How to logout (ie, revoke, delete, or invalidate the tokens) for a user on an Aqueduct server?


Question

I know how to implement a route to register a user and also how to trade user credentials in for an access token. These are both covered in the official tutorial.

How do you invalidate the access token (and refresh token) for a registered user? This is necessary both for logging out and for limiting damage if a user's account is compromised.

I see there is a method

authServer.revokeAllGrantsForResourceOwner(identifier)

but I am still working on how to get the identifier from the user since the client app knows the username but not the user id in the server database. It would be nice to just pass in the current token and have the server cancel all the tokens for that user.

Answer

If you want to revoke all tokens given a token, grab the user ID from the authorization token and run a delete query for that user's tokens:

class TokenManagerController extends ResourceController {
  TokenManagerController(this.context);
  final ManagedContext context;

  @Operation.delete()
  Future<Response> deleteTokens() async {
    // Populated by the Authorizer.bearer linked in front of this controller.
    final userId = request.authorization.ownerID;

    // Delete every ManagedAuthToken row belonging to this resource owner.
    final query = Query<ManagedAuthToken>(context)
      ..where((token) => token.resourceOwner).identifiedBy(userId);
    final count = await query.delete();

    return Response.ok({"userId": userId, "tokensDeleted": count});
  }
}

And make sure you link the authorizer:

router.route("/tokens")
      .link(() => Authorizer.bearer(authServer))
      .link(() => TokenManagerController(context));

FWIW, I recommend having a scope specifically for this action that is only granted for this scenario through an additional login. The UX is that the user has to enter their password again.

If you just want to delete one token, just run a delete query where access_token = the token in the authorization header.

class LogoutController extends ResourceController {
  LogoutController(this.context);
  final ManagedContext context;

  @Operation.delete()
  Future<Response> deleteTokens(@Bind.header('authorization') String authHeader) async {
    // Extract the raw bearer token from "Authorization: Bearer <token>".
    final parser = AuthorizationBearerParser();
    final userToken = parser.parse(authHeader);

    // Delete only the row holding this access token (its refresh token goes with it).
    final query = Query<ManagedAuthToken>(context)
      ..where((token) => token.accessToken).equalTo(userToken);
    final count = await query.delete();

    final userId = request.authorization.ownerID;
    return Response.ok({"userId": userId, "tokensDeleted": count});
  }
}
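As an added example (not code from the answer or from Aqueduct itself), here is one controller that serves both cases and guards the revoke-all operation with the extra scope the answer recommends; the scope name "tokens.revoke", the route shape "/tokens/[:selector]" and the use of ManagedAuthToken from package:aqueduct/managed_auth.dart are assumptions.

```dart
import 'package:aqueduct/aqueduct.dart';
import 'package:aqueduct/managed_auth.dart';

// Added example, not code from the answer. Assumes tokens are stored as
// ManagedAuthToken rows and that the scope "tokens.revoke" (an assumed
// name) is granted only by a fresh password login, as the answer suggests.
class TokenRevocationController extends ResourceController {
  TokenRevocationController(this.context);
  final ManagedContext context;

  // DELETE /tokens : revoke only the token presented in this request.
  // The ManagedAuthToken row also holds the refresh token, so deleting
  // the row stops the client from silently minting a new access token.
  @Operation.delete()
  Future<Response> revokeCurrent(
      @Bind.header("authorization") String authHeader) async {
    final presented = AuthorizationBearerParser().parse(authHeader);
    final query = Query<ManagedAuthToken>(context)
      ..where((t) => t.accessToken).equalTo(presented)
      // Also match the owner: a row can only be deleted by the user it
      // was issued to, even if the authorizer upstream is misconfigured.
      ..where((t) => t.resourceOwner).identifiedBy(request.authorization.ownerID);
    final deleted = await query.delete();
    return deleted == 0 ? Response.notFound() : Response.ok({"tokensDeleted": deleted});
  }

  // DELETE /tokens/all : revoke every token of the owner ("log out
  // everywhere", or containment after a suspected account compromise).
  // @Scope makes the controller answer 403 unless the bearer token
  // carries the extra scope, so an ordinary stolen token cannot call this.
  @Scope(["tokens.revoke"])
  @Operation.delete("selector")
  Future<Response> revokeAll(@Bind.path("selector") String selector) async {
    if (selector != "all") {
      return Response.notFound();
    }
    final query = Query<ManagedAuthToken>(context)
      ..where((t) => t.resourceOwner).identifiedBy(request.authorization.ownerID);
    final deleted = await query.delete();
    return Response.ok({"userId": request.authorization.ownerID, "tokensDeleted": deleted});
  }
}

// Route wiring (assumed): the bearer authorizer must run first so that
// request.authorization is populated before either operation executes.
// router.route("/tokens/[:selector]")
//     .link(() => Authorizer.bearer(authServer))
//     .link(() => TokenRevocationController(context));
```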
