搜尋

首頁  >  問答  >  主體

在受保護的路由中新增多個角色(Node + Express + JWT)

我正在嘗試使用使用者角色保護某些路由(某些路由接受多個角色)。當我在路由處理程序中列出接受的角色時,只有列出的第一個使用者角色才允許存取 - 我需要允許列出的所有角色都具有存取權限。

這是解碼 JWT 令牌的驗證中間件檔案 (auth.js):

import jwt from "jsonwebtoken";

const auth = (req, res, next) => {
  const token = req.header("x-auth-token");
  if (!token)
    return res
      .status(401)
      .send({ message: "Access denied. No token provided!" });

  try {
    const decoded = jwt.verify(token, "SomethingPrivate");
    req.user = decoded;
    next();
  } catch (ex) {
    res.status(400).send({ message: "Invalid Token." });
  }
};

export const superAdmin = (req, res, next) => {
  const token = req.header("x-auth-token");
  if (!auth && !token)
    return res.status(401).send({ message: "Access denied." });

  const decoded = jwt.verify(token, "SomethingPrivate");
  if (auth && decoded.role === "superAdmin") {
    res.status(200);
    next();
  } else {
    res.status(400).send({ message: "Access denied!" });
  }
};

export const admin = (req, res, next) => {
  const token = req.header("x-auth-token");
  if (!auth && !token)
    return res.status(401).send({ message: "Access denied." });

  const decoded = jwt.verify(token, "SomethingPrivate");
  if (auth && decoded.role === "admin") {
    res.status(200);
    next();
  } else {
    res.status(400).send({ message: "Access denied!" });
  }
};

export const teacher = (req, res, next) => {
  const token = req.header("x-auth-token");
  if (!auth || !token)
    return res.status(401).send({ message: "Access denied." });

  const decoded = jwt.verify(token, "SomethingPrivate");
  if (auth && decoded.role === "teacher") {
    res.status(200);
    next();
  } else {
    res.status(400).send({ message: "Access denied!" });
  }
};

export const student = (req, res, next) => {
  const token = req.header("x-auth-token");
  if (!auth || !token)
    return res.status(401).send({ message: "Access denied." });

  const decoded = jwt.verify(token, "SomethingPrivate");
  if (auth && decoded.role === "student") {
    res.status(200);
    next();
  } else {
    res.status(400).send({ message: "Access denied!" });
  }
};

export const parent = (req, res, next) => {
  const token = req.header("x-auth-token");
  if (!auth) return res.status(401).send({ message: "Access denied." });

  const decoded = jwt.verify(token, "SomethingPrivate");
  if (auth && decoded.role === "parent") {
    res.status(200);
    next();
  } else {
    res.status(400).send({ message: "Access denied!" });
  }
};

這是路由器檔案(userRoute.js):

import express from "express";
import {
  superAdmin,
  admin,
  teacher,
  student,
  parent,
} from "../middleware/auth.js";
const router = express.Router();
import {
  view,
  find,
  me,
  create,
  edit,
  update,
  viewUser,
} from "../controllers/userController.js";

// Routes
router.get("/", [superAdmin, admin], view); //The route I am struggling with at the moment//
router.post("/", find);
router.get("/me", me);
router.post("/create", superAdmin, create);
router.get("/edituser/:userID", edit);
router.post("/edituser/:userID", [], update);
router.get("/viewuser/:userID", viewUser);


export { router as user };

最後,登入時簽章時插入 JWT 有效負載的資料並儲存在回應標頭中:

const token = jwt.sign(
              {
                userID: result[0].userID,
                firstName: result[0].firstName,
                lastName: result[0].lastName,
                email: result[0].email,
                role: result[0].role,
              },

userRoute.js 檔案中,我嘗試在該路由的每個接受的角色之間使用管道運算符,但我似乎無法將角色視為布林值。

如有任何幫助,我們將不勝感激! (這是在不久的將來將與 React 前端配對的後端。)

P粉476547076P粉476547076338 天前335

全部回覆(1)我來回復

  • P粉369196603

    P粉3691966032024-02-18 10:42:11

    中間件函數數組總是像按順序指定路由一樣工作。這意味著,如果您在其中一個中間件函數中呼叫 res.send(),則數組中的所有下一個函數都尚未使用。

    我會這樣建議,例如:

    用於家長、學生、管理員存取路由的中間件

    #
    export const parent = (req, res, next) => {
      const token = req.header("x-auth-token");
      if (!auth) return res.status(401).send({ message: "Access denied." });
    
      const decoded = jwt.verify(token, "SomethingPrivate");
      if (auth && ["parent", "student", "admin"].includes(decoded.role)) {
        res.status(200);
      } else {
        res.status(400).send({ message: "Access denied!" });
      }
    };

    僅由 admin 存取的路由中間件:

    export const parent = (req, res, next) => {
      const token = req.header("x-auth-token");
      if (!auth) return res.status(401).send({ message: "Access denied." });
    
      const decoded = jwt.verify(token, "SomethingPrivate");
      if (auth && ["admin"].includes(decoded.role))) {
        res.status(200);
      } else {
        res.status(400).send({ message: "Access denied!" });
      }
    };

    回覆
    0
  • 取消回覆