用sails.js实现passport-http-bearer标记
我正在尝试实施护照的passport-http-bearer战略,但它发现没有用户信息Bearer realm="Users" 。
我的request是一个post请求:
{'token':'simple_access_token',}
任何人有任何想法,为什么会出现这个错误? 另外我知道这里req应该是https或ssl而不是http 。 我怎么做?
我使用的代码是:
bearerPassportToken: function(req,res){ passport.authenticate('bearer', function(err, user, info){ if ((err) || (!user)) { if (err) return; if (!user) console.log("info);//Info: Bearer realm="Users" res.redirect('/login'); return; } req.logIn(user, function(err){ if (err){ res.redirect('/login'); } //Need to write code for redirection ; }); })(req, res); },
我们必须最近实现保证基于Sails的API和持有者令牌,以下是我们所做的(用0.9.xtesting):
1)将passport作为config/passport.js一个自定义中间件连接(或者根据您的喜好,它可以是config/express.js ):
/** * Passport configuration */ var passport = require('passport'); module.exports.express = { customMiddleware: function(app) { app.use(passport.initialize()); app.use(passport.session()); } };
2)使用config/policies.js的策略保护必要的控制器/操作:
module.exports.policies = { // Default policy for all controllers and actions '*': 'authenticated' };
3)在api/policies/authenticated.js创build检查承载的api/policies/authenticated.js :
/** * Allow any authenticated user. */ var passport = require('passport'); module.exports = function (req, res, done) { passport.authenticate('bearer', {session: false}, function(err, user, info) { if (err) return done(err); if (user) return done(); return res.send(403, {message: "You are not permitted to perform this action."}); })(req, res); };
4)在services/passport.js定义护照策略(或者你认为它更适合你的具体应用的地方):
var passport = require('passport'), BearerStrategy = require('passport-http-bearer').Strategy; /** * BearerStrategy * * This strategy is used to authenticate either users or clients based on an access token * (aka a bearer token). If a user, they must have previously authorized a client * application, which is issued an access token to make requests on behalf of * the authorizing user. */ passport.use('bearer', new BearerStrategy( function(accessToken, done) { Tokens.findOne({token: accessToken}, function(err, token) { if (err) return done(err); if (!token) return done(null, false); if (token.userId != null) { Users.find(token.userId, function(err, user) { if (err) return done(err); if (!user) return done(null, false); // to keep this example simple, restricted scopes are not implemented, // and this is just for illustrative purposes var info = { scope: '*' } done(null, user, info); }); } else { //The request came from a client only since userId is null //therefore the client is passed back instead of a user Clients.find({clientId: token.clientId}, function(err, client) { if (err) return done(err); if (!client) return done(null, false); // to keep this example simple, restricted scopes are not implemented, // and this is just for illustrative purposes var info = { scope: '*' } done(null, client, info); }); } }); } ));
通过这种方式,您可以通过Authorization标头中的持有者来访问API: Bearer 8j4s36...
在这个例子中,一个单独的服务器被用来请求/发布令牌,但是你也可以在同一个应用中使用它(然后你必须将策略应用到选定的控制器上)。