Javascript Expressjs身份验证
我有一些关于登录和会话的问题。我有以下代码: 数据库查询:Javascript Expressjs身份验证,javascript,authentication,node.js,express,Javascript,Authentication,Node.js,Express,我有一些关于登录和会话的问题。我有以下代码: 数据库查询: login: function(req,callback) { var query = 'SELECT id FROM users WHERE email = "' + req.body.email_login + '" AND password = "' + hashlib.sha1(req.body.password_login) + '" LIMIT 1'; client.query(query, callback
login: function(req,callback) {
var query = 'SELECT id FROM users WHERE email = "' + req.body.email_login + '" AND password = "' + hashlib.sha1(req.body.password_login) + '" LIMIT 1';
client.query(query, callback);
}
app.post('/login', function(req, res, next) {
users.login(req,function(err, results) {
if (err) {
res.render('index');
} else if (results[0]) {
req.session.userdata = results[0];
req.session.is_logged_in = true;
res.render('site/news');
}
}
}
var auth = function (req, res, next) {
if (req.session.userdata && req.session.is_logged_in === true) {
next();
} else {
res.redirect('/');
}
}
// e.g. get the session.id from dynamichelper
if (data.userid === session.userdata.id) {
// The form where user can change his data contained within here
}
路线:
login: function(req,callback) {
var query = 'SELECT id FROM users WHERE email = "' + req.body.email_login + '" AND password = "' + hashlib.sha1(req.body.password_login) + '" LIMIT 1';
client.query(query, callback);
}
app.post('/login', function(req, res, next) {
users.login(req,function(err, results) {
if (err) {
res.render('index');
} else if (results[0]) {
req.session.userdata = results[0];
req.session.is_logged_in = true;
res.render('site/news');
}
}
}
var auth = function (req, res, next) {
if (req.session.userdata && req.session.is_logged_in === true) {
next();
} else {
res.redirect('/');
}
}
// e.g. get the session.id from dynamichelper
if (data.userid === session.userdata.id) {
// The form where user can change his data contained within here
}
验证中间件:
login: function(req,callback) {
var query = 'SELECT id FROM users WHERE email = "' + req.body.email_login + '" AND password = "' + hashlib.sha1(req.body.password_login) + '" LIMIT 1';
client.query(query, callback);
}
app.post('/login', function(req, res, next) {
users.login(req,function(err, results) {
if (err) {
res.render('index');
} else if (results[0]) {
req.session.userdata = results[0];
req.session.is_logged_in = true;
res.render('site/news');
}
}
}
var auth = function (req, res, next) {
if (req.session.userdata && req.session.is_logged_in === true) {
next();
} else {
res.redirect('/');
}
}
// e.g. get the session.id from dynamichelper
if (data.userid === session.userdata.id) {
// The form where user can change his data contained within here
}
我使用数据库存储进行会话
现在我的问题是:
1) 这样做安全吗?或者我应该考虑另一种方式吗?
2) 假设我有这个URL/domain/users/1
,其中最后一段是用于获取用户数据的用户id。
在这个视图中,我有一个用于更改用户数据的表单。检查用户id是否与会话用户id匹配,然后显示表单是否安全
在视图中:
login: function(req,callback) {
var query = 'SELECT id FROM users WHERE email = "' + req.body.email_login + '" AND password = "' + hashlib.sha1(req.body.password_login) + '" LIMIT 1';
client.query(query, callback);
}
app.post('/login', function(req, res, next) {
users.login(req,function(err, results) {
if (err) {
res.render('index');
} else if (results[0]) {
req.session.userdata = results[0];
req.session.is_logged_in = true;
res.render('site/news');
}
}
}
var auth = function (req, res, next) {
if (req.session.userdata && req.session.is_logged_in === true) {
next();
} else {
res.redirect('/');
}
}
// e.g. get the session.id from dynamichelper
if (data.userid === session.userdata.id) {
// The form where user can change his data contained within here
}
服务器将使用SSL
提前谢谢
George在db查询代码中,检查req.body.email\u登录名和req.body.password\u登录名,以确保它们不为空且为字符串。有人可能会发送一个空的响应,这将在您这边生成一个内部错误 同样在路由中,您可能希望记录错误并将用户重定向到/500.html页面(内部错误): 您不应该在视图中执行此操作:
if(data.userid === session.userdata.id) { //The form where user can change his data contained within here }
尝试在模型中实现这一点(最好),为其创建一个函数,并仅向视图传递一个参数,如下所示:
res.render('view', { loggedIn: true });
模型中的函数:
function checkUser(id, session) {
return (userid === session.userdata.id);
}
...
module.exports.checkUser = checkUser;
您可以这样从路线调用它(例如):
你可能还想再看一次Hi:)好的,好的建议,但我不确定我是否掌握了一件事,为什么我不应该在视图中检查id?那会是什么样子?也许是个小例子?你可以这样做,这只是一个建议,让这些东西在其他地方结构化:助手,模型。我现在要加上这个例子。哦,我明白了,这是一个很好的方法。更易于维护。谢谢你的建议:)