node+token for user verification-JS Tutorial-php.cn

Home

Web Front-end

JS Tutorial

node+token for user verification

php中世界最好的语言

Jun 09, 2018 am 10:37 AM

nodenodejstokenaccomplishAuthentication

This time I will bring you node token for user verification. What are the precautions for node token for user verification? The following is a practical case, let’s take a look.

Recently studied token-based authentication and integrated this mechanism into personal projects. Nowadays, the authentication method of many websites has shifted from the traditional seesion cookie to token verification. Compared with traditional verification methods, tokens do have better scalability and security.

Traditional session cookie authentication

Because HTTP is stateless, it does not record the user's identity. After the user sends the account and password to the server, the background passes the verification, but the status is not recorded, so the next user's request still needs to verify the identity. In order to solve this problem, it is necessary to generate a record containing the user's identity on the server side, that is, session, and then send this record to the user and store it locally in the user's local area, that is, cookie. Next, the user's request will bring this cookie. If the client's cookie and the server's session can match, it means that the user's identity authentication has passed.

Token identity verification

The process is roughly as follows:

When making the first request, the user sends the account number and password
If the background verification passes, a time-sensitive token will be generated, and then this token will be sent to the user.
After the user obtains the token, Store this token locally, usually in localstorage or cookie
. Each subsequent request will add this token to the request header, and all interfaces that need to verify identity will be checked. Verify the token. If the data parsed by the token contains user identity information, the identity verification is passed.

Compared with traditional verification methods, token verification has the following advantages:

In token-based authentication, the token is transmitted through the request header. Instead of storing authentication information in session or cookie. This means stateless. You can send requests to the server from any terminal that can send HTTP requests.
Can avoid CSRF attacks
When the session is read, written or deleted in the application, a file operation will occur in temp folder of the operating system, at least the first time. Assume there are multiple servers and the session is created on the first service. When you send the request again and the request lands on another server, the session information does not exist and you get an "unauthenticated" response. I know, you can solve this problem with a sticky session. However, in token-based authentication, this problem is naturally solved. There is no sticky session problem because the request token is intercepted on every request sent to the server.

The following is an introduction to using node jwt (jwt tutorial) to build a simple token identity verification

Example

When a user When logging in for the first time, submit the account and password to the server. If the server passes the verification, the corresponding token will be generated. The code is as follows:

const fs = require('fs');
const path = require('path');
const jwt = require('jsonwebtoken');
//生成token的方法
function generateToken(data){
  let created = Math.floor(Date.now() / 1000);
  let cert = fs.readFileSync(path.join(__dirname, '../config/pri.pem'));//私钥
  let token = jwt.sign({
    data,
    exp: created + 3600 * 24
  }, cert, {algorithm: 'RS256'});
  return token;
}
//登录接口
router.post('/oa/login', async (ctx, next) => {
  let data = ctx.request.body；
  let {name, password} = data;
  let sql = 'SELECT uid FROM t_user WHERE name=? and password=? and is_delete=0', value = [name, md5(password)];
  await db.query(sql, value).then(res => {
    if (res && res.length > 0) {
      let val = res[0];
      let uid = val['uid'];
      let token = generateToken({uid});
      ctx.body = {
        ...Tips[0], data: {token}
      }
    } else {
      ctx.body = Tips[1006];
    }
  }).catch(e => {
    ctx.body = Tips[1002];
  });
});

The user will store the token obtained locally after passing the verification:

store.set('loginedtoken',token);//store为插件

After the client requests an interface that requires identity verification, the token will be placed in the request header and passed to the server:

service.interceptors.request.use(config => {
  let params = config.params || {};
  let loginedtoken = store.get('loginedtoken');
  let time = Date.now();
  let {headers} = config;
  headers = {...headers,loginedtoken};
  params = {...params,_:time};
  config = {...config,params,headers};
  return config;
}, error => {
  Promise.reject(error);
})

The server intercepts the token and verifies the legitimacy of all interfaces that require login. .

