Feathers Js Restrict Access To Page on Server Side

Views: 176

Problem description


I'm using feathers.js and am trying to restrict access to the payment-info.html page to users that are logged in.

// Standard requires for a feathers 2.x generated app (omitted from the snippet as posted)
const path = require('path');
const feathers = require('feathers');
const configuration = require('feathers-configuration');
const compress = require('compression');
const cors = require('cors');
const favicon = require('serve-favicon');
const serveStatic = require('serve-static');
const bodyParser = require('body-parser');
const hooks = require('feathers-hooks');
const rest = require('feathers-rest');
const socketio = require('feathers-socketio');
const services = require('./services');     // the app's own service registrations (assumed path)
const middleware = require('./middleware');  // the app's own middleware module (assumed path)

const app = feathers();

app.configure(configuration(path.join(__dirname, '..')));

app.use(compress())
  .options('*', cors())
  .use(cors())
  .use(favicon(path.join(app.get('public'), 'favicon.ico')))

  // Gate the page before the static handler below gets to serve it
  .use('/payment-info.html', function(req, res, next) {
    if (req.isAuthenticated()) {
      next();
    } else {
      // 401 Unauthorized
      next(new Error(401));
    }
  })

  .use('/', serveStatic(app.get('public')))
  .use(bodyParser.json())
  .use(bodyParser.urlencoded({ extended: true }))
  .configure(hooks())
  .configure(rest())
  .configure(socketio())
  .configure(services)
  .configure(middleware);

module.exports = app;

However, req.isAuthenticated() returns false, even if the user is logged in. Is there a way to restrict access to a page in the public directory to only users that are logged in?

Solution

To do restriction in a page-load scenario, you'll need to first make sure that the token is in a cookie. Check out the feathers-authentication documentation for how to enable cookies. But it's super important that you are careful to not expose yourself to CSRF attacks through the cookie.

With the current version of the feathers-authentication plugin, you'll have to set this up manually. You'll need to read the token out of the cookie for the rendering middleware to use:

const jwt = require('jsonwebtoken');
const cookieParser = require('cookie-parser');

// Parse cookies so the token cookie is available as req.cookies
app.use(cookieParser());
// Gate the page before serveStatic gets a chance to serve it
app.use('/payment-info.html', function(req, res, next) {
  let token = req.cookies['feathers-jwt'];
  if (token) {
    // Get the JWT secret to verify the token (feathers-authentication 0.7.x config path).
    let secret = app.get('auth').token.secret;
    jwt.verify(token, secret, function(err, decoded) {
      if (err) {
        // Invalid or expired token
        return res.status(401).send('You are not authorized to view that page.');
      }
      // Valid token: let the static handler serve the page. Do not copy the token onto req.feathers.
      return next();
    });
  } else {
    return res.status(401).send('You are not authorized to view that page.');
  }
});

It's important that you never allow any services to directly use the token from the cookie. It's fine for the rendering middleware to pull the token and use it to make service requests as though it is just another client, but you would never want to pull it from the cookie and colocate it on the req.feathers object for authorization inside of a service. That's how you open your API up to CSRF attacks.

Also, if you're enabling CORS at all, you'll more than likely want to make sure that CORS is disabled for the rendering middleware. Only enable CORS just before your Feathers services.

Another drawback of feathers-authentication@0.7.x is that the cookie expiration is not matched up with the token's expiration. You'll need to manually set the cookie's maxAge expiration to match how long you want your tokens to be valid, as explained in the docs.

feathers-authentication@1.x.x (which is currently in pre-release) will include better support for server side rendering, so you won't have to wire it up yourself. It will also take care of making the cookie expire with the token.

