logo标签列表

Express + JWT 排除特定路由

node.jsexpressjson-web-token
8

我有一个使用expressjsonwebtoken运行的Node应用程序。在每个api调用之前,我都进行了jsonwebtokens检查。我手动排除了以下路由。有没有更好的方法来排除某些路由?我该怎么做?

import * as express from 'express';
import * as jwt from 'jsonwebtoken';

import UserCtrl from './controllers/user';

export default function setRoutes(app) {

  const router = express.Router();

  // route middleware to verify a token
  router.use(function (req, res, next) {
    if ((req.method == 'POST' || req.method == 'OPTIONS') && (req.url == '/user' || req.url == '/login' || req.url == '/user/activate')) {
      next();
    } else {
      // check header or url parameters or post parameters for token
      var token = req.headers.authorization;
      // decode token
      if (token) {
        // verifies secret and checks exp
        jwt.verify(token, process.env.SECRET_TOKEN, function (err, decoded) {
          if (err) {
            return res.status(401).send({
              success: false,
              message: 'Sign in to continue.'
            });
          } else {
            // if everything is good, save to request for use in other routes
            next();
          }
        });
      } else {
        // if there is no token
        // return an error
        return res.status(401).send({
          success: false,
          message: 'Sign in to continue.'
        });
      }
    }
  });

  const userCtrl = new UserCtrl();

  router.route('/login').post(userCtrl.login);
  router.route('/user/activate').post(userCtrl.activate);
  router.route('/users').get(userCtrl.getAll);
  router.route('/users/count').get(userCtrl.count);
  router.route('/user').post(userCtrl.signup);
  router.route('/user/:id').get(userCtrl.get);
  router.route('/user/:id').put(userCtrl.update);
  router.route('/user/:id').delete(userCtrl.delete);

  app.use('/api/v1', router);
}
2个回答
12
您可以提取该函数(验证令牌的函数)并将其用作路由器中特定路由的中间件。这样,您就不必在函数内指定需要登录的路由。
像这样:

function isLoggedIn(req, res, next) {
    // check header or url parameters or post parameters for token
    var token = req.headers.authorization;
    // decode token
    if (token) {
        // verifies secret and checks exp
        jwt.verify(token, process.env.SECRET_TOKEN, function(err, decoded) {
            if (err) {
                return res.status(401).send({
                    success: false,
                    message: 'Sign in to continue.'
                });
            } else {
                // if everything is good, save to request for use in other routes
                next();
            }
        });
    } else {
        // if there is no token
        // return an error
        return res.status(401).send({
            success: false,
            message: 'Sign in to continue.'
        });
    }
}

const userCtrl = new UserCtrl();

// Routes that require no login
router.post('/login', userCtrl.login);
router.get('/users', userCtrl.getAll);
router.post('/user/activate', userCtrl.activate);

// Routes that require login
router.get('/users/count', isLoggedIn, userCtrl.count);
router.post('/user', isLoggedIn, userCtrl.signup);
router.get('/user/:id', isLoggedIn, userCtrl.get);
router.put('/user/:id', isLoggedIn, userCtrl.update);
router.delete('/user/:id', isLoggedIn, userCtrl.delete);

app.use('/api/v1', router);
您可以在此处阅读有关Express 中间件的更多信息。
5

你可以做到这一点

app.use(
  jwt({ secret, algorithms: ['HS256'] }).unless({ path: ['/foo/bar'] }),
);
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接