如何使用Passport.js重设/更改Node.js中的密码? [英] How to reset / change password in Node.js with Passport.js?
问题描述
我在Node.js中使用Passport.js创建登录系统.一切正常,但是当他们忘记密码或想要更改密码时,我不知道如何重置用户密码.
I use Passport.js in Node.js to create a login system. Everything is ok, but I do not know how to reset user password when they forget their password or they want to change it.
MongoDB中的用户模型
User model in MongoDB
var UserSchema = new Schema({
email: String,
username: String,
provider: String,
hashed_password: String,
salt: String,
});
推荐答案
不是很喜欢打我的数据库来存储令牌的想法,尤其是当您要为许多操作创建和验证令牌时.
Didn't really like the idea of hitting my database to store tokens, especially when you want to be creating and verifying tokens for many actions.
相反,我决定复制 Django的操作方式:
- 将timestamp_today转换为base36作为
today
- 将user.id转换为
ident
到base36 - 创建包含以下内容的
hash
:- timestamp_today
- user.id
- user.last_login
- user.password
- user.email
- convert timestamp_today to base36 as
today
- convert user.id to base36 as
ident
- create
hash
containing:- timestamp_today
- user.id
- user.last_login
- user.password
- user.email
我们测试req.params.timestamp只是为了简单地测试它是否对今天有效,首先要进行最便宜的测试.首先失败.
We test the req.params.timestamp in order to simply test if it's valid for today, cheapest test first. fail first.
然后我们找到用户,如果该用户不存在,则失败.
Then we find the user, fail if it doesn't exist.
然后我们再次从上方生成哈希,但时间戳来自req.params
Then we generate the hash again from above, but with the timestamp from req.params
如果,重置链接将无效:
The reset link becomes invalid if :
- 他们记住了他们的密码和登录名(last_login更改)
- 他们实际上仍在登录,并且:
- 只需更改密码(更改密码)
- 只需更改他们的电子邮件(更改电子邮件)
- they remember their password and login (last_login changes)
- they're actually still logged in and:
- just change their password (password changes)
- just change their email (email changes)
这种方式:
- 您没有将这些短暂的东西存储在数据库中
- 当令牌的目的是更改事物的状态,并且事物的状态已更改时,令牌的目的就不再安全相关.
这篇关于如何使用Passport.js重设/更改Node.js中的密码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!