如何使用express传递数据和重定向? [英] How to pass data along with redirect using express?
问题描述
我正在尝试使用我的 React 应用程序设置 SAML 单点登录.后端是快递/护照设置.前端是 Reactjs.
I am attempting to set up SAML Single Sign On with my React application. The backend is an express / passport setup. Front end is Reactjs.
我加载了初始 Reactjs SPA,它注意到我没有设置用户名....然后它重定向到 SSO 页面.我输入我的信息(根据需要),然后在成功后我要指出身份提供者将我的客户端转发回 /login/callback 路由的位置.反过来,这条路由应该将用户转发回他们的原始 URL(由 req.body.RelayState 定义).
I load the initial Reactjs SPA and it notices I don't have a username set. ... so then it redirects to the SSO page. I enter my information (as needed) and then after success I am to point where the identity provider forwards my client back to the /login/callback route. This route, in turn, is supposed to forward the user back to their original URL (as defined by req.body.RelayState).
回调路由如下所示:
samlRouter.use(session(config.session));
samlRouter.use(passport.initialize());
samlRouter.use(passport.session());
samlRouter.use((req, res, next) => {
res.header('Access-Control-Allow-Origin', req.header('origin'));
res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-Width, Content-Type, Accept, Authorization');
res.header('Access-Control-Allow-Credentials', 'true'); //SAML
if (req.method == 'OPTIONS') {
res.header('Access-Control-Allow-Methods', 'PUT, POST, GET');
return res.status(200).json({})
}
next();
})
samlRouter.post('/login/callback',
(req, res, next) => {
passport.authenticate('saml', config.saml.options)(req, res, next)
},
(req, res, next) => {
console.log('req.user.nameID :>> ', req.user?.nameID); // ***THIS IS CORRECT**
req.session.user = req.user;
return res.redirect(`${req.body.RelayState}`);
});
问题是 - 我需要告诉前端 reactjs 应用程序 req.user.nameID 是谁.我不能把它放在重定向的查询字符串中,因为它是登录名(因此任何想输入 xxxx.com/privatePage?myusername 的人都可以假装是我).
The problem is - I need to tell the front-end reactjs application who the req.user.nameID is. I can't just put it in a query string on the redirect because it's the login (and thus anyone that wanted to just type in xxxx.com/privatePage?myusername could pretend to be me).
如何在身份验证后安全地将数据传递给我的前端?
How can I securely pass data to my front end after authentication?
推荐答案
有多种方法可以通过重定向传递数据.
There are a number of ways to pass data with a redirect.
- 将数据放入作为重定向 URL 一部分的查询字符串中,以便在呈现重定向 URL 时该 URL 中的数据可用.
- 将数据放入 cookie 中,该 cookie 将在呈现重定向的 URL 时出现.
- 将数据放入服务器端用户会话中,该会话将在呈现重定向 URL 时出现.
如果同一用户同时参与多个重定向,则选项 2 和选项 3 都存在潜在的并发问题或竞争条件.选项 2 和选项 3 还需要在使用后清理数据,以免数据闲置.
Both options 2 and 3 have potential concurrency issues or race conditions if the same user is very involved in multiple redirects at the same time. These options 2 and 3 also need to clean up the data after it is used so it isn't left hanging around.
如果需要,选项 2 和选项 3 比选项 1 更私密.如果此数据涉及身份验证(例如,用户是谁以及需要安全),那么它确实应该在服务器端会话中(由会话 cookie 索引).这通常会保存在会话中,因此它可以作为 req.session.user 用于未来的请求.
Options 2 and 3 are more private than option 1 if that is desired. If this data is involved in authentication (e.g. who the user is and needs to be secure), then it really ought to be in the server-side session (which is indexed by the session cookie). This would typically be saved in the session so it's available as req.session.user to future requests.
这篇关于如何使用express传递数据和重定向?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
