使用护照注册后,请阻止用户进行身份validation
我使用护照和express.jsbuild立了login/注册界面和机制。 我的问题是在用户注册后,我们被redirect到login页面,但是我们最终可以更改URL并立即在用户configuration文件中input,但这当然不是期望的。 我希望用户在注册后没有通过身份validation,他需要在login页面中手动input他/她的凭据,然后才能进入configuration文件。
router.get('/', isAuthenticated, function(req, res) { res.render('library', { // passing the id of and username the connecting user to the dust userid: req.user._id, username: req.user.userName }); }); router.get('/library', isAuthenticated, function(req, res) { res.render('library', { // passing the id of and username the connecting user to the dust userid: req.user._id, username: req.user.userName }); }); /* GET login page. */ router.get('/login', function(req, res) { // Display the Login page with any flash message, if any res.render('login', { message: req.flash('message') }); }); /* Handle Login POST password.authenticate is used to delegate the authentication to the login strategy when a HTTP POST is made to /login. */ router.post('/login', passport.authenticate('login', { successRedirect: '/library', failureRedirect: '/', failureFlash: true })); /* GET Registration Page */ router.get('/signup', function(req, res) { res.render('signup', { message: req.flash('message') }); }); /* Handle Registration POST password.authenticate is used to delegate the authentication to the signup strategy when a HTTP POST is made to /signup. */ router.post('/signup', passport.authenticate('signup', { successRedirect: '/login', failureRedirect: '/signup', failureFlash: true }));
isAuthenticated
函数/中间件定义如下
var isAuthenticated = function(req, res, next) { // if user is authenticated in the session, call the next() to call the next request handler // Passport adds this method to request object. A middleware is allowed to add properties to // request and response objects if (req.isAuthenticated()) { return next(); } else { res.redirect('/login'); } }
我究竟做错了什么?
基本上,注册后,我有一个button,redirect到/
,如果我们被redirect到library
(就像它发生在我身上),那么用户应该已经被authentication,但我不想要这个…
至less有两个解决scheme:
-
将会话
session: false
添加到您传递给passport.authenticate('signup', {...})
的configuration对象passport.authenticate('signup', {...})
如passportjs文档中所述 。 -
不要使用护照进行注册。 护照的主要用途是validation(和build立会话),DIY注册逻辑或多或less只是从
signup
护照中间件复制代码的问题。