原文:https://www.codexpedia.com/node-js/a-very-basic-session-auth-in-node-js-with-express-js/

---------------------------------------------------------------------------------------------------------------------

Authentication is the process of verifying if the user is in fact who he/she is declared to be. Authorization is the process of determining if the user has the privileges to access the resources he/she requested.
This node.js code snippet demonstrated a very simple example of authentication and authorization process using session in express.js. There is a login endpoint, a logout endpoint and get post page. To see the post page, you have to login first, and your identity will be verified and saved in session. When you hit the logout endpoint, it will revoke your access by removing your identity from the session.
session_auth.js

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
var express = require('express'),
    app = express(),
    session = require('express-session');
app.use(session({
    secret: '2C44-4D44-WppQ38S',
    resave: true,
    saveUninitialized: true
}));
 
// Authentication and Authorization Middleware
var auth = function(req, res, next) {
  if (req.session && req.session.user === "amy" && req.session.admin)
    return next();
  else
    return res.sendStatus(401);
};
 
// Login endpoint
app.get('/login', function (req, res) {
  if (!req.query.username || !req.query.password) {
    res.send('login failed');   
  } else if(req.query.username === "amy" || req.query.password === "amyspassword") {
    req.session.user = "amy";
    req.session.admin = true;
    res.send("login success!");
  }
});
 
// Logout endpoint
app.get('/logout', function (req, res) {
  req.session.destroy();
  res.send("logout success!");
});
 
// Get content endpoint
app.get('/content', auth, function (req, res) {
    res.send("You can only see this after you've logged in.");
});
 
app.listen(3000);
console.log("app running at http://localhost:3000");

To run the above code from command line

1
2
3
npm install express
npm install express-session
node session_auth.js &

Visit these urls in a browser
localhost:3000/content
localhost:3000/login?username=amy&password=amyspassword
localhost:3000/content
localhost:3000/logout
localhost:3000/content

Code explanation
Import express and express-session modules. Create express app and add session to express app as a middleware.

1
2
3
4
5
6
7
8
var express = require('express'),
    app = express(),
    session = require('express-session');
app.use(session({
    secret: '2C44-4D44-WppQ38S',
    resave: true,
    saveUninitialized: true
}));

Authentication and authorization middleware function. Grant the next step if the user is amy and if she has the admin access. The values to check against is hardcoded for demonstration purpose. A real web app will get the user and user access level from session, and then check against the user and user access lever from a database on the server.

1
2
3
4
5
6
7
// Authentication and Authorization Middleware
var auth = function(req, res, next) {
  if (req.session && req.session.user === "amy" && req.session.admin)
    return next();
  else
    return res.sendStatus(401);
};

localhost:3000/login?username=amy&password=amyspassword, the login url to check log the user in by saving the user and user access level in a session. The session will be different for each user, and also be unique for the same user using different browsers. For example, if the same user logged in using Chrome, and the open up Firefox, the user will have to login again in FireFox in order to gain protected resources. For demonstration purpose, this is a get request and passing in the info through query parameters. A real web app will usually be using a post request and passing in the data in the post form. Again the user and passwords are hardcoded here for demonstration purpose. A real web app will check the incoming user and password against the user and password stored in a database on there server.

1
2
3
4
5
6
7
8
9
10
// Login endpoint
app.get('/login', function (req, res) {
  if (!req.query.username || !req.query.password) {
    res.send('login failed');   
  } else if(req.query.username === "amy" || req.query.password === "amyspassword") {
    req.session.user = "amy";
    req.session.admin = true;
    res.send("login success!");
  }
});

localhost:3000/logout, logout by destroy the session. Once the session is destroyed, the user will have to hit the login url again in order to gain protected resources.

1
2
3
4
5
// Logout endpoint
app.get('/logout', function (req, res) {
  req.session.destroy();
  res.send("logout success!");
});

localhost:3000/content, get the protected contents. The auth function above is passed in the second parameters as a middleware before it proceed to serve the content to the user. If the auth function determined the user is not valid, it will not proceed to the thrid function to serve the content.

1
2
3
4
// Get content endpoint
app.get('/content', auth, function (req, res) {
    res.send("You can only see this after you've logged in.");
});

Lastly, start the app by listening on port 3000.

1
2
app.listen(3000);
console.log("app running at http://localhost:3000");

nodejs 项目的session验证的更多相关文章

  1. Silverlight调用网站项目的Session

    项目中遇到Silverlight调网站Session的问题了,试了几种方法,用这种方法获取到了,如果有不对不恰当的地方,还望各路大神给指正出来. 解决方法: 1.Silverlight调用网站的接口 ...

