passport.js local strategy - logging in with username, authenticate later requests with token


Question

I'm having trouble with passport.js using the local strategy. I have 2 specific problems:

  1. I'm not getting persistent sessions to work with the sample code (see below) for the most basic case.
  2. I'd like to go session-less. For the most basic case, on login I'd pass in a username + password that gives me a session token, and in regular requests I'd use that session token hashed with some other things to authenticate. Is this easily done with passport? It seems in this case passport isn't providing much, and it's easier to roll my own solution: just use standard checks for login/logout, then use a middleware to un-hash the request token to authenticate the request. Easy cheesy?

Problem 1:

Using the reference code from the library:

https://github.com/jaredhanson/passport-local/blob/master/examples/login/app.js

I do a series of commands to show logged out vs logged in:

A. check /account, not logged in

curl -v localhost:3000/account

As expected I get a redirect to /login

<p>Moved Temporarily. Redirecting to <a href="http://localhost:9292/login">http://localhost:3000/login</a></p>

B. log in

curl -v -d "username=bob&password=secret" http://127.0.0.1:3000/login

Also as expected, I get a redirect to /

<p>Moved Temporarily. Redirecting to <a href="http://127.0.0.1:3000/">http://127.0.0.1:3000/</a></p>

C. check /account, logged in

curl -v localhost:3000/account

What the heck???

<p>Moved Temporarily. Redirecting to <a href="http://localhost:9292/login">http://localhost:3000/login</a></p>

Answer

In the case of 1, session support requires cookies to be configured on your server side and used by your user agent. Typically this is a browser, which will transmit the cookies in each request, and the server uses them to restore your login state.

However, the curl commands you are using won't transmit cookies, so each request looks "new" to the server, which is why you see the redirect to login each time. I suspect if you try the same requests in a browser, this will work as expected.

As for 2, I'd need a few more details to suggest a good solution. If you are using HTML and web browsers to access your site, you're going to end up needing something like sessions. You could transmit this info in query parameters each time, rather than cookies, but you'll end up rebuilding a lot of what Express/Connect provides out of the box.

In any case, if you choose to go down that route, Passport provides a clean interface to implement your own authentication strategies. You'll simply need to parse the request for the relevant credentials and look up a user in your database.

API clients are different, and I'd suggest taking a look at Passport's OAuth support, which provides easy ways to authenticate access tokens that are associated with a specific client.
