Node.js 如何使用connect保护管理部分,确保通过express router登录Passport?
我正在使用PassportJS,连接确保登录,mongoose,express。 我试图将用户重定向到Node.js 如何使用connect保护管理部分,确保通过express router登录Passport?,node.js,express,mongoose,passport.js,mean-stack,Node.js,Express,Mongoose,Passport.js,Mean Stack,我正在使用PassportJS,连接确保登录,mongoose,express。 我试图将用户重定向到admin/error,如果他们经过身份验证,但不是管理员!我已经设置了UserSchemauser.local.role,其中存储了admin/contributor/manager/user中的字符串 如果用户未通过身份验证,则应首先将其重定向到/login页面(在其他路由器文件中设置)。如果用户.local.role为=管理员,他将被重定向到/admin/error。否则,他应按要求访问该
admin/erroruser.local.role/login用户.local.role=管理员,他将被重定向到/admin/error
。否则,他应按要求访问该页面
注意,在文档中保存user.local.role
时,我确保在保存之前将字符串转换为小写
问题-在每个/admin/*
页面中,即使用户已登录并且user.local.role==“admin”
,他也会被重定向到/admin/error
,并带有某种警告:
GET /admin/error 302 729.533 ms - 68
Error: Can't set headers after they are sent.
at ServerResponse.OutgoingMessage.setHeader (_http_outgoing.js:356:11)
下面是我的routes.js函数:
var Setting = require('../../models/setting');
var User = require('../../models/user');
var ensureLoggedIn = require('connect-ensure-login').ensureLoggedIn;
module.exports = function(app, passport) {
app.get('/admin/*', ensureLoggedIn('/login'), isAdmin, function(req, res, next) {
next();
});
app.get('/admin/error', sabSettings, function(req, res) {
res.render('admin/error', {
title: "You ain't an admin",
user: req.user,
setting: req.setting,
error: req.flash('error')
});
});
app.get('/admin/settings', ensureLoggedIn('/login'), function(req, res) {
Setting.findOne(function(err, setting) {
if (err) {
return res.send(500, err);
}
res.render('admin/customize/logo', {
title: 'Change Setting | eduBird Admin Panel',
user: req.user,
setting: setting,
success: req.flash('success')
// setting: res.settings
});
});
});
app.post('/admin/settings/logo', function(req, res) {
//....
});
app.get('/admin/settings/users/', ensureLoggedIn('/login'), sabSettings, function(req, res) {
// ...
});
app.post('/admin/settings/user/:pno', ensureLoggedIn('/login'), function(req, res) {
// ...
});
app.get('/admin/settings/user/delete/:pno', ensureLoggedIn('/login'), function(req, res) {
// ...
});
app.get('/admin/settings/user/verify/:pno', ensureLoggedIn('/login'), function(req, res) {
///..
});
};
function sabSettings(req, res, next) {
Setting.findOne(function(err, setting) {
if (err)
next(err);
req.setting = setting;
next();
});
};
function isAdmin(req, res, next) {
if ((req.isAuthenticated()) && (req.user.local.role == 'admin')) {
next();
}
req.flash('error', 'Seems like you aren\'t an admin!')
res.redirect('/admin/error');
};
下面是我的视图/admin/error/pug
文件:
extends customize/adminLayout
block content
//- h1= message //- h2= error.status //- pre #{error.stack}
.center.container(style='margin: 2em; padding: 2em; background:
#e8eaf6;')
img(src=setting.logo.logo128)
h1.indigo-text.text-darken-4 Oops!
h2.indigo-text.text-darken-4 Seems like our bird can't give you access to this page!
div.indigo-text.text-lighten-4.indigo.darken-4(style='padding: 1.8em;')
h3 Tweet Tweet!:
//- h2= error.status
h4= You should be an admin to access the page
h5.indigo-text We are redirecting you back to the bird's home #[span#count 32] seconds
.progress.white.lighten-3(style='margin-top: 3em')
.indeterminate.indigo.darken-4 script(type='text/javascript').
$(document).ready(function(){
var count = 32;
setInterval(function(){
count--;
$('#count')[0].innerHTML = count;
if (count == 0) {
window.location = '/loggedin';
}
},1000);
});
任何帮助都将不胜感激。我自己做了这件事,但我没有在控制器端设置条件,而是将其放置在我的布局视图上,看起来像这样:
doctype html
html
head
title= title
//- link(rel='stylesheet', href='')
//- script(src='')
// ....
body
include ../includes/navbar
.row.mainRow
//- Sidebar
if ((user.local.role == 'admin') || (user.local.role == 'manager'))
include ../includes/sidebar
block content
include ../includes/rightSidebar
//- footer
else
p You can't view this page because you are not admin
//- And So on.....
虽然这是可行的,但我也希望控制器端验证更加安全,如果有人知道,请发布您的答案。:)