function verifyToken(token){
  let cert = fs.readFileSync(path.join(__dirname, '../config/pub.pem'));//公钥
  try{
    let result = jwt.verify(token, cert, {algorithms: ['RS256']}) || {};
    let {exp = 0} = result,current = Math.floor(Date.now()/1000);
    if(current  {
  let {url = ''} = ctx;
  if(url.indexOf('/user/') > -1){//需要校验登录态
    let header = ctx.request.header;
    let {loginedtoken} = header;
    if (loginedtoken) {
      let result = verifyToken(loginedtoken);
      let {uid} = result;
      if(uid){
        ctx.state = {uid};
        await next();
      }else{
        return ctx.body = Tips[1005];
      }
    } else {
      return ctx.body = Tips[1005];
    }
  }else{
    await next();
  }
});

The public key and private key used in this example can be generated by yourself. The operation is as follows:

Open the command line tool, enter openssl, and open openssl;
Generate private key: genrsa -out rsa_private_key.pem 2048
Generate public key: rsa -in rsa_private_key.pem -pubout -out rsa_public_key.pem

I believe you have mastered the method after reading the case in this article. For more exciting information, please pay attention to other related articles on the php Chinese website!

Recommended reading:

Using react, redux, react-redux

Detailed explanation of the use of select component case

The above is the detailed content of node+token for user verification. For more information, please follow other related articles on the PHP Chinese website!

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Node.js Streams with TypeScriptApr 30, 2025 am 08:22 AM

Node.js excels at efficient I/O, largely thanks to streams. Streams process data incrementally, avoiding memory overload—ideal for large files, network tasks, and real-time applications. Combining streams with TypeScript's type safety creates a powe

Python vs. JavaScript: Performance and Efficiency ConsiderationsApr 30, 2025 am 12:08 AM

The differences in performance and efficiency between Python and JavaScript are mainly reflected in: 1) As an interpreted language, Python runs slowly but has high development efficiency and is suitable for rapid prototype development; 2) JavaScript is limited to single thread in the browser, but multi-threading and asynchronous I/O can be used to improve performance in Node.js, and both have advantages in actual projects.

The Origins of JavaScript: Exploring Its Implementation LanguageApr 29, 2025 am 12:51 AM

JavaScript originated in 1995 and was created by Brandon Ike, and realized the language into C. 1.C language provides high performance and system-level programming capabilities for JavaScript. 2. JavaScript's memory management and performance optimization rely on C language. 3. The cross-platform feature of C language helps JavaScript run efficiently on different operating systems.

Behind the Scenes: What Language Powers JavaScript?Apr 28, 2025 am 12:01 AM

JavaScript runs in browsers and Node.js environments and relies on the JavaScript engine to parse and execute code. 1) Generate abstract syntax tree (AST) in the parsing stage; 2) convert AST into bytecode or machine code in the compilation stage; 3) execute the compiled code in the execution stage.

The Future of Python and JavaScript: Trends and PredictionsApr 27, 2025 am 12:21 AM

The future trends of Python and JavaScript include: 1. Python will consolidate its position in the fields of scientific computing and AI, 2. JavaScript will promote the development of web technology, 3. Cross-platform development will become a hot topic, and 4. Performance optimization will be the focus. Both will continue to expand application scenarios in their respective fields and make more breakthroughs in performance.

Python vs. JavaScript: Development Environments and ToolsApr 26, 2025 am 12:09 AM

Both Python and JavaScript's choices in development environments are important. 1) Python's development environment includes PyCharm, JupyterNotebook and Anaconda, which are suitable for data science and rapid prototyping. 2) The development environment of JavaScript includes Node.js, VSCode and Webpack, which are suitable for front-end and back-end development. Choosing the right tools according to project needs can improve development efficiency and project success rate.

Is JavaScript Written in C? Examining the EvidenceApr 25, 2025 am 12:15 AM

Yes, the engine core of JavaScript is written in C. 1) The C language provides efficient performance and underlying control, which is suitable for the development of JavaScript engine. 2) Taking the V8 engine as an example, its core is written in C, combining the efficiency and object-oriented characteristics of C. 3) The working principle of the JavaScript engine includes parsing, compiling and execution, and the C language plays a key role in these processes.

JavaScript's Role: Making the Web Interactive and DynamicApr 24, 2025 am 12:12 AM

JavaScript is at the heart of modern websites because it enhances the interactivity and dynamicity of web pages. 1) It allows to change content without refreshing the page, 2) manipulate web pages through DOMAPI, 3) support complex interactive effects such as animation and drag-and-drop, 4) optimize performance and best practices to improve user experience.

See all articles