Mongoose / Express授权http动词 [英] Mongoose/Express authorisation on http verbs
问题描述
我有一个node.js REST服务在mongoose和express上运行。我也使用merse来设置我的路由。
I've got a node.js REST service running on mongoose and express. I'm also using merse to get my routing set up.
我现在想要实现的是以下类型的洋葱:
What I'd like to achieve now are the following types of sceanrios:
Scenario I: e.g. blogpost
- GET -> no authentication required
- POST/PUT/DELETE -> authentication required
Scenario II: e.g. user
- GET -> authentication required
- POST/PUT/DELETE -> authentication required plus username of logged in user has to match
我已经看过everyauth和猫头鹰,但找不到什么会给我这种控制。
I've allready had a look at everyauth and mongoose-auth, but couldn't find anything which would give me this kind of control.
推荐答案
忘记everyauth。这个图书馆是一个过分的,imho。实施身份验证实际上很简单,按照模式:
Forget about everyauth. This library is an overkill, imho. Implementing authentication is quite simple actually, follow the schema:
- 用户通过
username密码到服务器; - 服务器获取
用户名和密码,并在数据库中检查是否有一个具有密码的用户。如果没有用户,只需回复错误; - 我们有一个用户,现在使用Express的内置会话机制。调用
req.session.regenerate并在回调中执行req.session.userID = user.id。 Express将自动将cookie发送给用户; - 创建一个中间件(必须在之前激活任何其他请求处理程序),基本上在数据库中搜索
req.session.userID。如果找到一个,则将其存储在req中,即req.user = user; - 在一个视图中,您只需检查是否设置了
req.user变量。如果是,那么我们被认证。您完成了!
- User passes
usernameandpasswordto the server; - Server gets
usernameandpasswordand checks in DB whether there is a user with thatpassword. If there is no user, just respond with an error; - We have a user, now use built-in session mechanism of Express. Call
req.session.regenerateand in the callback doreq.session.userID = user.id. Express will automatically send the cookie to the user; - Create a middleware (has to fire before any other request handler), which basically searches the database for
req.session.userID. If it finds one, then store it inreq, i.e.req.user = user; - In a view you simply check whether
req.uservariable is set. If it is, then we are authenticated. And you're done!
广告1 + 2)为了使身份验证安全,您应该使用一些加密(和/或HTTPS) 。例如,密码应该保存在DB中两部分: salt 和 hash 。 salt 是随机生成的(注册时)和 hash = hash_it(pwd,salt),其中 hash_it 是一些哈希算法(例如:MD5或SHA256)。
ad 1+2) To make authentication safe, you should use some cryptography (and/or HTTPS). For example, the password should be held in DB in two parts: salt and hash. salt is generated randomly (at the time of registration) and hash = hash_it(pwd, salt), where hash_it is some hashing algorithm (for example: MD5 or SHA256).
现在客户端身份验证可以在几个步骤(只有您可以使用JavaScript):
Now client side authentication can be made in several steps (only if you can use JavaScript):
- 服务器将随机的
new_salt发送到登录页面(或在JavaScript中生成一个,不需要隐藏生成算法); - 用户发送AJAX请求
给我用户X的盐和服务器响应存储在DB中的salt(salt是public); - 在响应哈希
pwd与salt然后用new_salt,将其存储在变量hpwd; - 客户端发送
username,hpwd和new_salt到服务器; - 服务器从DB获取
pwdusername,散列pwd与new_salt并将结果与hpwd(注意:您不存储new_salt)。
- Server sends random
new_saltto the login page (or generate one in JavaScript, there is no need to hide generating algorithm); - User sends AJAX request
give me salt for user Xand server responds with thesaltstored in DB (thesaltis public); - On response hash
pwdwithsaltand then hash the result again withnew_salt, store it in variablehpwd; - Client sends
username,hpwdandnew_saltto the server; - Server gets
pwdfrom DB forusername, hashespwdwithnew_saltand compares the result tohpwd(note: you do not storenew_salt).
方法是不错的,因为每次登录一个随机数据(从外部的角度来看)数据流经网络,即使用户名和密码是一样的。
This method is nice, since every time you log in a random (from the external point of view) data flows through net, even though the username and the password is the same.
这很重要,因为 password 事情。不是因为有人可以打破您的应用的帐户(这是一个轻微的损害,除非你是一个银行,但是你不会提出这样的问题:D)。主要是因为人们往往对多个网站(包括银行帐户)使用相同的密码。
This is important, because password leak is a serious thing. Not because someone can break your app's account (that's a minor damage, unless you're a bank - but then you wouldn't ask such questions :D ). Mostly because people tend to use the same passwords for multiple sites, including bank accounts.
这篇关于Mongoose / Express授权http动词的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
