Role-based API access permissions in Next.js middleware



Is there a way to implement role-based permissions in middleware? I'm asking because I'd like a way to call getSession inside the middleware. Otherwise I'd have to implement a helper function hasPermissions(req), import it and call it in every file, which I'm trying to avoid. Thanks

If you don't want to use a third-party authentication server and want to do it yourself, you can write it with cookies and a JWT.

1- Set a JWT token when the user logs in. In next.js, when the user logs in, make a request to an API function, which should handle the login process:

// client side: no need to import jsonwebtoken here, the token is minted by the API route
// `email` and `ifToken` come from component state (e.g. useState); ifToken is only set
// when a passwordless provider has already handed you a token
const handleLoginWithEmail = async (e) => {
  e.preventDefault();
  if (email) {
    try {
      // ... add your logic, set state
      // make a request to the login API route
      const response = await fetch("/api/login", {
        method: "POST",
        headers: {
          // pass this if you are using passwordless or another service that needs a token
          Authorization: `Bearer ${ifToken}`,
          "Content-Type": "application/json",
        },
        body: JSON.stringify({ email }),
      });
    } catch (error) {
      console.error("Something went wrong logging in", error);
    }
  }
};

Your API function should create a JWT

import jwt from "jsonwebtoken";
import { setTokenCookie } from "../../lib/cookies"; // the step-2 helper; this path is an assumption

export default async function login(req, res) {
  if (req.method === "POST") {
    try {
      // if there is a bearer token from a passwordless provider, validate it here
      const auth = req.headers.authorization;
      // add your logic: look the user up and decide which claims go into the token
      const metadata = { userId: req.body?.email }; // placeholder, replace with your user lookup
      const token = jwt.sign(
        {
          ...metadata,
          iat: Math.floor(Date.now() / 1000),
          exp: Math.floor(Date.now() / 1000 + 7 * 24 * 60 * 60),
          // I just create a custom object
          roles: {
            "allowed-roles": ["user", "admin"],
            "default-role": "user",
            // you could decide the role based on email or userId. write your logic
            role: "user",
          },
        },
        process.env.JWT_SECRET,
        { algorithm: "HS256" } // pin the algorithm so verify can reject anything else
      );
      // set the token
      setTokenCookie(token, res);
      res.send({ done: true });
    } catch (error) {
      console.error("Something went wrong logging in", error);
      res.status(500).send({ done: false });
    }
  } else {
    res.status(405).send({ done: false });
  }
}

2- Write a set-cookie function used by the API function above

import cookie from "cookie";

const MAX_AGE = 7 * 24 * 60 * 60;

export const setTokenCookie = (token, res) => {
  const setCookie = cookie.serialize("token", token, {
    maxAge: MAX_AGE,
    expires: new Date(Date.now() + MAX_AGE * 1000),
    httpOnly: true, // keep the JWT out of reach of page scripts (XSS)
    sameSite: "lax", // the cookie is the session credential, so limit cross-site sending (CSRF)
    secure: process.env.NODE_ENV === "production",
    path: "/",
  });
  res.setHeader("Set-Cookie", setCookie);
};

3- Write a verify-token function

import jwt from "jsonwebtoken";

export async function verifyToken(token) {
  if (!token) return null;
  try {
    // jwt.verify throws on a bad signature or an expired token; pin the algorithm
    const decodedToken = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ["HS256"] });
    // userId comes from the metadata spread into the payload at login,
    // the role from the custom roles claim
    const userId = decodedToken?.userId;
    const role = decodedToken?.roles?.role;
    return { userId, role };
  } catch (error) {
    // invalid, expired or tampered token: treat as not logged in
    return null;
  }
}

4- Finally, in the _middleware.js function:

import { NextResponse } from "next/server";
import { verifyToken } from "../lib/auth"; // the step-3 helper; this path is an assumption

export async function middleware(req) {
  const token = req.cookies?.token ?? null; // Next.js 12.0/12.1 cookies object; 12.2+ uses req.cookies.get("token")?.value
  const session = await verifyToken(token);
  if (!session) return new Response("Unauthorized", { status: 401 });
  // got the role: add your per-route logic here, e.g. only admins under /api/admin
  if (req.nextUrl.pathname.startsWith("/api/admin") && session.role !== "admin") {
    return new Response("Forbidden", { status: 403 });
  }
  return NextResponse.next();
}
