PassportJS callback switch between http and https


Problem description

Right now, when I visit my page at https://example.com and click login, it goes to https://example.com/auth/facebook, which then does the facebook stuff and ends up calling back http://example.com/auth/facebook/callback. I can't seem to get it to call back using the https scheme (but only when the request cycle started in https).

Right now, when viewed through an https iframe (facebook canvas app), I get the error

[blocked] The page at 'https://apps.facebook.com/example/?fb_source=notification&ref=notif&notif_t=app_notification' was loaded over HTTPS, but ran insecure content from 'http://example.com/auth/facebook/callback?code=AQD5TUeTP…yXC0ZM8S45V2iTta629IaquCpAqVUbhAvNCFveaDBlbKg4J4#=': this content should also be loaded over HTTPS.

passport.use(new FacebookStrategy({
    clientID: process.env.FB_CLIENT,
    clientSecret: process.env.FB_SECRET,
    callbackURL: "/auth/facebook/callback",
    profileFields: ['id']
},...

app.get('/auth/facebook',
  passport.authenticate('facebook', {
    scope: ["read_stream"]
  })
);

app.get('/auth/facebook/callback',
  passport.authenticate('facebook', {
    failureRedirect: '/#'
  }),
  function(req, res) {
    res.redirect('/#');
  }
);

I'm running this on heroku, where it handles the details on https.

EDIT: Apparently node provides req.connection.encrypted with information as to whether the request is https. Since I am running on heroku behind nginx where that handles all of the https before node, req.connection.encrypted will always be undefined.

I still don't know how to solve this.

Recommended answer

I looked into the Passport Oauth2 strategy code and checked that it uses req.connection.encrypted to check if it is in a secure connection. It also checks for proxies in case the server code runs behind one. It is possible to tell passport to trust a proxy if you know that you are behind one.

It seems that since SSL is handled by nginx on Heroku, req.connection.encrypted is always "undefined". (groups.google.com/forum/#!topic/express-js/Bm6yozgoDSY) Nginx handles all of the HTTPS on Heroku so node never sees req.connection.encrypted being anything other than "undefined".

To solve the problem you have to tell passport to trust the proxy by adding the line

app.enable("trust proxy");

to your express server.
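
The scheme decision described in the answer, as an added example that is not part of the original post and is not Passport's or Express's own code. It is a simplified model; `requestScheme`, `resolveCallbackURL` and the sample request objects are hypothetical names and constructed data.

```javascript
// Simplified model of how a relative callbackURL gets its scheme.
// Assumption: the server sits behind a TLS-terminating proxy that sets
// X-Forwarded-Proto, as in the Heroku setup discussed above.

function requestScheme(req, trustProxy) {
  // Direct TLS connection to Node: the socket itself is encrypted.
  if (req.connection && req.connection.encrypted) return 'https';
  // Behind the proxy the socket is plain HTTP, so the only hint is the
  // X-Forwarded-Proto header. Honour it only when the proxy is trusted:
  // if nothing in front of the app overwrites it, a client can send it.
  if (trustProxy) {
    const forwarded = String(req.headers['x-forwarded-proto'] || '').toLowerCase();
    if (forwarded.split(/\s*,\s*/)[0] === 'https') return 'https';
  }
  return 'http';
}

function resolveCallbackURL(req, callbackURL, trustProxy) {
  const base = requestScheme(req, trustProxy) + '://' + req.headers.host + req.url;
  // A relative callbackURL inherits scheme and host from the current request;
  // an absolute one is returned unchanged.
  return new URL(callbackURL, base).href;
}

// Constructed sample requests (not captured traffic).
const viaProxy = {            // what Node sees behind the TLS-terminating proxy
  url: '/auth/facebook',
  headers: { host: 'example.com', 'x-forwarded-proto': 'https' },
  connection: {}              // encrypted is undefined here
};
const directTLS = {           // Node terminating TLS itself
  url: '/auth/facebook',
  headers: { host: 'example.com' },
  connection: { encrypted: true }
};

// Proxy not trusted: the callback falls back to http (the reported symptom).
console.log(resolveCallbackURL(viaProxy, '/auth/facebook/callback', false));
// Proxy trusted: the forwarded scheme is used.
console.log(resolveCallbackURL(viaProxy, '/auth/facebook/callback', true));
// Direct TLS needs no proxy trust.
console.log(resolveCallbackURL(directTLS, '/auth/facebook/callback', false));
```

Enable proxy trust only when every request really arrives through a proxy that sets `X-Forwarded-Proto` itself; otherwise the header is client-controlled input.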
