在处理 POST 请求时,如何确定谁在 Node 上使用 basicAuth 进行了身份验证

我正在使用 basicAuth 来验证发往特定地址的 POST 请求。

在客户端,我使用了以下格式的命令:

// Same POST as above, with the options grouped by concern (endpoint and
// credentials, request body, response handling). jQuery reads each option by
// name, so the key order does not change the request that is sent.
$.ajax({
  url: "http://localhost:3000/somewhere",
  type: "POST",
  // Credentials the browser uses to answer the server's Basic-auth challenge.
  username: theUsername,
  password: "a password",
  // Request body: the serialised object, declared as JSON.
  contentType: "application/json; charset=UTF-8",
  data: JSON.stringify(something),
  // Response handling.
  // NOTE(review): jQuery documents `accepts` as an object keyed by dataType;
  // a bare string here may simply be ignored — verify against the jQuery version in use.
  accepts: "text/plain",
  dataType: "json",
  success: function(data) {
    var reply = "Received back: '" + data + "'";
    window.alert(reply);
  }
});

这可以正常工作:存储在 username 中的用户名能够通过我在 Node 上的身份验证机制。当用户通过身份验证时,我可以打印一条 console.log 语句,查看到底是谁通过了验证(我目前没有验证密码)。但随后就开始实际处理 POST 请求了。此时,我怎样才能找出原始请求中使用的用户名和密码呢?我试着查看了请求头,但没有看到任何相关内容。

当你收到一个 Basic 身份验证请求时,应该可以通过 req.headers.authorization 读取 “Authorization” 请求头。你需要从中提取 base64 编码的凭据,然后将其解码。在 Express 中,大概可以用 req.header("authorization") 或 req.get("authorization") 来读取。

一个独立的示例可以参考 https://gist.github.com/charlesdaniel/1686663 ,我已将其复制在下面以供将来参考。

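 var http = require('http');
var crypto = require('crypto');

// Demo credentials only; a real service would look these up in a user store
// rather than hard-coding them in source.
var EXPECTED_USERNAME = 'hack';
var EXPECTED_PASSWORD = 'thegibson';

// Parses the value of an HTTP Basic "Authorization" header, which looks like
// "Basic Y2hhcmxlczoxMjM0NQ==", i.e. base64(username + ":" + password).
// Returns { username, password }, or null when the header is missing or
// malformed (wrong scheme, no credential part, no ':' separator). It never
// throws, so a garbage header cannot take the server down with an uncaught
// exception the way `new Buffer(undefined, 'base64')` would.
function parseBasicAuth(auth) {
  if (typeof auth !== 'string') return null;
  // RFC 7617: the "Basic" scheme token is case-insensitive; require exactly one
  // base64 token after it.
  var match = /^Basic\s+([A-Za-z0-9+\/=]+)$/i.exec(auth.trim());
  if (!match) return null;
  // Buffer.from replaces the deprecated `new Buffer(str, 'base64')`.
  var plain = Buffer.from(match[1], 'base64').toString();
  // Split at the FIRST ':' only — the user-id cannot contain ':' but the
  // password may, so split(':') would silently truncate such passwords.
  var sep = plain.indexOf(':');
  if (sep < 0) return null;
  return { username: plain.slice(0, sep), password: plain.slice(sep + 1) };
}

// Compares a supplied secret with the expected one in constant time. Both sides
// are hashed first so the buffers handed to crypto.timingSafeEqual always have
// equal length (it throws otherwise), which also avoids leaking the expected
// length through an early exit.
function secretsMatch(supplied, expected) {
  var a = crypto.createHash('sha256').update(String(supplied)).digest();
  var b = crypto.createHash('sha256').update(String(expected)).digest();
  return crypto.timingSafeEqual(a, b);
}

// Sends a 401 plus the 'WWW-Authenticate' challenge that tells the browser to
// prompt (or re-prompt) for Basic credentials, then ends the response with body.
function challenge(res, body) {
  res.statusCode = 401;
  res.setHeader('WWW-Authenticate', 'Basic realm="Secure Area"');
  res.end(body);
}

var server = http.createServer(function(req, res) {
  // Node lowercases header names in its request object, so the browser's
  // "Authorization" header is found under 'authorization'.
  var auth = req.headers['authorization'];
  console.log("Authorization Header is: ", auth);

  var creds = parseBasicAuth(auth);
  if (!creds) {
    // No (or unusable) Authorization header: first visit, or a client sending
    // something that is not Basic auth. Challenge so the browser asks for creds.
    challenge(res, '<html><body>Need some creds son</body></html>');
    return;
  }

  // Log only the user-id: writing the decoded "username:password" pair to the
  // console would put plaintext passwords into the logs.
  console.log("Decoded Authorization user: ", creds.username);

  // Evaluate both comparisons before combining them so a wrong username does
  // not short-circuit past the password check (timing stays independent of
  // which half was wrong).
  var userOk = secretsMatch(creds.username, EXPECTED_USERNAME);
  var passOk = secretsMatch(creds.password, EXPECTED_PASSWORD);
  if (userOk && passOk) {
    res.statusCode = 200; // OK
    res.end('<html><body>Congratulations you just hax0rd teh Gibson!</body></html>');
  } else {
    // Re-challenge so the browser retries; alternatively reject outright with
    // res.statusCode = 403 (Forbidden) and no WWW-Authenticate header.
    challenge(res, '<html><body>You shall not pass</body></html>');
  }
});

// Basic auth sends the credentials base64-encoded, not encrypted: outside a
// local demo this only makes sense behind TLS.
server.listen(5000, function() {
  console.log("Server Listening on http://localhost:5000/");
});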