Prevent Expressjs from creating a session when requests contain an authorization header?

野的像风 2021-02-06 04:26

I have an API that can be called either using a browser where requests are transactional and have a session OR directly, e.g. using curl, where requests are atomic. Browser reque

4 answers
  • 2021-02-06 05:09

    Try this:

    var sessionMiddleware = exp.session( session_options );
    
    app.use(function(req, res, next) {
      if (req.headers.authorization) {
        return next();
      }
      return sessionMiddleware(req, res, next);
    });
    
  • 2021-02-06 05:09

    An alternative approach to reducing the number of sessions stored in your session storage is to set a default maxAge to something low. Then, when you actually need sessions stored longer, like after a user logs in, you can set req.session.cookie.expires = null;. Also don't forget to set the session expiration to something low when the user logs out.

    Here's an example:

    // set default to something low
    app.use(session({
      resave: true,
      saveUninitialized: true,
      cookie: {
        maxAge: 5 * 60 * 1000 // 5 minutes
      },
      secret: secrets.sessionSecret,
      store: new MongoStore({
        url: yourUrl,
        auto_reconnect: true
      })
    }));
    
    // on successful login, 
    // set expiration to null or something longer than default
    var time = 14 * 24 * 3600000; //2 weeks
    req.session.cookie.maxAge = time;
    req.session.cookie.expires = new Date(Date.now() + time);
    req.session.touch();
    
    // on logout, reset expiration to something low
    var time = 5 * 60 * 1000; // 5 minutes
    req.session.cookie.maxAge = time;
    req.session.cookie.expires = new Date(Date.now() + time);
    req.session.touch();
    

    This is particularly useful when remotely monitoring your app because if the monitoring is frequent enough, the sessions will fill up fast.

  • 2021-02-06 05:10

    Looks like you need to write your own session middleware. Here's an example. If you can create a separate subdomain, say, www.example.com for browser sessions and app.example.com for accessing it directly, then you should be able to use the linked method almost exactly, and just don't start the session for app.example.com requests. That may be the most direct method whereby the call indicates the method it intends to authenticate by, and any diversion from that is an error.

    Otherwise, you'll have to detect the authentication token in the middleware and not start the session when you find it.

  • 2021-02-06 05:19

    You can always just catch the response headers event and remove the 'set-cookie' header:

    app.use(function(req, res, next) {
      res.on('header', function () {
        if (req.headers.authorization) {
          // removeHeader() is the public API; res._headers is a deprecated Node internal
          res.removeHeader('Set-Cookie');
        }
      });
      next();
    });
    

    You can technically put this anywhere in your middleware chain.

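The header check from the first answer, which is also what the third answer describes as detecting the authentication token in the middleware, written out as an added example that is not code from any of the answers. It goes a step beyond the truthiness test: the session is skipped only for a well-formed `Basic` or `Bearer` header (an assumed scheme list), so an empty or scheme-only header still reaches the session middleware. `sessionUnlessApiCredentials`, `fakeSession` and the sample requests are names and data constructed for this illustration.

```javascript
// Added example. Assumption: only these schemes mark a stateless API call.
const STATELESS_SCHEMES = new Set(['basic', 'bearer']);
// True only for a well-formed "<scheme> <credentials>" header with a known scheme.
function hasApiCredentials(req) {
  const value = req.headers.authorization;
  if (typeof value !== 'string') return false;
  const parts = value.trim().split(/\s+/);
  return parts.length === 2 && STATELESS_SCHEMES.has(parts[0].toLowerCase());
}

// Wrap any session middleware so token-authenticated requests never reach it.
function sessionUnlessApiCredentials(sessionMiddleware) {
  return function (req, res, next) {
    if (hasApiCredentials(req)) return next(); // req.session stays undefined
    return sessionMiddleware(req, res, next);
  };
}

// Constructed stand-in: stores every new session and sets a cookie (demo only).
function fakeSession(store) {
  return function (req, res, next) {
    req.session = { id: 'sess-' + (store.length + 1) };
    store.push(req.session.id);
    res.setHeader('Set-Cookie', 'connect.sid=' + req.session.id + '; HttpOnly');
    next();
  };
}

// Run constructed requests through the wrapper and report what each one caused.
function demo() {
  const store = [];
  const middleware = sessionUnlessApiCredentials(fakeSession(store));
  const samples = {
    browser: {},
    curlBasic: { authorization: 'Basic dXNlcjpwYXNz' },
    tokenPlusCookie: { authorization: 'Bearer abc.def', cookie: 'connect.sid=sess-1' },
    emptyHeader: { authorization: '' },
    schemeOnly: { authorization: 'Bearer' },
  };
  const report = {};
  for (const [name, headers] of Object.entries(samples)) {
    const req = { headers };
    const sent = {};
    const res = { setHeader: (k, v) => { sent[k.toLowerCase()] = v; } };
    middleware(req, res, () => {});
    report[name] = { session: 'session' in req, setCookie: 'set-cookie' in sent };
  }
  return { ...report, stored: store.length };
}
console.log(demo());
```

In an app, the real session middleware takes the place of the stand-in: `app.use(sessionUnlessApiCredentials(sessionMiddleware))`.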