The server must verify the token ID on each request to ensure that the user is authorized to access the requested resource. The easiest way is to decode the token and verify its signature.
To summarize, I am researching how to implement token-based authentication for my Express v4 web application that will serve both mobile and web clients. I want to create a secure connection without using Basic Authentication or Passport middleware. When a new user registers on the client-side, the username and password are sent to the server, which then generates a token ID that is sent back to the client-side. The hashed password and salt are stored on the server-side. To store the token ID, I am considering using cookies, but I am unsure if this violates RESTful principles. Finally, when making requests to the server, the token ID is placed in the authorization header and verified by the server on each request.
- Server side
When a request arrives, the server checks the token sent to the API and compares it with the session token; if they match, the request is allowed, otherwise it is rejected.
Is this the standard way of doing authorization in an Express application?
Sorry for the long post, but I feel I really should get a solid grasp of authentication and authorization because it is important. I hope someone can correct my misconceptions about REST authentication and answer my questions or suggest a better approach.