
ajax - Determining who authenticated with basicAuth on Node when handling a POST request

Reposted. Author: 太空宇宙. Updated: 2023-11-03 23:42:57

I'm using basicAuth to authenticate POSTs on a particular address.

On the client side, I'm using a command of the following form:

$.ajax({
  type: "POST",
  accepts: "text/plain",
  url: "http://localhost:3000/somewhere",
  data: JSON.stringify(something),
  contentType: "application/json; charset=UTF-8",
  dataType: "json",
  success: function(data) {
    window.alert("Received back: '" + data + "'");
  },
  username: theUsername,
  password: "a password"
});

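This works fine, in the sense that the username stored in theUsername passes my authentication mechanism on Node. When the user is authenticated, I can print a console.log statement and see who actually authenticated (I'm not validating the password at the moment). But then the actual processing of the POST request starts. At that point, how can I find out the username and password used in the original request? I tried looking at the headers of the request, but I don't see anything there.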

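Best answer

When you receive a basic authentication request, you should be able to read the "authorization" header in req.headers.authorization. You have to extract the Base64-encoded credentials and then decode them. Presumably, in Express you use req.header("authorization") or req.get("authorization").

For a standalone example, take a look at https://gist.github.com/charlesdaniel/1686663, which I have copied below for future reference.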

var http = require('http');

var server = http.createServer(function(req, res) {
  // console.log(req); // debug dump the request

  // If they pass in a basic auth credential it'll be in a header called "Authorization"
  // (note NodeJS lowercases the names of headers in its request object)
  var auth = req.headers['authorization']; // auth is "Basic " + base64(username:password), so we need to decode the base64
  console.log("Authorization Header is: ", auth); // debug only: this value is trivially decodable, keep it out of real logs

  if (!auth) { // No Authorization header was passed in so it's the first time the browser hit us

    // Sending a 401 will require authentication, we need to send the 'WWW-Authenticate' to tell them the sort of authentication to use
    // Basic auth is quite literally the easiest and least secure, it simply gives back base64( username + ":" + password ) from the browser
    res.statusCode = 401;
    res.setHeader('WWW-Authenticate', 'Basic realm="Secure Area"');

    res.end('<html><body>Need some creds son</body></html>');
  }
  else { // The Authorization was passed in so now we validate it

    var tmp = auth.split(' '); // Split on a space, the original auth looks like "Basic Y2hhcmxlczoxMjM0NQ==" and we need the 2nd part

    // Only accept the Basic scheme; a missing token becomes '' so a malformed header cannot throw
    var encoded = (tmp[0].toLowerCase() === 'basic' && tmp[1]) ? tmp[1] : '';

    var buf = Buffer.from(encoded, 'base64'); // create a buffer and tell it the data coming in is base64 (new Buffer() is deprecated)
    var plain_auth = buf.toString(); // read it back out as a string

    console.log("Decoded Authorization ", plain_auth); // debug only: this prints the cleartext password

    // At this point plain_auth = "username:password"

    var sep = plain_auth.indexOf(':'); // split on the FIRST ':' only, the password itself may contain colons
    var username = sep === -1 ? plain_auth : plain_auth.slice(0, sep);
    var password = sep === -1 ? '' : plain_auth.slice(sep + 1);

    if ((username === 'hack') && (password === 'thegibson')) { // Is the username/password correct?

      res.statusCode = 200; // OK
      res.end('<html><body>Congratulations you just hax0rd teh Gibson!</body></html>');
    }
    else {
      res.statusCode = 401; // Force them to retry authentication
      res.setHeader('WWW-Authenticate', 'Basic realm="Secure Area"');

      // res.statusCode = 403; // or alternatively just reject them altogether with a 403 Forbidden

      res.end('<html><body>You shall not pass</body></html>');
    }
  }
});


server.listen(5000, function() { console.log("Server Listening on http://localhost:5000/"); });
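
As an added example (not part of the original answer or the gist), here is one way to parse the header once, verify it, and record the identity on the request so the code that later handles the POST body can read it. The helper names (parseBasicAuth, safeEqual, authenticate, fakeRequest), the req.user property and the USERS table are assumptions made for illustration, and all credentials are constructed.

```javascript
const nodeCrypto = require('node:crypto');

// Parse an Authorization header value; returns {username, password} or null.
function parseBasicAuth(header) {
  if (typeof header !== 'string') return null;
  const m = /^Basic +([A-Za-z0-9+\/]+={0,2})$/i.exec(header.trim());
  if (!m) return null;                       // wrong scheme or not base64
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');          // only the FIRST colon separates
  if (sep === -1) return null;
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Compare secrets in constant time; hashing first equalises the lengths.
function safeEqual(a, b) {
  const ha = nodeCrypto.createHash('sha256').update(a).digest();
  const hb = nodeCrypto.createHash('sha256').update(b).digest();
  return nodeCrypto.timingSafeEqual(ha, hb);
}

const USERS = new Map([['alice', 'correct:horse']]); // constructed sample data

// Verify the request and record the identity on it, so the handler that
// later processes the POST body can read req.user. Returns username or null.
function authenticate(req, users = USERS) {
  const creds = parseBasicAuth(req.headers['authorization']);
  if (!creds) return null;
  const expected = users.get(creds.username);
  // Always run the comparison so unknown users take the same code path.
  const ok = safeEqual(creds.password, expected ?? '') && expected !== undefined;
  if (!ok) return null;
  req.user = creds.username;
  return req.user;
}

// Constructed request object, shaped like Node's http.IncomingMessage.
function fakeRequest(user, pass) {
  const token = Buffer.from(`${user}:${pass}`).toString('base64');
  return { headers: { authorization: `Basic ${token}` } };
}
```

In a real server, authenticate(req) would run before the POST handler and the handler would read req.user; a production user table would hold password hashes rather than the cleartext used in this sample.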

Regarding "ajax - Determining who authenticated with basicAuth on Node when handling a POST request", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/19600419/
