Mongoose / Express授权http动词 [英] Mongoose/Express authorisation on http verbs
问题描述
我有一个node.js REST服务在mongoose和express上运行。我也使用merse来设置我的路由。
I've got a node.js REST service running on mongoose and express. I'm also using merse to get my routing set up.
我现在想要实现的是以下类型的洋葱:
What I'd like to achieve now are the following types of sceanrios:
Scenario I: e.g. blogpost
- GET -> no authentication required
- POST/PUT/DELETE -> authentication required
Scenario II: e.g. user
- GET -> authentication required
- POST/PUT/DELETE -> authentication required plus username of logged in user has to match
我已经看过everyauth和猫头鹰,但找不到什么会给我这种控制。
I've allready had a look at everyauth and mongoose-auth, but couldn't find anything which would give me this kind of control.
推荐答案
忘记everyauth。这个图书馆是一个过分的,imho。实施身份验证实际上很简单,按照模式:
Forget about everyauth. This library is an overkill, imho. Implementing authentication is quite simple actually, follow the schema:
- 用户通过
username
密码
到服务器; - 服务器获取
用户名
和密码
,并在数据库中检查是否有一个具有密码
的用户。如果没有用户,只需回复错误; - 我们有一个用户,现在使用Express的内置会话机制。调用
req.session.regenerate
并在回调中执行req.session.userID = user.id
。 Express将自动将cookie发送给用户; - 创建一个中间件(必须在之前激活任何其他请求处理程序),基本上在数据库中搜索
req.session.userID
。如果找到一个,则将其存储在req
中,即req.user = user
; - 在一个视图中,您只需检查是否设置了
req.user
变量。如果是,那么我们被认证。您完成了!
- User passes
username
andpassword
to the server; - Server gets
username
andpassword
and checks in DB whether there is a user with thatpassword
. If there is no user, just respond with an error; - We have a user, now use built-in session mechanism of Express. Call
req.session.regenerate
and in the callback doreq.session.userID = user.id
. Express will automatically send the cookie to the user; - Create a middleware (has to fire before any other request handler), which basically searches the database for
req.session.userID
. If it finds one, then store it inreq
, i.e.req.user = user
; - In a view you simply check whether
req.user
variable is set. If it is, then we are authenticated. And you're done!
广告1 + 2)为了使身份验证安全,您应该使用一些加密(和/或HTTPS) 。例如,密码应该保存在DB中两部分: salt
和 hash
。 salt
是随机生成的(注册时)和 hash = hash_it(pwd,salt)
,其中 hash_it
是一些哈希算法(例如:MD5或SHA256)。
ad 1+2) To make authentication safe, you should use some cryptography (and/or HTTPS). For example, the password should be held in DB in two parts: salt
and hash
. salt
is generated randomly (at the time of registration) and hash = hash_it(pwd, salt)
, where hash_it
is some hashing algorithm (for example: MD5 or SHA256).
现在客户端身份验证可以在几个步骤(只有您可以使用JavaScript):
Now client side authentication can be made in several steps (only if you can use JavaScript):
- 服务器将随机的
new_salt
发送到登录页面(或在JavaScript中生成一个,不需要隐藏生成算法); - 用户发送AJAX请求
给我用户X的盐
和服务器响应存储在DB中的salt
(salt
是public); - 在响应哈希
pwd
与salt
然后用new_salt
,将其存储在变量hpwd
; - 客户端发送
username
,hpwd
和new_salt
到服务器; - 服务器从DB获取
pwd
username
,散列pwd
与new_salt
并将结果与hpwd
(注意:您不存储new_salt
)。
- Server sends random
new_salt
to the login page (or generate one in JavaScript, there is no need to hide generating algorithm); - User sends AJAX request
give me salt for user X
and server responds with thesalt
stored in DB (thesalt
is public); - On response hash
pwd
withsalt
and then hash the result again withnew_salt
, store it in variablehpwd
; - Client sends
username
,hpwd
andnew_salt
to the server; - Server gets
pwd
from DB forusername
, hashespwd
withnew_salt
and compares the result tohpwd
(note: you do not storenew_salt
).
方法是不错的,因为每次登录一个随机数据(从外部的角度来看)数据流经网络,即使用户名
和密码
是一样的。
This method is nice, since every time you log in a random (from the external point of view) data flows through net, even though the username
and the password
is the same.
这很重要,因为 password
事情。不是因为有人可以打破您的应用的帐户(这是一个轻微的损害,除非你是一个银行,但是你不会提出这样的问题:D)。主要是因为人们往往对多个网站(包括银行帐户)使用相同的密码。
This is important, because password
leak is a serious thing. Not because someone can break your app's account (that's a minor damage, unless you're a bank - but then you wouldn't ask such questions :D ). Mostly because people tend to use the same passwords for multiple sites, including bank accounts.
这篇关于Mongoose / Express授权http动词的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!