How to handle sessions


Question

I'm trying to build an app that is a Go backend, Angular front end, hosted on Google App Engine, that forces you to /login if you don't have a session or if your session's loggedIn != 1.

I'm also trying to use the App Engine's app.yaml routing for almost everything.

I'm not sure this is possible?

Directory structure:

/myapp/app.yaml
/myapp/server/main.go
/myapp/client/(ANGULAR)

app.yaml (taken from: here):

application: myapp
version: 1
runtime: go111
#api_version: go1
main: ./server

handlers:

- url: /go/.* #Anything that goes to the golang app
  script: _go_app

# Routing for bundles to serve directly
- url: /((?:inline|main|polyfills|styles|vendor)\.[a-z0-9]+\.bundle\.js)
  secure: always
  redirect_http_response_code: 301
  static_files: client/app/dist/\1
  upload: client/app/dist/.*

# Routing for a prod styles.bundle.css to serve directly
- url: /(styles\.[a-z0-9]+\.bundle\.css)
  secure: always
  redirect_http_response_code: 301
  static_files: client/app/dist/\1
  upload: client/app/dist/.*

# Routing for typedoc, assets and favicon.ico to serve directly
- url: /((?:assets|docs)/.*|favicon\.ico)
  secure: always
  redirect_http_response_code: 301
  static_files: client/app/dist/\1
  upload: client/app/dist/.*

# Any other requests are routed to index.html for angular to handle so we don't need hash URLs
- url: /.*
  #secure: always
  redirect_http_response_code: 301
  static_files: client/app/dist/index.html
  upload: client/app/dist/index\.html
  #http_headers:
  #  Strict-Transport-Security: max-age=31536000; includeSubDomains
  #  X-Frame-Options: DENY

So, routes to /go would act as the api... CRUD stuff. Everything else would go to Angular.

So how could I have it check if there's a session? I doubt that's possible in the app.yaml. If a call is made NOT to /go, there's no real server to tell it if there's a session.

So, is it just not possible for me to do it this way? Would I be required to use Go's routing, so that, each call can have a session check?

Recommended answer

Yes, you guessed correctly. Files / folders marked as static are served separately from your Go app (using Google's content delivery network), and as such, cannot be aware of your Go app's session IDs and states.

Is it a problem for you? Usually static files (e.g. HTML, CSS and JavaScript files) can be delivered without authorization / authentication; they don't pose a security risk.

If you don't want to make your static files "public", you have to use your Go app to serve them. Don't mark them as static, and use any of the file serving mechanism of Go's standard lib (e.g. http.FileServer(), http.ServeFile() or http.ServeContent()). Use the middleware pattern to check for the existence of a session, and if one exists, only then call the file server.

(Or implement serving static content on your own, and you can do whatever you want / need to in your own handlers.)

For example to serve "protected" files from Go mapped to /protected, and to have some "real" static files (served by Google automatically) mapped to /static, it could look like this:

app.yaml:

- url: /protected/.*
  script: _go_app

- url: /static
  static_dir: static

Then in your Go source you may serve the "protected" files like this:

func init() {
    fileHandler := http.StripPrefix("/protected",
        http.FileServer(http.Dir("protected")))

    http.HandleFunc("/protected/", func(w http.ResponseWriter, r *http.Request) {
        // You may check if a session exists here
        sessExists := ...

        if !sessExists {
            http.Error(w, "you must login first", http.StatusUnauthorized)
            return
        }

        // Serve the requested file:
        fileHandler.ServeHTTP(w, r)
    })
}

The above init() function registers a handler that handles paths prefixed with /protected/, and if a session exists (that logic belongs to you), it calls a file server that serves the content of the protected folder. The file served is derived from the path, the /protected prefix stripped. E.g. the path /protected/secret.txt will designate the protected/secret.txt file.
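
The middleware pattern from the answer written out in full, as an added example that is not part of the original answer. The `sessionStore` type, the `session` cookie name and the redirect to /login (the behaviour the question asks for) are assumptions, and `http.FS` / `os.DirFS` need Go 1.16 or newer rather than the go111 runtime named in the question.

```go
package main

import (
	"io/fs"
	"log"
	"net/http"
	"os"
)

// sessionStore maps session ID -> logged-in state. Constructed stand-in for a
// real session backend; a store mutated at runtime needs locking.
type sessionStore map[string]bool

func (s sessionStore) loggedIn(r *http.Request) bool {
	c, err := r.Cookie("session") // cookie name is an assumption
	return err == nil && s[c.Value]
}

// requireSession calls next only for requests carrying a logged-in session;
// every other request is redirected to /login and never reaches the files.
func requireSession(s sessionStore, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !s.loggedIn(r) {
			http.Redirect(w, r, "/login", http.StatusFound)
			return
		}
		// Keep protected responses out of shared and browser caches.
		w.Header().Set("Cache-Control", "private, no-store")
		next.ServeHTTP(w, r)
	})
}

// protectedHandler serves files under /protected/ behind the session check.
func protectedHandler(files fs.FS, s sessionStore) http.Handler {
	fileHandler := http.StripPrefix("/protected", http.FileServer(http.FS(files)))
	return requireSession(s, fileHandler)
}

func main() {
	store := sessionStore{} // filled by a login handler, not shown here
	http.Handle("/protected/", protectedHandler(os.DirFS("protected"), store))
	port := os.Getenv("PORT")
	if port == "" {
		port = "8080"
	}
	log.Fatal(http.ListenAndServe(":"+port, nil))
}
```

The check runs before the file server is ever invoked, so an unknown or logged-out session ID gets the same redirect as a missing cookie.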
