Authentication with passport. Can I trust that req.user is indeed the logged in user?


Problem description


I'm using passport to authenticate users at my site. Users can register orders, which have and foreignKey (ObjectId) to the User object.


Example-objects (written as mongoose schemas):

var orderSchema = new mongoose.Schema({
    ...
    address: String,
    _userID: {type: mongoose.Schema.Types.ObjectId, required: true, ref: 'User'}
});

var userSchema = new mongoose.Schema({
    email: String,
});


Mongoose will create the primary key for each object.


My question is; is it enough to check if req.user._id === order._userID? Or can the req.user object be tampered with? Can I trust that req.user._id is the id of the logged in user?


I've found a couple of good resources, but they're not exactly what I'm asking about.

  • http://toon.io/articles/understanding-passportjs-authentication-flow/
  • http://passportjs.org/guide/authenticate/

Recommended answer

So the question:

can the req.user object be tampered with?


Is difficult to answer, since you could have code within your application that will have access to your request object, and within it, modify the user. It's important to understand what code you have running within the flow of each request for anyone really, but especially those concerned about the security of their application. With that said, I can at least point you to where in the code this is established, and you can trace it with a debugger to assure yourself of the flow.

As you've mentioned, the passport documentation discusses authentication configuration options in their guide, and by default will process "logging in" the user when your strategy dictates successful authentication. You can provide a custom callback (mentioned in the referenced documentation above) to process this as well. In the end, it's important that req.logIn is called (which is done by default without any custom callbacks provided). Here's a link to the source: https://github.com/jaredhanson/passport/blob/a06f9b239c4ffaa2cfb134a6bd13a85fbad348b5/lib/http/request.js#L8-L56 (Passport extends the request object via this code to provide helper functions which it later uses.)

The specific line you may be interested in is https://github.com/jaredhanson/passport/blob/a06f9b239c4ffaa2cfb134a6bd13a85fbad348b5/lib/http/request.js#L42, which assigns to the req object the property user with a value of the authenticated user:

this[property] = user;


From there on, you have access to the logged in user under req.user, and their ID under req.user.id. Again note that this logIn function should only be called when the passport strategy states that successful authentication has occurred. But in this way, passport has provided you with a way of easily authenticating the user, and then getting access to this user via the request object.
