How to properly use Passport.js?


Question

I am using:


  • Node.js
  • Express 4.0
  • Passport.js
  • Google OAuth 2 for Authentication


For each user, I store in a MySQL DB (I don't have the choice regarding this technology) some info from his Google Profile (email etc...), access & refresh tokens, and also additional info that the user provides when he registers on my app.


I have seen different uses of passport.js, specifically regarding how that info is stored in session.


  1. On passport.js's configure page, I don't really understand the point of the following block of code:

// Snippet from the Passport configuration page: deserializeUser runs on every
// request that carries a session and turns the stored id back into req.user.
var passport = require('passport');
var User = require('./models/user'); // hypothetical path: the app's User model exposing findById

passport.deserializeUser(function(id, done) {
  User.findById(id, function(err, user) {
    done(err, user);
  });
});


Basically, each time the user makes a request, or visits a page, there's a request to the DB and information is retrieved. What is the point? It slows the app a lot. Shouldn't the info from the DB be retrieved when serializeUser is called (i.e. when the info is stored in session)?


I have read that storing too much info in session can slow the app. What is "too much"? How much will it slow the app? Does someone know if there are tests somewhere? My app's pages require a different set of data about my user (for example, the homepage will only need his name, whereas the profile page will need everything, another page will need to know what cars he owns, etc...). Should I store all that info in session when passport.authenticate checks if the user exists in the DB (thus limiting read requests to the DB to approximately one), or only store his id in session and have my pages make additional requests to the DB when necessary?


Another issue I have: in the registration process, I first have the user log in on his Google Account, I store his profile's details somewhere, have him fill a form for additional info, and then I insert everything in the DB. The problem is I don't know how to properly store his Google Account details until they are inserted into the DB. For the moment, I store them in session, and then delete that when the insertion is successful. More specifically, when no existing user is found in my DB, I do, in my passport.authenticate callback:

return done(null, false, userInfo);


Thus, the user is not authenticated and I have 2 issues: I have to store that userInfo somewhere until the user is registered, and I have to log him in "manually" using req.login() after the registration is complete.


Should I allow him to be authenticated as soon as he logs in on his Google Account? Wouldn't that cause security issues for me if he does not complete his registration?

Thanks a lot!

Answer


1) serializeUser is filtering the data and storing it in the session cookie. Generally, store less in the cookie if you can. You are going to call the db for data about the user anyways, so you can just store an ID used to retrieve and reconstruct the user, as seen in deserializeUser.


Request coming in: the cookie is provided to the server by the client; the server deserializes the cookie into data, either decrypting the cookie content or retrieving the user data from the db. Then, response heading out: the server serializes the client data, scraping off the things you wouldn't store in the cookie and putting them in the db, just leaving an id in the cookie.


If you are doing encryption, then this can easily be screwed up when you want to scale by running multiple machines which each need to be able to decrypt the data (not really hard, but unnecessary complexity).


Having unencrypted data just lying in the cookie isn't the best, and besides, anything in the cookie adds that inkling of extra bandwidth usage for the user.


2) The database calls should be very fast; if they aren't, you are going to have a suffering user experience elsewhere anyways. In other words, my strong opinion is that there is an overwhelming argument for staying away from cookies.


Consider that cookies are sent with each request; it would be smarter, instead of shoving data into the session and having it add overhead, to have the user data load up temporarily (cached) for a bit after the user makes a request, and then have neither database calls nor overhead from the cookie while the user is actively on your site.


Honestly, you should be fine at first without caching. Focus on getting your app up with minimum complexity. This way you can modify it according to user feedback faster and have fewer mistakes.


3) When I played with Passport I had a similar issue. I would let Passport do its job and grant passport-level verification to the user (so yes, they are logged in), then do more data collection separately. If you are concerned about security, then make this passport-level verification "not fully logged in", and require more data before upgrading to "fully logged in".


I could be very off the mark with this one, but that's my recommendation.


4) Redis is good for times when you have multiple node instances and want to store something in memory (say a counter, or that cached user data). This way you don't have variables in the node code holding onto cached data about a user, which another node instance can't take advantage of when the user comes back and the load balancer shoots them to a different instance.
http://www.ourdailycodes.com/2013/09/redis-when-should-i-use-it.html

Edit:

I should add that session uses a cookie, but only gives the user a unique token the server understands, so that the server can re-gather the user's session data when a connection is received with an accompanying session token. My understanding is that this is the generally correct way for Session to work... but that it varies by implementation (someone correct me if I am wrong here).
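The pattern from points 1 and 2 of this answer, store only the id in the session and rebuild the user in deserializeUser, with a short-lived in-process cache in front of the database, as an added example that is not part of the question, the answer or Passport's own code. It keeps Passport's `(user, done)` / `(id, done)` callback shapes but replaces Passport, express-session and MySQL with constructed in-memory stand-ins (`usersTable`, `findById`, the `session` object); the 30-second TTL and the user rows are assumptions.

```javascript
'use strict';

// Constructed stand-in for the users table (MySQL in the question).
const usersTable = new Map([
  [1, { id: 1, name: 'Alice', email: 'alice@example.com', cars: ['Volvo'] }],
  [2, { id: 2, name: 'Bob', email: 'bob@example.com', cars: [] }],
]);

// Counts how many times the "database" is really read.
let dbReads = 0;

// Stand-in for User.findById(id, cb). A real driver calls back asynchronously;
// the callback shape is the same, so the code below does not depend on timing.
function findById(id, cb) {
  dbReads += 1;
  cb(null, usersTable.get(id) || null);
}

// Passport-shaped serializer: only the id goes into the session record.
// Email, cars and tokens stay in the database, never in the session or cookie.
function serializeUser(user, done) {
  done(null, user.id);
}

// Small per-process TTL cache so consecutive requests from an active user
// do not each hit the database (assumed TTL: 30 seconds).
const CACHE_TTL_MS = 30 * 1000;
const userCache = new Map(); // id -> { user, expiresAt }

// Call this whenever a user row changes, so a stale copy is not served.
function invalidateUser(id) {
  userCache.delete(id);
}

// Passport-shaped deserializer: rebuild req.user from the id in the session.
function deserializeUser(id, done) {
  const hit = userCache.get(id);
  if (hit && hit.expiresAt > Date.now()) {
    return done(null, hit.user);
  }
  findById(id, (err, user) => {
    if (err) return done(err);
    if (!user) return done(null, false); // unknown id: treat the session as logged out
    userCache.set(id, { user, expiresAt: Date.now() + CACHE_TTL_MS });
    done(null, user);
  });
}

// Simulates what express-session + Passport do: login serializes once, then
// every later request deserializes from what the session store kept.
function simulateRequests(user, requestCount) {
  let session = null;
  serializeUser(user, (err, sessionValue) => {
    if (err) throw err;
    session = { passport: { user: sessionValue } }; // what the session store holds
  });
  const readsBefore = dbReads;
  let lastUser = null;
  for (let i = 0; i < requestCount; i++) {
    deserializeUser(session.passport.user, (err, u) => {
      if (err) throw err;
      lastUser = u;
    });
  }
  return { session, user: lastUser, dbReads: dbReads - readsBefore };
}
```

In a real app the two callbacks are registered with `passport.serializeUser(serializeUser)` and `passport.deserializeUser(deserializeUser)`. The cache lives in one Node process, which is exactly the limitation point 4 of the answer describes: once several instances sit behind a load balancer, the cache has to move to something shared such as Redis, or each instance ends up with its own copy.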
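Point 3's two-level login, Passport-level verification right after Google OAuth and a separate "registered" state once the extra form is complete, with application routes gated on that state. This is an added example, not the answerer's or Passport's code. The `users` map, the `REQUIRED_FIELDS` list, the Google profile values and the `/register` and `/auth/google` paths are assumptions; the middleware uses the Express `(req, res, next)` signature and is exercised here with a constructed `req`/`res` rather than a real Express app.

```javascript
'use strict';

// Assumption: the fields the registration form must supply before the account is usable.
const REQUIRED_FIELDS = ['displayName', 'country'];

// Constructed stand-in for the users table (MySQL in the question).
const users = new Map();

// Called from the OAuth verify callback: find the user or create a provisional row
// from the Google profile. The user is logged in either way, but registered=false
// until the form is completed, so the Google details never have to sit in the session.
function findOrCreateFromProfile(profile) {
  let user = users.get(profile.id);
  if (!user) {
    user = { id: profile.id, email: profile.email, registered: false };
    users.set(profile.id, user);
  }
  return user;
}

// Middleware: requires at least Passport-level verification.
function ensureAuthenticated(req, res, next) {
  if (req.user) return next();
  res.redirect('/auth/google');
}

// Middleware: requires the registration form to be complete.
// Unfinished accounts are sent back to the form instead of into the app.
function ensureRegistered(req, res, next) {
  if (!req.user) return res.redirect('/auth/google');
  if (!req.user.registered) return res.redirect('/register');
  next();
}

// Registration handler: validate the form, persist it, then flip the flag.
function completeRegistration(user, form) {
  const clean = (v) => String(v).trim();
  const missing = REQUIRED_FIELDS.filter((f) => form[f] === undefined || form[f] === null || clean(form[f]) === '');
  if (missing.length) return { ok: false, missing };
  const stored = users.get(user.id);
  if (!stored) return { ok: false, missing: [], error: 'unknown user' };
  Object.assign(stored, {
    displayName: clean(form.displayName),
    country: clean(form.country),
    registered: true,
  });
  return { ok: true, user: stored };
}

// Tiny stand-in for Express's req/res so the middleware can be run here.
function runMiddleware(mw, user) {
  const req = { user };
  const outcome = { redirectedTo: null, calledNext: false };
  const res = { redirect: (url) => { outcome.redirectedTo = url; } };
  mw(req, res, () => { outcome.calledNext = true; });
  return outcome;
}
```

With Express this becomes `app.get('/register', ensureAuthenticated, showForm)` and `app.get('/profile', ensureRegistered, showProfile)`: the provisional account can reach the form and nothing else, and the only thing the session stores is the user id, whether or not registration has finished.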
