Node.js 节点,express-限制对可下载文件的访问_Node.js_Express - Fatal编程技术网

Node.js 节点,express-限制对可下载文件的访问

Node.js 节点,express-限制对可下载文件的访问,node.js,express,Node.js,Express,我正在使用express作为micro services rest api的服务器。端点是从目录结构构建的。目前客户端很少有可下载的pdf文件。即使用户未登录门户,也可以下载(使用hrefURL)。所以,我把所有的pdf文件放到服务器上 服务器上的目录结构: pdf文件位于docs目录中。请在下面找到服务器的代码: /* global __dirname */ import morgan from 'morgan'; import logger, { webStream } from './s

我正在使用
express
作为micro services rest api的服务器。端点是从目录结构构建的。目前客户端很少有可下载的pdf文件。即使用户未登录门户,也可以下载(使用
href
URL)。所以,我把所有的pdf文件放到服务器上

服务器上的目录结构:

pdf文件位于docs目录中。请在下面找到服务器的代码:

/* global __dirname */
import morgan from 'morgan';
import logger, { webStream } from './services/logger';
import { socket } from './services';

// set env variables before all else
import { GATEWAY_PORT, CORS_ORIGINS } from './config';

const express = require('express');
const bodyParser = require('body-parser');
const cookieParser = require('cookie-parser')();
const version = require('./services/utils').version();
const authentication = require('./services/authentication');
const utils = require('./services/utils');


// set up app and middleware
const app = express();

// Access log line, written to the logger's web stream. Both `:req[user-id]` and
// `:req[x-correlation-id]` are morgan request-header tokens, i.e. values as
// supplied by the client, not values derived from the verified session.
app.use(morgan('User::req[user-id] Correlation::req[x-correlation-id] Method::method URL::url Status::status :res[content-length] - :response-time ms', { stream: webStream }));

logger.info('Starting...');

// Middleware order matters: cookies must be parsed here before the
// session middleware below reads `req.cookies`.
app.use(cookieParser);
// NOTE(review): a 50mb JSON body limit is generous for a REST gateway and is
// reachable by unauthenticated clients (body parsing runs before any auth
// check) — confirm an endpoint actually needs payloads this large.
app.use(bodyParser.json({ limit: '50mb' }));
// Don't advertise the framework in response headers.
app.disable('x-powered-by');

// CORS headers to allow running client/server on different ports
app.use(function corsAndSecurityHeaders(req, res, next) {
  // Reflect the request Origin only when it is in the comma-separated
  // CORS_ORIGINS allow-list; otherwise no Access-Control-Allow-Origin is sent.
  // NOTE(review): because Allow-Credentials is also sent, the reflected origin
  // must come from an exact match — confirm utils.matchCors does not accept
  // prefix/wildcard matches.
  const requestOrigin = req.headers.origin || '';
  const allowedOrigins = CORS_ORIGINS.split(',');
  if (utils.matchCors(requestOrigin, allowedOrigins)) {
    res.set('Access-Control-Allow-Origin', requestOrigin);
  }

  // Standard CORS headers (res.set stringifies non-string values).
  res.set('Access-Control-Allow-Headers', 'Content-Type, Authorization, Accept, Accept-Language');
  res.set('Access-Control-Allow-Credentials', true);
  res.set('Access-Control-Allow-Methods', 'PATCH,POST,GET,DELETE');

  // Hardening headers added as remediation for automated pen-test findings.
  res.set('X-Frame-Options', 'DENY');
  res.set('X-Content-Type-Options', 'nosniff');
  // NOTE(review): X-XSS-Protection is deprecated and current browsers ignore
  // it; present guidance is to send 0 (or omit it) and rely on a
  // Content-Security-Policy instead. Left unchanged here because it was a
  // documented pen-test remediation — confirm with whoever owns that finding.
  res.set('X-XSS-Protection', 1);

  next();
});

// set the user property of the request object
app.use(function attachSessionUser(req, res, next) {
  const token = req.cookies[authentication.cookieName];

  // Anonymous requests get `req.user === false`; otherwise req.user is
  // whatever decodeJWT returns for the session cookie.
  // NOTE(review): the name "decodeJWT" does not say whether the signature and
  // expiry are verified. If it only base64-decodes the payload, any client
  // could present a self-made token — confirm in ./services/authentication.
  req.user = token ? authentication.decodeJWT(token) : false;
  if (token) {
    // The cookie is re-issued on every request that carried one
    // (presumably a sliding expiry — confirm). Note this also runs when
    // decodeJWT rejected the token, so an invalid cookie gets re-set too.
    authentication.setCookie(res, token, req.user);
  }

  // The correlation id is taken verbatim from the client header.
  // NOTE(review): if utils.setCorrelationId stores it in module-level state,
  // concurrent requests will overwrite each other's id — confirm it is
  // request-scoped (e.g. AsyncLocalStorage).
  const correlationId = req.headers['x-correlation-id'];
  utils.setCorrelationId(correlationId);
  req.correlationId = correlationId;

  next();
});

// helper function returning middleware to reject unauthorised users
/**
 * @param {string[]} roles - roles accepted by authentication.hasRole
 * @param {boolean} abcOnly - when true, additionally require `user.isabc`
 * @returns {function} express middleware; calls next(error) with status 403
 *   when there is no session user or the role/abc checks fail
 */
function requiredRoles(roles, abcOnly) {
  return function requireRolesHandler(req, res, next) {
    const { user } = req;
    // Evaluated in this order so `user.isabc` is only read when a user exists.
    const denied = !user
      || (abcOnly && !user.isabc)
      || !authentication.hasRole(user, roles);

    if (!denied) {
      next();
      return;
    }

    // Both "no session at all" and "wrong role" are reported as 403 here;
    // callers cannot distinguish unauthenticated from unauthorised.
    const error = new Error('UNAUTHORISED');
    error.status = 403;
    next(error);
  };
}

// Add the endpoints to express.
// Reversed to get literal routes before @ capture groups.
for (const endpoint of utils.parseDirectory(`${__dirname}/rest`, [], true).reverse()) {
  const { auth, functions } = endpoint.handler;
  // Prepend the role guard so it runs before the endpoint's own handlers.
  // NOTE(review): an endpoint file with no `auth` block is mounted with no
  // authentication at all — confirm that is intended for each such file.
  if (auth) {
    functions.unshift(requiredRoles(auth.roles, auth.abcOnly));
  }
  app[endpoint.method](endpoint.url, functions);
}


// setup server
// No host is given to listen(), so Node binds every interface — fine behind
// a reverse proxy; confirm if the gateway is meant to be internal-only.
const server = app.listen(GATEWAY_PORT, function onListening() {
  const { name, number } = version;
  logger.info(`Allowed CORS: ${CORS_ORIGINS}`);
  logger.info(`Started ${name} (${number}) listening on ${GATEWAY_PORT}`);
});

// The socket layer shares the HTTP server (and thus the port) created above.
socket.createServer(server);

当用户单击页面上的链接时,如何仅向授权用户提供服务器到客户端的pdf文件?

有下载文件的路径,例如
GET/api/download?file=abc.pdf

现在在中间件中

  • 检查
    req.user
    是否存在

  • 检查
    用户是否有足够的权限下载文件或
    不是

  • 如果1和2满足要求,则提供文件


  • 代码大致如下所示:

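    app.get('/api/download', (req, res, next) => {
      // Check if the request had valid token or not
      if (!req.user) {
        const error = new Error('UNAUTHORISED');
        error.status = 403;
        return next(error);
      }

      const { user } = req;
      const { file } = req.query;

      // `file` is client-controlled query input. Accept only a single bare
      // file name: not an array (repeated `file=` keys), not empty, no
      // directory separators, and not a dotfile or `..`. Anything else could
      // name a path outside the docs directory once joined.
      if (
        typeof file !== 'string'
        || file.length === 0
        || file.startsWith('.')
        || path.basename(file) !== file
      ) {
        const error = new Error('BAD_REQUEST');
        error.status = 400;
        return next(error);
      }

      // If you want to have some additional logic wherein
      // you want to restrict the download of the file,
      // you can put that logic in this function
      const isAllowed = canDownload(user, file);

      if (isAllowed) {
        // With `root`, sendFile resolves `file` inside the docs directory and
        // refuses anything that would escape it, instead of being handed an
        // already-joined absolute path it cannot check.
        return res.sendFile(file, { root: path.join(__dirname, 'docs') });
      }
      const error = new Error('UNAUTHORISED');
      error.status = 403;
      return next(error);
    });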
    

    您可能需要 require
    path
    ,实现
    canDownload
    ,或者解决因使用
    __dirname
    而出现的“找不到此类文件或目录”错误。所有这些都是微不足道的。如果你也需要帮助,请在评论中告诉我


    以下是对

    也可能有帮助。

    有下载文件的路径,例如
    GET/api/download?file=abc.pdf

    现在在中间件中

  • 检查
    req.user
    是否存在

  • 检查
    用户是否有足够的权限下载文件或
    不是

  • 如果1和2满足要求,则提供文件


  • 代码大致如下所示:

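    app.get('/api/download', (req, res, next) => {
      // Check if the request had valid token or not
      if (!req.user) {
        const error = new Error('UNAUTHORISED');
        error.status = 403;
        return next(error);
      }

      const { user } = req;
      const { file } = req.query;

      // `file` is client-controlled query input. Accept only a single bare
      // file name: not an array (repeated `file=` keys), not empty, no
      // directory separators, and not a dotfile or `..`. Anything else could
      // name a path outside the docs directory once joined.
      if (
        typeof file !== 'string'
        || file.length === 0
        || file.startsWith('.')
        || path.basename(file) !== file
      ) {
        const error = new Error('BAD_REQUEST');
        error.status = 400;
        return next(error);
      }

      // If you want to have some additional logic wherein
      // you want to restrict the download of the file,
      // you can put that logic in this function
      const isAllowed = canDownload(user, file);

      if (isAllowed) {
        // With `root`, sendFile resolves `file` inside the docs directory and
        // refuses anything that would escape it, instead of being handed an
        // already-joined absolute path it cannot check.
        return res.sendFile(file, { root: path.join(__dirname, 'docs') });
      }
      const error = new Error('UNAUTHORISED');
      error.status = 403;
      return next(error);
    });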
    

    您可能需要 require
    path
    ,实现
    canDownload
    ,或者解决因使用
    __dirname
    而出现的“找不到此类文件或目录”错误。所有这些都是微不足道的。如果你也需要帮助,请在评论中告诉我


    以下是对
    也许也会有帮助