  2. 使用spring-session共享springmvc项目的session

    一.说在前面 spring mvc项目,使用nginx,tomcat部署. 之前没做session共享,而nginx采用sticky模块进行分发. 但发现有时不能正确地指向同一台服务器,从而导致ses ...

  3. [转]同一个tomcat不同项目的session共享问题

    问题描述: session常常用来存储一些公共信息供不同页面访问,比如用户登录信息.访问同一个tomcat下的不同项目所创建的session是不一样的.自然地面临了如何共享session的问题. 解决 ...

  4. nodejs项目的model操作mongo

    想想以前学习hibernate的时候,学习各种表和表之间的映射关系等一对多,多对一,多对多,后来到了工作中,勇哥告诉我, 那时在学习的时候,公司中都直接用外键关联. 这里我们学习下,如何在Nodejs ...

  5. 应用集成-在Hexo、Hugo博客框架中使用Gitalk基于Github上仓库项目的issue无后端服务评论系统实践

    关注「WeiyiGeek」公众号 设为「特别关注」每天带你玩转网络安全运维.应用开发.物联网IOT学习! 希望各位看友[关注.点赞.评论.收藏.投币],助力每一个梦想. 本章目录 目录 0x00 Gi ...

  6. 老项目的#iPhone6于iPhone6Plus适配#iPhone6分辨率与适配

    技术博客http://www.cnblogs.com/ChenYilong/    本文永久地址为http://www.cnblogs.com/ChenYilong/p/4011744.html ,转 ...

  7. 更换已存在项目的svn的地址

      CreateTime--2017年11月23日16:20:14 Author:Marydon 如何更换已存在项目的svn的地址? 参考链接:http://blog.csdn.net/sinat_2 ...

  8. PHP项目的“苦逼”经历与思考

    PHP项目的"苦逼"经历与思考 PHP零基础.但因为项目人手不够的原因,被安排到一个用户"定制"项目. 该项目是用PHP生成的统计数据报表. 而用户又有新的3个 ...

  9. maven项目的pom.xml文件详解

    <project xmlns="http://maven.apache.org/POM/4.0.0 " 2 xmlns:xsi="http://www.w3.org ...

随机推荐

  1. STM32F4 Timer External Clock TI2 Both Edges Demo

    #define CLK_FREQ ( 10000 ) #define CORE_FREQ ( 168000000 ) static void TIM_GPIO_Config( void ) { GPI ...

  2. STM32F4 Timer simplified block diagram

    Timers TIM1 and TIM8 use 16-bit counters and are the most complex timers of all timers included in t ...

  3. 使用JavaScript的数组实现数据结构中的队列与堆栈

    今天在项目中要使用JavaScript实现数据结构中的队列和堆栈,这里做一下总结. 一.队列和堆栈的简单介绍 1.1.队列的基本概念 队列:是一种支持先进先出(FIFO)的集合,即先被插入的数据,先被 ...

  4. MongoDB C# 驱动的各种版本下载地址

    https://github.com/mongodb/mongo-csharp-driver/releases

  5. 使用 MVVMLight 命令绑定(转)

    继上一篇文章的项目,我们实现了数据绑定到界面中.这篇文章我们将实现把命令绑定到按钮上,在XAML中的Button之类的都会有个Command属性可以让我们来绑定命令使用. 首先我们要实现的目标是,在界 ...

  6. 【docker】docker的简单状态监控

    命令: docker stats 可以使用占位符,显示想要看的信息: docker stats --format "table {{.Container}}\t{{.CPUPerc}}\t{ ...

  7. Android Initializing a Build Environment

    from://https://source.android.com/source/initializing.html#next-download-the-source Initializing a B ...

  8. YII框架分析笔记2:组件和事件行为管理

    Yii是一个基于组件.用于开发大型 Web 应用的高性能 PHP 框架.CComponent几乎是所有类的基类,它控制着组件与事件的管理,其方法与属性如下,私有变量$_e数据存放事件(evnet,有些 ...

  9. mysql update select

    根据文件名 更新外键ID UPDATE tb_obj  INNER JOIN tb_img ON tb_img.filename=tb_obj.filename  SET tb_objinfo.img ...

  10. [Android Pro] AndroidStudio IDE界面插件开发(进阶篇之Action机制)

    转载请注明出处:[huachao1001的专栏:http://blog.csdn.net/huachao1001/article/details/53883500] 从上一篇<AndroidSt ...