伊谢尔伦2017-04-17 13:57:03
This is how I do it:
Add a general rule before all routing rules to filter incoming requests, assuming it is an authenticate() function.
In the authenticate() function, extract the timestamp and token fields in the URL query. First check the legality of timestamp, for example, it cannot exceed 5 minutes compared to the current time. Then generate a token for verification based on your token rules, and compare it with the token in the URL. If they are consistent, the verification passes.
When encountering any illegal situation, immediately return res.status(400).send({ok: -1, errMsg: "<ERROR MESSAGE>"}), and finally call next() to release legitimate requests.
PHPz2017-04-17 13:57:03
What does permission management mean here? If it is login verification, you can try passport. This is a token-based plug-in, and it also has a good ecosystem. Basic common verification strategies have ready-made implementations.
If you are referring to various roles, users, etc., you can try rbac.