如何在使用 express/nodejs/passport 重定向时使用会话或 cookie 传递数据? [英] How to pass data with a session or cookie while redirecting with express / nodejs / passport?
问题描述
参见上一个问题:如何传递数据使用 express 重定向?
我的问题是我有一个 Reactjs SPA 和一个 NodeJS/Express/Passport 后端.快速后端正在发送 res.redirect(%url%) 但我无法安全地发送附加信息以及该重定向.
My issue is that I've got a Reactjs SPA and a NodeJS/Express/Passport backend. The express backend is sending a res.redirect(%url%) but I cannot send additional information securely along with that redirect.
上一个问题的答案是发送 cookie 或在会话中发送数据".这是怎么做到的?
The answer to the previous question was "send a cookie or send the data in a session". How can this be done?
我目前的代码:
samlRouter.use(session(config.session));
samlRouter.use(passport.initialize());
samlRouter.use(passport.session());
samlRouter.use((req, res, next) => {
res.header('Access-Control-Allow-Origin', req.header('origin'));
res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-Width, Content-Type, Accept, Authorization');
res.header('Access-Control-Allow-Credentials', 'true'); //SAML
if (req.method == 'OPTIONS') {
res.header('Access-Control-Allow-Methods', 'PUT, POST, GET');
return res.status(200).json({})
}
next();
})
samlRouter.post('/login/callback',
(req, res, next) => {
passport.authenticate('saml', config.saml.options)(req, res, next)
},
(req, res, next) => {
console.log('req.user.nameID :>> ', req.user?.nameID); // ***THIS IS CORRECT**
req.session.user = req.user;
return res.redirect(`${req.body.RelayState}`);
});
问题是 - 我需要告诉前端 reactjs 应用程序 req.user.nameID 是谁.我不能把它放在重定向的查询字符串中,因为它是登录名(因此任何想输入 xxxx.com/privatePage?myusername 的人都可以假装是我).我的理解是其他选项是设置 cookie"和使用会话".
The problem is - I need to tell the front-end reactjs application who the req.user.nameID is. I can't just put it in a query string on the redirect because it's the login (and thus anyone that wanted to just type in xxxx.com/privatePage?myusername could pretend to be me). It's my understanding the other options are 'set a cookie' and 'use the session'.
具体而言,我如何实施这两个其他选项之一,以在身份验证后安全地将数据传递到我的前端?(上面代码块的倒数第二行).
How, specifically, can I implement one of these two other options to securely pass data to my front end after authentication? (the second to last line of the code block above).
值得注意的是我的 API 服务器和我的前端文件主机是不同的——所以我需要一个跨站点的解决方案.当然,有些系统使用第三方身份验证系统,我可以效仿.
worth noting that my API server and my Front-end file host are different -- so I'll need a cross-site solution. Certainly there are systems that use third-party authentication systems that I can emulate.
推荐答案
任何想输入 xxxx.com/privatePage?myusername 的人都可以冒充我
anyone that wanted to just type in xxxx.com/privatePage?myusername could pretend to be me
Cookies 不能解决这个问题.用户可以同样轻松地设置 cookie.
Cookies won't solve this problem. Users can just as easily set cookies.
如果您想了解如何将身份验证和授权凭据安全地传递给公共客户端的示例,请阅读 OAuth 2.0 授权码授予,这正是它解决的问题.
If you want examples of how authentication and authorization credentials can be securely passed to public clients read up about the OAuth 2.0 authorization code grant, that is exactly the problem it solves.
这篇关于如何在使用 express/nodejs/passport 重定向时使用会话或 cookie 传递数据?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
