How to launch a command on the server from a web page ( nodejs )

Problem description

I think that what I'm trying to do is simple, but I just don't know the proper wording to make my search efficient.

I have a webapp, in node js with the express.js framework. The web pages are templated with EJS and I have a database that contains my data ( MySQL ).

When I load a page, I get a list of all the items passed in an object and I have a foreach statement to generate a table.

JS function:

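// Express route handler: list every part with the vehicle it is installed on.
listParts: (req, res) => {
    const query = `SELECT parts.*, l.product_vehicleId as InstalledOn, v.name as VehicleName FROM parts
                LEFT JOIN current_loadout as l ON idpart=l.parts_idparts
                LEFT JOIN dataRef.product as v ON v.idvehicle=l.product_vehicleId
                WHERE idpart>0;`;
    db.query(query, (err, qResult) => {
        if (err) {
            // Always answer the request; otherwise the client hangs on a DB error.
            console.error(err);
            return res.status(500).send('Database error');
        }
        res.render('listParts.ejs', {
            title: 'RPA parts list',
            partList: qResult,
            url: req.originalUrl
        });
    });
}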

EJS part:

<tbody align="center">
    <% partList.forEach((part, idx) => {%>
        <tr>
            <td><%=part.name%></td>
            <td><%=part.serial%></td>
            <td><%=Math.floor(part.ttsn/60).toFixed()%>:<%=Math.floor(Math.abs(part.ttsn%60)).toFixed(0).padStart(2,'0')%></td>
            <td><%=part.maxTTSN%></td>
            <td><%=part.maxCalendarDate%></td>
            <td><%=part.VehicleName%></td>
            <td><%if (part.serviceable) {%>
                    <a class="badge badge-success">Serviceable</a>
                <%}else{%>
                    <a class="badge badge-danger">Unserviceable</a>
                <%}%>
            </td>
            <td><%if (part.serviceable) {%>
                    <a href="11">  Make serviceable</a>
                <%}else{%>
                    <a href="11">  Make serviceable</a>
                <%}%>
            </td>
        </tr>
    <%})%>
</tbody>

I would like to make a call on the server to query the DB to make a status change on my part object when the user clicks the button.

Usually I use the href to my REST API endpoint to call a delete object.

My struggle is: how to make it hidden from the user so people would not be able to call the REST endpoint with a script and change the status of all my parts?

My background is C, C++ and Python... I am very new to JavaScript and all the Node modules and, especially, I am a total noob with frontend stuff.

Could somebody point me in a good direction?

Recommended answer

As the saying goes, protect your routes!

Now, how do we do that, especially when the calls come from an unauthenticated client-side request?

Enter JWT (JSON Web Tokens). It's easier than you think.

A JWT is a token, generated on your server, that can contain any number of values, like appID, userID, etc. These tokens are then 'encoded' and 'base64' before ultimately being sent back to the user. The token is encoded with a password, so if a person tries to modify the 'payload' in the token, it won't pass the checksum and the decode will fail.

So what does this mean?

It means, you can now protect your routes with a token auth using middleware to check before processing the request. If the token does not match then no update will happen and you can return an unauthorized response to the client.

Setting this up is fairly easy: you can install the JWT npm package, which will allow you to generate and decode tokens. In your application you would create a 'getToken' endpoint. This would generate the token to pass back to the user (this is typically done on authentication into the application).

The token is then sent back to the user and stored in a secure cookie (you can store it however you like, but a secure cookie will keep the token secure).

When you make your POST request to your other endpoints, simply add the token to the header OR as a post value.

On your route, as middleware OR in the route itself, read the token and decode it; if there are no errors then the token was valid, so process the request; otherwise don't update it.
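
The flow described in the answer above, as an added example that is not part of the original answer: it issues and checks an HS256 token with Node's built-in crypto module instead of the JWT npm package, so it runs without dependencies. The secret, the userId claim and the route path are assumptions.

```javascript
const crypto = require('node:crypto');

// Assumption: constructed demo secret; load a long random value from the environment in real use.
const SECRET = 'constructed-demo-secret';

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
const sign = (data) => crypto.createHmac('sha256', SECRET).update(data).digest('base64url');

// What a 'getToken' endpoint would hand back once the user has authenticated.
function issueToken(claims, ttlSeconds = 900) {
  const now = Math.floor(Date.now() / 1000);
  const body = `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url({ ...claims, iat: now, exp: now + ttlSeconds })}`;
  return `${body}.${sign(body)}`;
}

// Returns the claims, or null when the token is malformed, modified or expired.
function verifyToken(token) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  const expected = Buffer.from(sign(`${header}.${payload}`));
  const given = Buffer.from(sig);
  // Constant-time compare; timingSafeEqual throws on unequal lengths, so check first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    if (decode(header).alg !== 'HS256') return null; // refuse any other algorithm
    const claims = decode(payload);
    return claims.exp > Math.floor(Date.now() / 1000) ? claims : null;
  } catch {
    return null;
  }
}

// Express-style middleware: reject the request before the route handler touches the DB.
function requireToken(req, res, next) {
  const auth = req.headers.authorization || '';
  const claims = verifyToken(auth.startsWith('Bearer ') ? auth.slice(7) : '');
  if (!claims) return res.status(401).json({ error: 'unauthorized' });
  req.user = claims;
  return next();
}

// Hypothetical wiring: app.post('/parts/:id/serviceable', requireToken, handler);
```

Using POST for the status change, rather than a plain href, keeps the state-changing call out of ordinary link navigation and lets the middleware check the token first.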
