我创建了如下作用域:
CURL POST /sql:
DEFINE SCOPE user SESSION 1d
SIGNUP ( CREATE user SET user = $user, pass = crypto::argon2::generate($pass) )
SIGNIN ( SELECT * FROM user WHERE user = $user AND crypto::argon2::compare(pass, $pass));
然后我注册如下:
{
"ns": "test",
"db": "test",
"sc": "user",
"email": "tobie@surrealdb.com",
"pass": "some password",
"marketing": true,
"tags": [
"rust",
"golang",
"javascript"
]
}
这里我收到:
{
"code": 200,
"details": "Authentication succeeded",
"token": "eyJ0eXAiOiJKV1QiLCJhbGciOEQiI6InRlc3QiLCJTQyI6InVzZXIiLCJJRCI6InVzZXI6czFiN3JzcnlxNW9jdDVmM2FrdHEifQ.oy7ox2QCqNDAyZnvRmGPoU2t3QmzB38J67ynpRVPfd8nXfRw0RQPunQ04KTrtzfQeNHB5Zv8-nN0HrOuqxG78w"
}
之后尝试登录:
{
"ns": "test",
"db": "test",
"sc": "user",
"email": "tobie@surrealdb.com",
"pass": "some password"
}
成功:
{
"code": 200,
"details": "Authentication succeeded",
"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpYXQiOjE2NzIwMzc4NTAsIm5iZiI6MTY3MjAzNzg1MCwiZXhwIjoxNjcyMTI0MjUwLCJpY-l8cGbHeW72CbBIswIro-Tlan-QZuJFHVTIhUCP-1k1m-z8-YM7JYbXWT9IgPskKgzRDCJSt6iXmV-jw"
}
但是当我这样做的时候:
{
"ns": "test",
"db": "test",
"sc": "user",
"email": "tobiedsfds2@surrealdb.com",
"pass": "some password"
}
正如你所看到的,我在没有注册的电子邮件中添加了一些随机字符,我仍然得到了200个响应。同样,当我尝试用一个重复的电子邮件注册时,也成功了。
有什么解释可能有助于理解这里发生的事情吗?
在根设置中,您应该启用这个
---define SCHEMAFULL and PERMISSIONS
DEFINE TABLE user SCHEMAFULL
PERMISSIONS
FOR select, update WHERE id = $auth.id,
FOR create, delete NONE;
--- define FIELD's
DEFINE FIELD user ON user TYPE string;
DEFINE FIELD pass ON user TYPE string;
DEFINE FIELD settings.* ON user TYPE object;
DEFINE FIELD settings.marketing ON user TYPE string;
DEFINE FIELD tags ON user TYPE array;
-- Give the user table an email field. Store it in a string
DEFINE FIELD email ON TABLE user TYPE string
-- Make this field required
ASSERT $value != NONE
-- Check if the value is a properly formatted email address
AND is::email($value);
--- define INDEX's
---DEFINE INDEX idx_user ON user COLUMNS user UNIQUE;
DEFINE INDEX idx_email ON user COLUMNS email UNIQUE;
从AND is::email($value);行可以看出,它确保它是唯一的。另外,请确保不要将请求发送到注册端点
如果用户已经登录,则必须退出才能尝试新用户。您应该使用db.invalidate()清除以前的任何身份验证信息并尝试使用新用户,如果您这样做,您应该无法使用随机用户凭据进行身份验证。来源:https://surrealdb.com/docs/integration/sdks/nodejs#invalidate