每当我在路由中使用checkadmin中间件时,我都有一个空的req.user问题
因此,我正在尝试使此中间件检查用户的角色是否允许他创建一个新用户,但是它是失败的,当我从路由中删除中间件时,系统可以正常工作并保存用户(OFC没有(检查是否是管理员(
这是我的路线文件:
const express = require('express');
const UserController = require('../controllers/user');
const { verificaToken, verificaAdminRol } = require('../middlewares/autenticacion');
const api = express.Router();
api.get('/home', UserController.home);
api.post('/login', UserController.loginUser);
api.post('/save', [verificaAdminRol, verificaToken], UserController.saveUser);
api.get('/listar/:id', verificaToken, UserController.getUsuario);
api.get('/listar', verificaToken, UserController.getAllUsers);
api.put('/actualizar/:id', verificaToken, UserController.actualizarUsuario);
module.exports = api;
这是我的控制器文件:
const bcrypt = require('bcrypt');
const jwt = require('jsonwebtoken');
const _ = require('underscore');
//Importar modelo
const User = require('../models/user');
function home(req, res) {
res.json({ ok: true, msg: "home de usuarios" });
}
function saveUser(req, res) {
//Recibimos los datos enviados
let body = req.body;
//Se crea un nuevo Objeto Usuario con los datos recibidos
let user = new User({
name: body.name,
surname: body.surname,
nick: body.nick,
email: body.email,
//Encriptación del password
password: bcrypt.hashSync(body.password, 10),
role: body.role
});
//Se guarda el user en la BD
user.save((err, usuarioDB) => {
if (err) {
return res.status(400).json({
ok: false,
msg: `Error ${err}`
})
}
return res.send({
ok: true,
user: usuarioDB,
msg: "Usuario creado exitosamente."
})
});
}
function loginUser(req, res) {
let body = req.body;
User.findOne({ email: body.email }, (err, usuarioDB) => {
if (err) {
return res.status(500).json({ ok: false, msg: `Error ${err}` });
}
if (!usuarioDB) {
return res.status(400).json({ ok: false, msg: "Email incorrecto" });
}
if (!bcrypt.compareSync(body.password, usuarioDB.password)) {
return res.status(400).json({ ok: false, msg: "Password incorrecto" });
}
//creando el token
let token = jwt.sign({
user: usuarioDB
}, process.env.SEED, { expiresIn: process.env.CADUCIDAD_TOKEN });
if (usuarioDB) {
return res.send({
ok: true,
user: usuarioDB,
token
})
}
});
}
module.exports = {
home,
saveUser,
loginUser
}
这是我的中间件文件:
const jwt = require('jsonwebtoken');
//==============================================
//Verificar que el token sea válido
//==============================================
let verificaToken = (req, res, next) => {
//1- Leer el token que viene en el header llamado 'token'
let token = req.get('token');
//token, semilla, callback(error, objeto desencriptado)
jwt.verify(token, process.env.SEED, (err, decoded) => {
if (err) {
return res.status(401).json({
ok: false,
err: {
message: "Token no válido."
}
});
}
req.user = decoded.user;
next();
});
};
//====================================================================
//Verificar que el usuario sea ADMIN para crear, actualizar y eliminar
//====================================================================
//this is the one with the problem
let verificaAdminRol = (req, res, next) => {
let usuario = req.user;
if (usuario.role === 'ADMIN') {
next(); //puedo continuar, pasó la verificación
} else {
return res.json({
ok: false,
message: "Debe tener privilegios de ADMIN para poder realizar esta operación"
});
}
};
module.exports = {
verificaToken,
verificaAdminRol
}
最后,这是我尝试使用" verificaadminrol"中间件创建新用户时遇到的错误:
TypeError: Cannot read property 'role' of undefined
at verificaAdminRol (C:UsersgorydevDocumentsDevelopmentudemyred-socialmiddlewaresautenticacion.js:35:17)
at Layer.handle [as handle_request] (C:UsersgorydevDocumentsDevelopmentudemyred-socialnode_modulesexpresslibrouterlayer.js:95:5)
at next (C:UsersgorydevDocumentsDevelopmentudemyred-socialnode_modulesexpresslibrouterroute.js:137:13)
at Route.dispatch (C:UsersgorydevDocumentsDevelopmentudemyred-socialnode_modulesexpresslibrouterroute.js:112:3)
at Layer.handle [as handle_request] (C:UsersgorydevDocumentsDevelopmentudemyred-socialnode_modulesexpresslibrouterlayer.js:95:5)
at C:UsersgorydevDocumentsDevelopmentudemyred-socialnode_modulesexpresslibrouterindex.js:281:22
at Function.process_params (C:UsersgorydevDocumentsDevelopmentudemyred-socialnode_modulesexpresslibrouterindex.js:335:12)
at next (C:UsersgorydevDocumentsDevelopmentudemyred-socialnode_modulesexpresslibrouterindex.js:275:10)
at Function.handle (C:UsersgorydevDocumentsDevelopmentudemyred-socialnode_modulesexpresslibrouterindex.js:174:3)
at router (C:UsersgorydevDocumentsDevelopmentudemyred-socialnode_modulesexpresslibrouterindex.js:47:12)
at Layer.handle [as handle_request] (C:UsersgorydevDocumentsDevelopmentudemyred-socialnode_modulesexpresslibrouterlayer.js:95:5)
at trim_prefix (C:UsersgorydevDocumentsDevelopmentudemyred-socialnode_modulesexpresslibrouterindex.js:317:13)
at C:UsersgorydevDocumentsDevelopmentudemyred-socialnode_modulesexpresslibrouterindex.js:284:7
at Function.process_params (C:UsersgorydevDocumentsDevelopmentudemyred-socialnode_modulesexpresslibrouterindex.js:335:12)
at next (C:UsersgorydevDocumentsDevelopmentudemyred-socialnode_modulesexpresslibrouterindex.js:275:10)
at jsonParser (C:UsersgorydevDocumentsDevelopmentudemyred-socialnode_modulesbody-parserlibtypesjson.js:101:7)
我的项目结构是:
/project
->/controllers
---->user.js
->/middlewares
---->autenticacion.js
->/models
---->user.js
->/routes
---->user.js
我相信您的中间件不订购。您的中间件verificaToken
设置您的req.user
值,但它是在访问该值的verificaAdminRol
之后运行的。请参阅此处:
api.post('/save', [verificaAdminRol, verificaToken], UserController.saveUser);
需要:
api.post('/save', [verificaToken, verificaAdminRol], UserController.saveUser);
让我知道这是否有效。
编辑:旁注。最佳实践说您不应直接写入req
对象。Express提供req.locals
以按请求为基础,以传递中间件和路由之间的值。只是一个建议。