我正在嘗試使用使用者角色保護某些路由(某些路由接受多個角色)。當我在路由處理程序中列出接受的角色時,只有列出的第一個使用者角色才允許存取 - 我需要允許列出的所有角色都具有存取權限。
這是解碼 JWT 令牌的驗證中間件檔案 (auth.js
):
import jwt from "jsonwebtoken"; const auth = (req, res, next) => { const token = req.header("x-auth-token"); if (!token) return res .status(401) .send({ message: "Access denied. No token provided!" }); try { const decoded = jwt.verify(token, "SomethingPrivate"); req.user = decoded; next(); } catch (ex) { res.status(400).send({ message: "Invalid Token." }); } }; export const superAdmin = (req, res, next) => { const token = req.header("x-auth-token"); if (!auth && !token) return res.status(401).send({ message: "Access denied." }); const decoded = jwt.verify(token, "SomethingPrivate"); if (auth && decoded.role === "superAdmin") { res.status(200); next(); } else { res.status(400).send({ message: "Access denied!" }); } }; export const admin = (req, res, next) => { const token = req.header("x-auth-token"); if (!auth && !token) return res.status(401).send({ message: "Access denied." }); const decoded = jwt.verify(token, "SomethingPrivate"); if (auth && decoded.role === "admin") { res.status(200); next(); } else { res.status(400).send({ message: "Access denied!" }); } }; export const teacher = (req, res, next) => { const token = req.header("x-auth-token"); if (!auth || !token) return res.status(401).send({ message: "Access denied." }); const decoded = jwt.verify(token, "SomethingPrivate"); if (auth && decoded.role === "teacher") { res.status(200); next(); } else { res.status(400).send({ message: "Access denied!" }); } }; export const student = (req, res, next) => { const token = req.header("x-auth-token"); if (!auth || !token) return res.status(401).send({ message: "Access denied." }); const decoded = jwt.verify(token, "SomethingPrivate"); if (auth && decoded.role === "student") { res.status(200); next(); } else { res.status(400).send({ message: "Access denied!" }); } }; export const parent = (req, res, next) => { const token = req.header("x-auth-token"); if (!auth) return res.status(401).send({ message: "Access denied." }); const decoded = jwt.verify(token, "SomethingPrivate"); if (auth && decoded.role === "parent") { res.status(200); next(); } else { res.status(400).send({ message: "Access denied!" }); } };
這是路由器檔案(userRoute.js
):
import express from "express"; import { superAdmin, admin, teacher, student, parent, } from "../middleware/auth.js"; const router = express.Router(); import { view, find, me, create, edit, update, viewUser, } from "../controllers/userController.js"; // Routes router.get("/", [superAdmin, admin], view); //The route I am struggling with at the moment// router.post("/", find); router.get("/me", me); router.post("/create", superAdmin, create); router.get("/edituser/:userID", edit); router.post("/edituser/:userID", [], update); router.get("/viewuser/:userID", viewUser); export { router as user };
最後,登入時簽章時插入 JWT 有效負載的資料並儲存在回應標頭中:
const token = jwt.sign( { userID: result[0].userID, firstName: result[0].firstName, lastName: result[0].lastName, email: result[0].email, role: result[0].role, },
在 userRoute.js
檔案中,我嘗試在該路由的每個接受的角色之間使用管道運算符,但我似乎無法將角色視為布林值。
如有任何幫助,我們將不勝感激! (這是在不久的將來將與 React 前端配對的後端。)
P粉3691966032024-02-18 10:42:11
中間件函數數組總是像按順序指定路由一樣工作。這意味著,如果您在其中一個中間件函數中呼叫 res.send()
,則數組中的所有下一個函數都尚未使用。
我會這樣建議,例如:
用於家長、學生、管理員存取路由的中間件
export const parent = (req, res, next) => { const token = req.header("x-auth-token"); if (!auth) return res.status(401).send({ message: "Access denied." }); const decoded = jwt.verify(token, "SomethingPrivate"); if (auth && ["parent", "student", "admin"].includes(decoded.role)) { res.status(200); } else { res.status(400).send({ message: "Access denied!" }); } };
僅由 admin
存取的路由中間件:
export const parent = (req, res, next) => { const token = req.header("x-auth-token"); if (!auth) return res.status(401).send({ message: "Access denied." }); const decoded = jwt.verify(token, "SomethingPrivate"); if (auth && ["admin"].includes(decoded.role))) { res.status(200); } else { res.status(400).send({ message: "Access denied!" }); } };