为什么我在 Express 中带着 Authorization 头调用 API 时会得到 403？



这是我的代码：如果 cookie 中带有授权信息，我就保存它，否则响应 403。
token.js 中：

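// Bearer-token extraction middleware (token.js).
//
// Reads the `Authorization: <scheme> <token>` header, stores the token part on
// `req.token` and hands off to the next handler. Requests without a usable
// header are rejected with 403 and the original message.
//
// Fix: the original called `res.sendStatus(403).send(...)`. `sendStatus`
// already ends the response, so the chained `send` tried to write a second
// response (Express raises "Cannot set headers after they are sent").
// `res.status(403)` only sets the code and lets `send` emit the body once.
module.exports = (req, res, next) => {
  const bearerHeader = req.headers['authorization'];
  console.log('verifyToken token=', bearerHeader);
  // Header shape is "<scheme> <token>"; only the token part is kept. A header
  // with no token part (e.g. a bare "Bearer") is rejected instead of passing
  // an undefined token downstream.
  const bearerToken = bearerHeader ? bearerHeader.split(' ')[1] : undefined;
  if (!bearerToken) {
    // Forbidden
    console.log('Forbidden');
    res.status(403).send('A token is required for authentication');
    return;
  }
  req.token = bearerToken;
  next();
};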

api.js 中：

const verifyToken = require('../tools/token.js')
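// POST /metadata — forwards the caller's bearer token to the upstream
// `src + '/record/metadata'` endpoint and relays the upstream JSON body.
//
// Two defects in the original:
// 1. `const res = await axios.post(...)` shadowed Express's `res`, so the
//    success path called `writeHead`/`send` on the axios response object and
//    the catch path's `res.writeHead(401)` never ended the client response.
// 2. The incoming header is already `Bearer <token>` (that is what
//    `verifyToken` splits on), so prefixing `'Bearer '` again produced
//    `Bearer Bearer <token>` upstream — a malformed credential the upstream
//    rejects with 403. Only the token part, `req.token`, is re-prefixed now.
router.post('/metadata', verifyToken, async (req, res, next) => {
  console.log('api token =', req.headers['authorization']);
  // `verifyToken` has already stored the token part of the header on req.token.
  const config = { headers: { Authorization: `Bearer ${req.token}` } };
  try {
    const upstream = await axios.post(`${src}/record/metadata`, '', config);
    console.log('data=', upstream.data);
    res.status(200).json(upstream.data);
  } catch (err) {
    console.error(err);
    // Relay the upstream status when axios attached one, so an upstream 403
    // is not reported to the client as 401; fall back to 401 otherwise.
    const status = err.response && err.response.status ? err.response.status : 401;
    res.sendStatus(status);
  }
});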

得到的错误：

Error: Request failed with status code 403
    at createError (C:\Users\qq861\rabbit-backend\node_modules\axios\lib\core\createError.js:16:15)
    at settle (C:\Users\qq861\rabbit-backend\node_modules\axios\lib\core\settle.js:17:12)
    at IncomingMessage.handleStreamEnd (C:\Users\qq861\rabbit-backend\node_modules\axios\lib\adapters\http.js:269:11)
    at IncomingMessage.emit (events.js:412:35)
    at endReadableNT (internal/streams/readable.js:1334:12)
    at processTicksAndRejections (internal/process/task_queues.js:82:21) {

当我调用测试 API 时，状态是 200；
但如果我带着授权头调用其他 API，就会响应 403。
我想知道为什么已经带了授权头，却仍然得到 403 禁止访问……？

/**
 * POST login handler: checks the submitted email/password against the stored
 * bcrypt hash and answers with a signed JWT plus the user's id.
 *
 * Failures are handed to `next(err)` with `err.statusCode` set: 401 for an
 * unknown email or a wrong password, 500 for anything else.
 *
 * NOTE(review): the signing secret is a literal in this file and has to match
 * the one the verify middleware uses; it belongs in configuration rather than
 * source. The two 401 messages also differ, so a caller can tell whether an
 * email is registered.
 */
exports.login = async (req, res, next) => {
  const { email, password } = req.body;
  try {
    const user = await User.findOne({ email });
    if (!user) {
      const error = new Error("A user with this email could not be found.");
      error.statusCode = 401;
      throw error;
    }
    const passwordMatches = await bcrypt.compare(password, user.password);
    if (!passwordMatches) {
      const error = new Error("Wrong password!");
      error.statusCode = 401;
      throw error;
    }
    const userId = user._id.toString();
    // Short-lived token carrying only what the verify middleware reads.
    const token = jwt.sign(
      { email: user.email, userId },
      "somesupersecretsecret",
      { expiresIn: "1h" }
    );
    res.status(200).json({ token, userId });
  } catch (err) {
    // Errors raised above already carry a code; anything else is a server fault.
    err.statusCode = err.statusCode || 500;
    next(err);
  }
};

之后，您需要创建一个认证中间件。用户成功登录时，重点是生成令牌；随后要注意如何拆分并校验 JWT 令牌。

const jwt = require('jsonwebtoken');
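/**
 * JWT authentication middleware.
 *
 * Expects `Authorization: <scheme> <token>`, verifies the token part with the
 * shared secret and exposes the payload's `userId` on `req.userId`.
 *
 * Errors are thrown with `statusCode` so the app's error handler can map them.
 * Fix relative to the original: a token that fails verification (malformed,
 * bad signature, expired) is a rejected credential and is now reported as 401
 * instead of 500; a header with no token part is rejected up front instead of
 * being handed to `jwt.verify`.
 *
 * NOTE(review): the secret literal must stay identical to the one used when
 * signing in the login handler; it belongs in configuration, not source.
 */
module.exports = (req, res, next) => {
  const authHeader = req.get('Authorization');
  if (!authHeader) {
    const error = new Error('Not authenticated.');
    error.statusCode = 401;
    throw error;
  }
  // "<scheme> <token>": only the token part is verified.
  const token = authHeader.split(' ')[1];
  if (!token) {
    const error = new Error('Not authenticated.');
    error.statusCode = 401;
    throw error;
  }
  let decodedToken;
  try {
    decodedToken = jwt.verify(token, 'somesupersecretsecret');
  } catch (err) {
    // Verification failures are a problem with the presented credential,
    // not a server fault.
    err.statusCode = 401;
    throw err;
  }
  if (!decodedToken) {
    const error = new Error('Not authenticated.');
    error.statusCode = 401;
    throw error;
  }
  req.userId = decodedToken.userId;
  next();
};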
