Cod*_*ker 3 node.js express jwt jwt-simple
我使用 express 和 jwt-simple 来处理登录/注册和经过身份验证的请求作为中间件 api。我正在尝试创建一个 .well-known 端点,以便其他 api 可以根据发送的令牌对请求进行身份验证。
这是我的策略:
module.exports = function() {
const opts = {};
opts.jwtFromRequest = ExtractJwt.fromAuthHeader();
opts.secretOrKey = securityConfig.jwtSecret;
passport.use(new JwtStrategy(opts, function(jwt_payload, done) {
// User.where('id', jwt_payload.id).fetch({withRelated: 'roles'})
console.log('jwt_payload', jwt_payload)
User.where('id', jwt_payload.id).fetch()
.then(user => user ? done(null, user) : done(null, false))
.catch(err => done(err, false));
}));
};
这是我的登录路径:
router.post('/login', function(req, res) {
const {username, password} = req.body;
Promise.coroutine(function* () {
const user = yield User.where('username', username).fetch();
if(user) {
const isValidPassword = yield user.validPassword(password);
if (isValidPassword) {
let expires = (Date.now() / 1000) + 60 * 30
let nbf = Date.now() / 1000
const validatedUser = user.omit('password');
// TODO: Verify that the encoding is legit..
// const token = jwt.encode(user.omit('password'), securityConfig.jwtSecret);
const token = jwt.encode({ nbf: nbf, exp: expires, id: validatedUser.id, orgId: validatedUser.orgId }, securityConfig.jwtSecret)
res.json({success: true, token: `JWT ${token}`, expires_in: expires});
} else {
res.status(401);
res.json({success: false, msg: 'Authentication failed'});
}
} else {
res.status(401);
res.json({success: false, msg: 'Authentication failed'});
}
})().catch(err => console.log(err));
});
这是我的 .well-known 路线:
router.get('/.well-known', jwtAuth, function(req, res) {
// TODO: look over res.req.user. Don't seem to be the way to get those parameters.
// We dont take those parameters from the decrypted JWT, we seem to grab it from the user in DB.
const { id, orgId } = res.req.user.attributes;
console.log("DEBUG: userId", id)
console.log("DEBUG: USER", res.req.user)
res.json({
success: true,
userId: id,
orgId
});
});
这是我的 jwtAuth() 函数:
const passport = require('passport');
module.exports = passport.authenticate('jwt', { session: false });
我如何在路由函数中实际获取令牌并解密它?所有这一切现在都有效,它验证是否为真,但是我需要能够解密令牌以发回存储的值。我不确定 res.req.user.attributes 来自什么,这是令牌吗?
看看passport-jwt和在你的passport-config(或你初始化passport 的任何地方)设置JWT 策略:
const JwtStrategy = require('passport-jwt').Strategy;
const ExtractJwt = require('passport-jwt').ExtractJwt;
const jwtAuth = (payload, done) => {
const user = //....find User in DB, fetch roles, additional data or whatever
// do whatever with decoded payload and call done
// if everything is OK, call
done(null, user);
//whatever you pass back as "user" object will be available in route handler as req.user
//if your user does not authenticate or anything call
done(null, false);
}
const apiJwtOptions: any = {};
apiJwtOptions.jwtFromRequest = ExtractJwt.fromAuthHeaderAsBearerToken();
apiJwtOptions.algorithms = [your.jwt.alg];
apiJwtOptions.secretOrKey = your.jwt.secret;
//apiJwtOptions.issuer = ???;
//apiJwtOptions.audience = ???;
passport.use('jwt-api', new JwtStrategy(apiJwtOptions, jwtAuth));
如果你只想解码令牌,呼叫done(null, payload)在 jwtAuth。
然后,当您想要保护端点并获得有关用户的信息时,在您的路由文件中,将其用作:
const router = express.Router();
router.use(passport.authenticate('jwt-api', {session: false}));
在处理程序中,您应该req.user可用。它可以配置为req您存储来自 auth 的数据的属性,req.user这只是默认值。
| 归档时间: |
|
| 查看次数: |
5461 次 |
| 最近记录: |