你好,
我正在尝试建立一个登录系统,客户端和管理员都可以登录。如果用户是管理员,那么他/她将被重定向到管理面板。如果不是,那么用户将被重定向至网店的主页。我在身份验证的逻辑方面有点吃力。我正在尝试确定用户是否登录。如果是,则我通过检查"isAdmin"是真是假来验证用户角色。我通过在数据库中查找isAdmin状态来查找用户。我正在使用jwt令牌来获取用户的状态。
身份验证:
const { verify } = require("jsonwebtoken");
const userModel = require("../model/userModel");
// const isAuth = req => {
// const authorization = req.headers["authorization"];
// if (!authorization) throw new Error("You need to login");
// const token = authorization.split(" ")[1];
// const { userId } = verify(token, process.env.ACCESS_TOKEN_SECRET);
// return userId;
// };
const isAuth = (req, res, next) => {
const token = req.header("auth-token");
if (!token) return res.status(401).send("Access denied");
//verifying the token then sending the id back of the user
try {
const verified = verify(token, process.env.SECRET);
req.user = verified;
next();
} catch (err) {
res.status(400).send("Invalid");
}
};
//isAdmin
const isAdmin = async (req, res, next) => {
const token = req.header("auth-token");
if (!token) return res.status(401).send("No User");
try {
const verified = verify(token, process.env.SECRET);
req.user = verified;
let user = await userModel.findOne({ isAdmin });
if (req.user && user.isAdmin === true) {
return next();
}
} catch (err) {
return res.status(401).send({ msg: "Admin token is not valid" });
}
};
//check user
// const checkUser = (req, res, next) => {
// //get token from cookies
// const token = req.cookies.jwt;
// //check if token exists
// if (token) {
// verify(token, process.env.SECRET, async (err, decode) => {
// if (err) {
// console.log(err.message);
// next();
// res.locals.user = null;
// } else {
// console.log(decode);
// next();
// let user = await userModel.findOne(decode.isAdmin);
// res.local.user = user;
// next();
// }
// });
// } else {
// }
// };
module.exports = {
isAuth,
isAdmin,
};
路线:
router.post("/login", async (req, res) => {
const user = await User.findOne({ email: req.body.email });
if (!user) res.send({ error: "User does not exists" });
const validPass = await compare(req.body.password, user.password);
if (!validPass) {
return res.json({ error: "email or password is incorrect" });
}
const token = sign(
{ _id: user._id, isAdmin: user.isAdmin },
process.env.SECRET,
{
expiresIn: "24h",
},
);
res.header("auth-token", token).send({
token,
email: req.body.email,
id: user._id,
});
});
router.get("/adminPanel", isAdmin, isAuth, (req, res) => {
res.json({
title: "ADMIN PANEL",
});
});
基于我对您的问题的评论的代码
const { verify } = require("jsonwebtoken");
const userModel = require("../model/userModel");
const isAuth = (req, res, next) => {
const token = req.header("auth-token");
if (!token) return res.status(401).send("Access denied");
try {
const verified = verify(token, process.env.SECRET);
req.user = verified;
console.log('Am i admin?', req.user.isAdmin);
next();
} catch (err) {
res.status(400).send("Invalid token");
}
};
const isAdmin = async (req, res, next) => {
// no need to verify token again
// the `req.user.isAdmin` is already available from isAuth
// also no need to query a database, we have all the info we need from the token
if (!req.user.isAdmin)
return res.status(401).send({ msg: "Not an admin, sorry" });
next();
};
router.post("/login", async (req, res) => {
const user = findUserSomehow();
const token = sign({ _id: user._id, isAdmin: user.isAdmin }, process.env.SECRET, { expiresIn: "24h" });
res.header("auth-token", token).send({
token,
email: req.body.email,
id: user._id,
});
});
// notice the order of middlewares, isAuth first
router.get("/adminPanel", isAuth, isAdmin, (req, res) => {
res.json({
title: "ADMIN PANEL",
});
});