原文:https://www.codexpedia.com/node-js/a-very-basic-session-auth-in-node-js-with-express-js/

---------------------------------------------------------------------------------------------------------------------

Authentication is the process of verifying if the user is in fact who he/she is declared to be. Authorization is the process of determining if the user has the privileges to access the resources he/she requested.
This node.js code snippet demonstrated a very simple example of authentication and authorization process using session in express.js. There is a login endpoint, a logout endpoint and get post page. To see the post page, you have to login first, and your identity will be verified and saved in session. When you hit the logout endpoint, it will revoke your access by removing your identity from the session.
session_auth.js

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
var express = require('express'),
    app = express(),
    session = require('express-session');
app.use(session({
    secret: '2C44-4D44-WppQ38S',
    resave: true,
    saveUninitialized: true
}));
 
// Authentication and Authorization Middleware
var auth = function(req, res, next) {
  if (req.session && req.session.user === "amy" && req.session.admin)
    return next();
  else
    return res.sendStatus(401);
};
 
// Login endpoint
app.get('/login', function (req, res) {
  if (!req.query.username || !req.query.password) {
    res.send('login failed');   
  } else if(req.query.username === "amy" || req.query.password === "amyspassword") {
    req.session.user = "amy";
    req.session.admin = true;
    res.send("login success!");
  }
});
 
// Logout endpoint
app.get('/logout', function (req, res) {
  req.session.destroy();
  res.send("logout success!");
});
 
// Get content endpoint
app.get('/content', auth, function (req, res) {
    res.send("You can only see this after you've logged in.");
});
 
app.listen(3000);
console.log("app running at http://localhost:3000");

To run the above code from command line

1
2
3
npm install express
npm install express-session
node session_auth.js &

Visit these urls in a browser
localhost:3000/content
localhost:3000/login?username=amy&password=amyspassword
localhost:3000/content
localhost:3000/logout
localhost:3000/content

Code explanation
Import express and express-session modules. Create express app and add session to express app as a middleware.

1
2
3
4
5
6
7
8
var express = require('express'),
    app = express(),
    session = require('express-session');
app.use(session({
    secret: '2C44-4D44-WppQ38S',
    resave: true,
    saveUninitialized: true
}));

Authentication and authorization middleware function. Grant the next step if the user is amy and if she has the admin access. The values to check against is hardcoded for demonstration purpose. A real web app will get the user and user access level from session, and then check against the user and user access lever from a database on the server.

1
2
3
4
5
6
7
// Authentication and Authorization Middleware
var auth = function(req, res, next) {
  if (req.session && req.session.user === "amy" && req.session.admin)
    return next();
  else
    return res.sendStatus(401);
};

localhost:3000/login?username=amy&password=amyspassword, the login url to check log the user in by saving the user and user access level in a session. The session will be different for each user, and also be unique for the same user using different browsers. For example, if the same user logged in using Chrome, and the open up Firefox, the user will have to login again in FireFox in order to gain protected resources. For demonstration purpose, this is a get request and passing in the info through query parameters. A real web app will usually be using a post request and passing in the data in the post form. Again the user and passwords are hardcoded here for demonstration purpose. A real web app will check the incoming user and password against the user and password stored in a database on there server.

1
2
3
4
5
6
7
8
9
10
// Login endpoint
app.get('/login', function (req, res) {
  if (!req.query.username || !req.query.password) {
    res.send('login failed');   
  } else if(req.query.username === "amy" || req.query.password === "amyspassword") {
    req.session.user = "amy";
    req.session.admin = true;
    res.send("login success!");
  }
});

localhost:3000/logout, logout by destroy the session. Once the session is destroyed, the user will have to hit the login url again in order to gain protected resources.

1
2
3
4
5
// Logout endpoint
app.get('/logout', function (req, res) {
  req.session.destroy();
  res.send("logout success!");
});

localhost:3000/content, get the protected contents. The auth function above is passed in the second parameters as a middleware before it proceed to serve the content to the user. If the auth function determined the user is not valid, it will not proceed to the thrid function to serve the content.

1
2
3
4
// Get content endpoint
app.get('/content', auth, function (req, res) {
    res.send("You can only see this after you've logged in.");
});

Lastly, start the app by listening on port 3000.

1
2
app.listen(3000);
console.log("app running at http://localhost:3000");

nodejs 项目的session验证的更多相关文章

  1. Silverlight调用网站项目的Session

    项目中遇到Silverlight调网站Session的问题了,试了几种方法,用这种方法获取到了,如果有不对不恰当的地方,还望各路大神给指正出来. 解决方法: 1.Silverlight调用网站的接口 ...

