我有一个删除操作作为我构建的 NodeJS API 的一部分。此删除应执行以下操作:
- 删除具有提供的 ID 的播放器对象
- 它不应删除其他用户创建的播放器。
在测试中,如果播放器是由其他用户创建的,则它会通过,但在尝试删除对象时会失败。这是代码:
router.delete('/:id', validateBearerToken, function(req, res) {
let playerId = req.params.id;
//get player object
let player = Player.find({created_by: playerId
}, function(err) {
if (err) return res.status(409).send('There was a problem finding the players.');
});
if (player.created_by !== getUserFromBearerToken(req.token)) {
return res.status(404).send('The player not created by this user');
}
Player.findByIdAndRemove(playerId, function(err) {
if (err) {
return res.status(404).send('There was a problem deleting the player.');
}
res.status(200).send({
success: true
});
});
});
validateBearerToken用于检查执行删除操作的用户是否有效
function validateBearerToken(req, res, next) {
let bearerToken;
let bearerHeader = req.headers.authorization;
if (typeof bearerHeader !== 'undefined') {
let bearer = bearerHeader.split('Bearer ');
bearerToken = bearer[1];
req.token = bearerToken;
next();
} else {
res.status(403).send();
}
}
gertUserFromBearerToken用于获取登录用户的id,以与测试中的"created_by"ID进行比较:
function getUserFromBearerToken(token) {
const decodedtoken = jwt.decode(token, process.env.JWT_SECRET);
return decodedtoken.id;
}
你验证中间件(validateBearerToken(应该是这样的
function validateBearerToken(req, res, next) {
var token = req.headers.authorization || req.headers['x-access-token'];
if (!token)
return res.status(403).send({ auth: false, message: 'No token provided.' });
jwt.verify(token, process.env.JWT_SECRET, function(err, decoded) {
if (err)
return res.status(500).send({ auth: false, message: 'Failed to authenticate token.' });
// if everything good, save to request for use in other routes
req.userId = decoded.id;
next();
});
}
然后在删除路由中检查像这样的ID
if (player.created_by !== req.userId) {
return res.status(404).send('The player not created by this user');
}