javascript - 使用 Flatiron 的 Resourceful & Restful 进行身份验证和授权

Question

我想在Flatiron中实现认证授权堆栈(使用 Flatiron、Resourceful 和 Restful)。我想要求用户在尝试更改资源时具有必要的权限。在 Restful 自述文件中，有一个 note about authorization :

There are several ways to provide security and authorization for accessing resource methods exposed with restful. The recommended pattern for authorization is to use resourceful's ability for before and after hooks. In these hooks, you can add additional business logic to restrict access to the resource's methods.

It is not recommended to place authorization logic in the routing layer, as in an ideal world the router will be a reflected interface of the resource. In theory, the security of the router itself should be somewhat irrelevant since the resource could have multiple reflected interfaces that all required the same business logic.

TL;DR; For security and authorization, you should use resourceful's before and after hooks.

因此授权可以由 Resourceful 的 Hook 系统处理。

我的实际问题是每个 HTTP 请求开始时的身份验证过程。

假设我有一个资源 Post、一个 User 和一个资源 Session。 REST API 是使用 Restful 定义的。我对这个问题的主要关注是确保用户在创建帖子时有一个 session 。 save、update 等其他方法或创建用户等其他资源的方法应该类似。

文件app.js:

var flatiron = require('flatiron');
var app = flatiron.app;

app.resources = require('./resources.js');

app.use(flatiron.plugins.http);
app.use(restful);
app.start(8080, function(){
  console.log('http server started on port 8080');
});

文件resources.js:

var resourceful = require('resourceful');

var resources = exports;

resources.User = resourceful.define('user', function() {
  this.restful = true;
  this.string('name');
  this.string('password');
});

resources.Session = resourceful.define('session', function() {
  // note: this is not restful
  this.use('memory');
  this.string('session_id');
});

resources.Post = resourceful.define('post', function() {
  this.restful = true;
  this.use('memory');
  this.string('title');
  this.string('content');
});

resources.Post.before('create', function authorization(post, callback) {
  // What should happen here?
  // How do I ensure, a user has a session id?

  callback();
});

还有一个 runnable version of the code (感谢@generalhenry)。

所以假设一个用户试图创建一个帖子，已经被赋予了一个 session ID，该 session ID 随他通过 cookie header 发出的每个请求一起发送。如何在 before Hook (即 authorization 回调)中访问该 cookie？

该示例可以从 node app.js 开始，并且可以使用 curl 发出 HTTP 请求。

Answer 1

请记住，这些指南适用于授权流程。如果您需要使用 sessionId，您可以通过以下任一方式访问它:req.sessionID、req.cookies["connect.sid"]。

通过这种方式检查请求，您将确保每个用户都有有效的 session ID。

app.use(flatiron.plugins.http, {
  before: [
    connect.favicon(),
    connect.cookieParser('catpsy speeds'),
    function(req, res) {
      if (req.originalUrl === undefined) {
        req.originalUrl = req.url;
      }
      res.emit('next');
    },
    connect.session({secret : 'secter'}),
    function(req, res) {
      console.log('Authenticating...');
      console.dir(req.session);
      //any other validation logic
      if (req.url !== '/login' && typeof req.session.user == 'undefined') {
        res.redirect('/login');
      } else {
        res.emit('next');
      }
    }
  ]
});

这里是 project example使用这种方法。