API路由可用于任何令牌JWT + PASSPORT
我正在为我的应用程序构buildAPI并尝试使用护照jwt。 我可以注册新用户并login(取回令牌),但是当我使用邮递员检查“受保护的”路线时,我可以使用任何这样的“任何” Pasport.js
const JwtStrategy = require('passport-jwt').Strategy, ExtractJwt = require('passport-jwt').ExtractJwt; const User = require('../api/models/user/userModel'),// load up the user model config = require('../config/database'); // get db config file module.exports = (passport)=> { let opts = {}; opts.jwtFromRequest = ExtractJwt.fromAuthHeader(); opts.secretOrKey = config.secret; passport.use(new JwtStrategy(opts, function(jwt_payload, done) { User.findOne({id: jwt_payload.id}, (err, user)=> { if (err) { return done(err, false); } if (user) { done(null, user); } else { done(null, false); } }); })); }; Server.js
const express = require('express'), app = express(), port = process.env.PORT || 3000, mongoose = require('mongoose'), morgan = require('morgan'), passport = require('passport'), bodyParser = require('body-parser'), jwt = require('jsonwebtoken'), config = require('./config/database'), Event = require('./api/models/event/eventModel'), User = require('./api/models/user/userModel'); mongoose.Promise = global.Promise; mongoose.connect(config.database); app.use(bodyParser.urlencoded({ extended: true })); app.use(bodyParser.json()); app.use(passport.initialize()); /* Routers registration */ const routesEvent = require('./api/routes/event/eventRoutes'); routesEvent(app); const routesUser = require('./api/routes/user/userRoutes'); routesUser(app); /* END Routers registration */ /* Express middleware * which used to return more interactive messages */ app.use((req, res, next)=>{ res.status(404).send({url: req.originalUrl + ' not found'}); res.header("Access-Control-Allow-Origin", "*"); res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept"); next(); }); /* END Express middleware */ // Launch the server on port 3000 const server = app.listen(3000, () => { const { address, port } = server.address(); console.log(`RESTful API server Listening at http://${address}:${port}`); });
EventRouter.js
const jwt = require('jsonwebtoken'), passport = require('passport'); require('../../../config/passport')(passport); // as strategy in ./passport.js needs passport object module.exports = (app)=> { const event = require('../../controllers/event/eventController'); // Routes app.route('/events' ) .get( event.list_all_events, passport.authenticate('jwt', { session: false})); };
EventController
const mongoose = require('mongoose'), Event = mongoose.model('Events'), getToken = require('../../../config/getToken'); exports.list_all_events = (req, res)=> { let token = getToken(req.headers); if(token){ Event.find({}, (err, event)=> { if (err) res.send(err); res.json(event); }); } else { return res.status(403).send({success: false, msg: 'Unauthorized.'}); } };
我肯定是在控制器或这个文件中做错了什么
GetToken.js
module.exports = getToken = (headers)=> { console.log(headers); if (headers && headers.authorization) { let parted = headers.authorization.split(' '); //Here I can see my Token from the Postman if (parted.length === 2) { return parted[1]; } else { return null; } } else { return null; } };
请有关我上面犯的一个错误的任何想法?
下线作为一个中间件。 它正在validationJWT令牌,一旦validation了令牌,它就会调用JwtStrategy并在请求中设置用户对象,然后它会调用假设要执行的实际函数。
passport.authenticate('jwt', { session: false})
你真的不需要getToken函数。 这将由上线照顾。 如果令牌未被validation,则上面的行自动返回401。
看起来很奇怪,但是当我把代码改成这个
EventRouter.js app.route('/events' ) .get( passport.authenticate('jwt', { session: false}), event.list_all_events) .post(event.create_event);
这是预期的作品唯一的区别是得到的顺序(护照,function)