Question
I am migrating an old sails.js project which was written in 0.10.5 to 0.12.x. Since the original code was written a long time ago and may have some "non-conforming" code I decided to re-build the project by starting a new sails project and slowly migrating the models/controllers/services while keeping only necessary policies and configuration files.
So far I managed to get the project to lift and now I am starting to deal with the authentication. Ideally, I intend to move to use passport with jwt to replace existing express-jwt.
My old config/http.js looks like so:
```javascript
module.exports.http = {
  bodyParser: function() {
    // return require('body-parser')({limit: '900mb'});
    var opts = { limit: '50mb' };
    var fn;
    // Default to the built-in body parser (skipper), with a raised size limit:
    fn = require('skipper');
    return fn(opts);
  },

  customMiddleware: function(app) {
    var bodyParser = require('body-parser');
    var expressJwt = require('../libs/express-jwt');
    var expressJwtConfig = require('./jwt.js').jwt;

    // Allow any origin on every response.
    app.use(function(req, res, next) {
      res.setHeader("Access-Control-Allow-Origin", "*");
      next();
    });

    // Require a valid JWT for everything under /api.
    app.use('/api', expressJwt({ secret: expressJwtConfig.secret }));

    // Parse JSON and form-encoded bodies (extended: true is body-parser's default;
    // passing it explicitly avoids the deprecation warning).
    app.use(bodyParser.json());
    app.use(bodyParser.urlencoded({ extended: true }));

    if (process.env.NODE_ENV == 'development') {
      // just for local/development - serve static files
    }
  }
};
```
If I understand correctly (I am not well versed in the stack) this code overrides the default body parser (using skipper allowing large files - this is specified in `bodyParser`), and in addition, changes the middleware used:

- Includes a middleware to add `Access-Control-Allow-Origin`.
- For routes under 'api' it invokes the express-jwt middleware which in this implementation (not sure it's the default behavior) looks for the token and then adds the user to the request object (which is then used in most of the controllers).
- Adds body-parser's (`body-parser`) `json` and `urlencode` to the middleware chain.
My question here is whether I should keep it more or less the same or should I change it? Are there any obvious anti-patterns or security risks? If I use skipper, do I need the body parser json/urlencode middleware?
Would I be able to achieve comparable flows using more standard passport/jwt code? If so, can I achieve this kind of stack with sails-auth or should I roll my own?
Answer 1:
Yes, you can remove the custom middleware. The latest pattern is easier to manage. For starters, `Access-Control-Allow-Origin` can be set in `config/cors.js`.

You can use `passport-jwt` in a more sailsy way by making use of the `sails-auth` module, and splitting the logic into `services`, using `policies` to manage the flow etc. The problem with `sails-auth` is, the module in npm has been published over a year ago. It has several bugs. The GitHub repo though has a stable version.

I have made a bare minimum auth server in sails, which you can extend for various passport strategies. The server supports `local`, `bearer`, `JWT` strategies out of the box.

Sails Auth Server
Source: https://stackoverflow.com/questions/42229717/migrating-to-sails-js-0-12-middleware-migration