Verifying roles & authentication with Passport.js

和自甴很熟 提交于 2021-02-05 20:11:33

问题


So I'd like to make some routes in an API that will show different data based on the user role, defined in MongoDB. Here's a sampling of what I have right now, it works...

router.get('/test', passport.authenticate('bearer', {session: false}), function (req, res) {
    if (req.user.role == "premium") {
        return res.send('you can see this content');
    }
    else {
        return res.send('you can not see this content');
    }
})

However, the end goal is to present at least something to the user, even if they're not logged in or authenticated with the right kind of role.

router.get('/test', passport.authenticate('bearer', {session: false}), function (req, res) {
    if (req.user.role == "premium") {
        return res.send('this is premium content');
    }
    else {
        // could be hit by another role, or no user at all
        return res.send([some truncated version of the premium content]);
    }
})

Which I would think I'd figure out how to work, but I don't know how to specify the same route which possibly could be hit without any Authorization header in the request.

Is this possible in Passport.js/Express?


回答1:


I would suggest that you use HTTP status codes and an error object, this is a common API convention and it allows your API users to know what's happening and why:

app.get('/premium-resource', function(req, res, next) {
  passport.authenticate('bearer', function(err, user) {
    if (user){
      if (user.role === 'premium'){
        return res.send(200,{userContent:'you are a premium user'});
      }else{
        return res.send(403,{
          'status': 403,
          'code': 1, // custom code that makes sense for your application
          'message': 'You are not a premium user',
          'moreInfo': 'https://myawesomeapi.io/upgrade'
        });
      }
    }else{
      return res.send(401,{
        'status': 401,
        'code': 2, // custom code that makes sense for your application
        'message': 'You are not authenticated.',
        'moreInfo': 'https://myawesomeapi.io/docs'
      });
    }
  })(req, res, next);
});

Disclaimer: I work at Stormpath and we put a lot of thought into API authentication and design, we have a really presentation on the topic:

https://stormpath.com/blog/designing-rest-json-apis/




回答2:


The solution is to limit the content in the view rather than the route.

router.get('/test', authenticationMiddleware, function(req, res){
    var premiumFlag = req.user.role;
    res.send('premiumontent', {role: premiumFlag});
});

premiumContent.jade

p This content is visible to all users

- if role === "premium"
    p this content is only visible to premium users



回答3:


The solution I've found to my answer is to use an adaptation of the Passportjs.org documentation.

In the routes I need to return data, whether a user is logged in or not I can use something like:

// Test to check for authentication
app.get('/login', function(req, res, next) {
  passport.authenticate('bearer', function(err, user, info) {
    if (user)
        // check user's role for premium or not
        if (user.role == "premium")
            return res.send('user is premium')
        else
            return res.send('user is not premium');
    else
        // return items even if no authentication is present, instead of 401 response
            return res.send('not logged in');
  })(req, res, next);
});


来源:https://stackoverflow.com/questions/26895219/verifying-roles-authentication-with-passport-js

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!