的：

$ curl 'localhost:3012/api?username=foo&password=bar'
{"hello":"world","secret":"3133753CR37"}

要作为一个中间件是：

var middleware = function(req, res, next) {
  passport.authenticate('local', function(err, user, info) {
    req.authenticated = !! user;
    next();
  })(req, res, next);
};

app.get('/api', middleware, function(req, res, next) {
  var data = { hello : 'world' };
  if (req.authenticated) {
    data.secret = '3133753CR37';
  }
  return res.send(data);
});

这篇关于Passport.js可选的身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！