  2. 使用spring-session共享springmvc项目的session

    一.说在前面 spring mvc项目,使用nginx,tomcat部署. 之前没做session共享,而nginx采用sticky模块进行分发. 但发现有时不能正确地指向同一台服务器,从而导致ses ...

  3. [转]同一个tomcat不同项目的session共享问题

    问题描述: session常常用来存储一些公共信息供不同页面访问,比如用户登录信息.访问同一个tomcat下的不同项目所创建的session是不一样的.自然地面临了如何共享session的问题. 解决 ...

  4. nodejs项目的model操作mongo

    想想以前学习hibernate的时候,学习各种表和表之间的映射关系等一对多,多对一,多对多,后来到了工作中,勇哥告诉我, 那时在学习的时候,公司中都直接用外键关联. 这里我们学习下,如何在Nodejs ...

  5. 应用集成-在Hexo、Hugo博客框架中使用Gitalk基于Github上仓库项目的issue无后端服务评论系统实践

    关注「WeiyiGeek」公众号 设为「特别关注」每天带你玩转网络安全运维.应用开发.物联网IOT学习! 希望各位看友[关注.点赞.评论.收藏.投币],助力每一个梦想. 本章目录 目录 0x00 Gi ...

  6. 老项目的#iPhone6于iPhone6Plus适配#iPhone6分辨率与适配

    技术博客http://www.cnblogs.com/ChenYilong/    本文永久地址为http://www.cnblogs.com/ChenYilong/p/4011744.html ,转 ...

  7. 更换已存在项目的svn的地址

      CreateTime--2017年11月23日16:20:14 Author:Marydon 如何更换已存在项目的svn的地址? 参考链接:http://blog.csdn.net/sinat_2 ...

  8. PHP项目的“苦逼”经历与思考

    PHP项目的"苦逼"经历与思考 PHP零基础.但因为项目人手不够的原因,被安排到一个用户"定制"项目. 该项目是用PHP生成的统计数据报表. 而用户又有新的3个 ...

  9. maven项目的pom.xml文件详解

    <project xmlns="http://maven.apache.org/POM/4.0.0 " 2 xmlns:xsi="http://www.w3.org ...

随机推荐

  1. Fiddler_解决Fiddler查看Post参数中文乱码的问题

    解决Fiddler查看Post参数中文乱码的问题 今天一个同事问我,为什么用Fiddler查看Post的中文参数,是一堆乱码,如下: 需要在注册表中增加一个键值: HKEY_CURRENT_USER\ ...

  2. 使用CefSharp在.Net程序中嵌入Chrome浏览器(七)——右键菜单

    一个常用的功能就是禁止浏览器本身的右键菜单,靠在WPF中拦截鼠标事件是不行的,可以通过设置MenuHandler来实现. 首先实现一个IContextMenuHandler. public class ...

  3. ARM JTAG 调试原理

    ARM JTAG 调试原理 JTAG的接口是一种特殊的4/5个接脚接口连到芯片上 ,所以在电路版上的很多芯片可以将他们的JTAG接脚 通过Daisy Chain的方式连在一起,并且Probe只需连接到 ...

  4. Linux/CentOS服务器 一个网卡绑定多IP地址(永久设置)

    有时我们在使用 Linux 服务器时需要配置多个IP地址.如果要配置多个IP地址是否需要多块网卡呢?答案是否定的.以 CentOS 系统为例,多个 IP 地址是可以共享一块物理网卡的. 如何永久为单网 ...

  5. 自己动手写Vue插件Toast

    <style> .vue-toast { width: 100%; height: 100%; position: fixed; top: 0px; left: 0px; backgrou ...

  6. 为什么MacBook装Windows这么火?

    Mac到底要不要装Windows?一直以来这都是个很有争议性的话题.只要你经常浏览国内一些知名Mac论坛,就会发现那里不仅有各种Mac装Windows教学贴.讨论区,而且时不时还会冒出关于“Mac装不 ...

  7. unlocked_ioctl和compat_ioctl

    参考: https://www.cnblogs.com/super119/archive/2012/12/03/2799967.html https://lwn.net/Articles/119652 ...

  8. Delphi XE5 android 获取网络状态《转》

    unit Androidapi.JNI.Network; interface function IsConnected: Boolean; function IsWiFiConnected: Bool ...

  9. finger-guessing game:3增加猜拳次数及猜拳按钮显示

    增加猜拳次数及猜拳按钮 //初始化引擎组件 init(50, "div_caiquan", 800, 400, main); //定义游戏层,加载进度层.游戏背景层,结果显示层,出 ...

  10. Windows Phone本地数据库(SQLCE):6、[Index] attribute(翻译)(转)

    这是“windows phone mango本地数据库(sqlce)”系列短片文章的第六篇. 为了让你开始在Windows Phone Mango中使用数据库,这一系列短片文章将覆盖所有你需要知道的知 ...