Why is passport.serializeUser executed on each request?

礼貌的吻别 2021-02-06 16:29

I am using passport.js + passport-facebook-token to secure my API build with Strongloop's Loopback Framework.

Why is passport serializing the deserialized user again af

1 answer
  •  渐次进展
    2021-02-06 17:05

    Regarding your question about why passport.authenticate is called on every request, it is because you defined it as a middleware, probably before any routing logic happens.

    If you have private and public sections on your app, you could do something like this:

    // Define a specific route that will handle authentication logic
    app.get("/auth", passport.authenticate('facebook-token', function(){...}));
    
    // Public sections which do not require authentication
    app.get("/public1",...);
    app.post("/public2",...);
    
    // Private sections which do require authentication
    app.get("/private1", function(req,res,next){
       if (req.isAuthenticated()){ // Check if user is authenticated
           // do things...
       }else{ // Wow, this guy is not authenticated. Kick him out of here !
           res.redirect("/auth");
       }
    });
    

    Now, if you have multiple private sections, you'll probably find it a bit tedious to do the same thing for each private section. You could define a custom function that will check if the user is authenticated, and allow the request to proceed if he is. Something like:

    function isThisGuyAuthenticated(req,res,next){
       if (req.isAuthenticated()){
          return next(); // Ok this guy is clean, please go on !
       }else{
          res.redirect("/auth"); // This guy is shady, please authenticate !
       }
    }
    

    And use it like:

    app.get("/private1",isThisGuyAuthenticated, doCrazySecretStuff); // doCrazySecretStuff will not be called if the user is not authenticated
    app.get("/private2", isThisGuyAuthenticated, getCocaColaRecipe);
    app.get("/private3", isThisGuyAuthenticated, flyToMars);
    app.get("/public", showInfo); // showInfo will be called whether the user is authenticated or not
    

    Now, if your app only has private sections, you could avoid repeating calls to isThisGuyAuthenticated by defining it as middleware (but not by defining passport.authenticate itself as a middleware!):

    // Endpoint that will be hit if the user is redirected to /auth
    // BEWARE it needs to be above the middleware, otherwise you'll end up with an infinite redirection loop
    app.get("/auth", passport.authenticate('facebook-token', function(){...}));
    
    // Middleware that will be called on every request
    app.use(isThisGuyAuthenticated);
    
    // You app's endpoints
    app.get("/private1", doCrazySecretStuff); // doCrazySecretStuff will not be called if the user is not authenticated
    app.get("/private2", getCocaColaRecipe);
    app.get("/private3", flyToMars);
    

    Is that clear?

    EDIT: I mistakenly put the middleware before the "/auth" endpoint. Make sure it's placed after it.

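The ordering point in the answer and its EDIT can be made concrete without a real server. The following is an added example, not code from the answer or from passport/Loopback: a tiny Express-style request pipeline (`createApp`, `buildApp`, `followRedirects` and `loginHandler` are all constructed here, and `loginHandler` only stands in for `passport.authenticate`). It builds the app both ways, with the `/auth` route registered before and after the `app.use(isThisGuyAuthenticated)` guard, and follows redirects like a browser would, so the infinite redirection loop the answer warns about shows up as a measurable outcome.

```javascript
// Added example (not from the answer): a dependency-free Express-like pipeline
// used to show why the app.use() auth guard must be registered after /auth.
// All names and handlers below are constructed for illustration.

function createApp() {
  const layers = []; // ordered {path, fn}; path === null means "every request"
  return {
    use(fn) { layers.push({ path: null, fn }); },
    get(path, ...fns) { for (const fn of fns) layers.push({ path, fn }); },
    // Dispatch one synchronous GET. `user` is the session user or null.
    handle(path, user) {
      const req = { path, user, isAuthenticated: () => user !== null };
      const res = {
        statusCode: null, location: null, body: null,
        redirect(location) { this.statusCode = 302; this.location = location; },
        send(body) { this.statusCode = 200; this.body = body; },
      };
      let i = 0;
      // Express-style next(): run the following layer whose path matches.
      const next = () => {
        while (i < layers.length) {
          const layer = layers[i++];
          if (layer.path === null || layer.path === path) return layer.fn(req, res, next);
        }
        res.statusCode = 404; // fell off the end of the stack: nothing matched
      };
      next();
      return res;
    },
  };
}

// The guard from the answer: authenticated requests pass, others go to /auth.
function isThisGuyAuthenticated(req, res, next) {
  if (req.isAuthenticated()) return next();
  res.redirect('/auth');
}

// Constructed stand-in for passport.authenticate('facebook-token', ...).
function loginHandler(req, res) { res.send('login page'); }
function doCrazySecretStuff(req, res) { res.send('secret'); }

// authRouteFirst === true is the corrected ordering from the answer's EDIT;
// false reproduces the mistake (guard registered before the /auth route).
function buildApp(authRouteFirst) {
  const app = createApp();
  if (authRouteFirst) app.get('/auth', loginHandler);
  app.use(isThisGuyAuthenticated); // runs for every request before any route below
  if (!authRouteFirst) app.get('/auth', loginHandler);
  app.get('/private1', doCrazySecretStuff);
  return app;
}

// Follow 302s like a browser, giving up after maxHops so a loop becomes visible.
function followRedirects(app, path, user, maxHops = 5) {
  let hops = 0;
  let res = app.handle(path, user);
  while (res.statusCode === 302) {
    if (++hops > maxHops) return { outcome: 'redirect-loop', hops };
    res = app.handle(res.location, user);
  }
  return { outcome: res.body || String(res.statusCode), hops };
}

// Stand-alone demo: correct ordering lands on the login page, wrong ordering loops.
console.log(followRedirects(buildApp(true), '/private1', null));   // { outcome: 'login page', hops: 1 }
console.log(followRedirects(buildApp(false), '/private1', null));  // { outcome: 'redirect-loop', hops: 6 }
```

Note that in the broken ordering even a logged-in user still reaches `/private1`; only the anonymous path breaks, which is why the mistake is easy to miss when testing with an authenticated session.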