搜索

首页  >  问答  >  正文

向受保护的路由添加多个角色(Node + Express + JWT)

我正在尝试使用用户角色保护某些路由(某些路由接受多个角色)。当我在路由处理程序中列出接受的角色时,只有列出的第一个用户角色才允许访问 - 我需要允许列出的所有角色都具有访问权限。

这是解码 JWT 令牌的身份验证中间件文件 (auth.js):

import jwt from "jsonwebtoken";

const auth = (req, res, next) => {
  const token = req.header("x-auth-token");
  if (!token)
    return res
      .status(401)
      .send({ message: "Access denied. No token provided!" });

  try {
    const decoded = jwt.verify(token, "SomethingPrivate");
    req.user = decoded;
    next();
  } catch (ex) {
    res.status(400).send({ message: "Invalid Token." });
  }
};

export const superAdmin = (req, res, next) => {
  const token = req.header("x-auth-token");
  if (!auth && !token)
    return res.status(401).send({ message: "Access denied." });

  const decoded = jwt.verify(token, "SomethingPrivate");
  if (auth && decoded.role === "superAdmin") {
    res.status(200);
    next();
  } else {
    res.status(400).send({ message: "Access denied!" });
  }
};

export const admin = (req, res, next) => {
  const token = req.header("x-auth-token");
  if (!auth && !token)
    return res.status(401).send({ message: "Access denied." });

  const decoded = jwt.verify(token, "SomethingPrivate");
  if (auth && decoded.role === "admin") {
    res.status(200);
    next();
  } else {
    res.status(400).send({ message: "Access denied!" });
  }
};

export const teacher = (req, res, next) => {
  const token = req.header("x-auth-token");
  if (!auth || !token)
    return res.status(401).send({ message: "Access denied." });

  const decoded = jwt.verify(token, "SomethingPrivate");
  if (auth && decoded.role === "teacher") {
    res.status(200);
    next();
  } else {
    res.status(400).send({ message: "Access denied!" });
  }
};

export const student = (req, res, next) => {
  const token = req.header("x-auth-token");
  if (!auth || !token)
    return res.status(401).send({ message: "Access denied." });

  const decoded = jwt.verify(token, "SomethingPrivate");
  if (auth && decoded.role === "student") {
    res.status(200);
    next();
  } else {
    res.status(400).send({ message: "Access denied!" });
  }
};

export const parent = (req, res, next) => {
  const token = req.header("x-auth-token");
  if (!auth) return res.status(401).send({ message: "Access denied." });

  const decoded = jwt.verify(token, "SomethingPrivate");
  if (auth && decoded.role === "parent") {
    res.status(200);
    next();
  } else {
    res.status(400).send({ message: "Access denied!" });
  }
};

这是路由器文件(userRoute.js):

import express from "express";
import {
  superAdmin,
  admin,
  teacher,
  student,
  parent,
} from "../middleware/auth.js";
const router = express.Router();
import {
  view,
  find,
  me,
  create,
  edit,
  update,
  viewUser,
} from "../controllers/userController.js";

// Routes
router.get("/", [superAdmin, admin], view); //The route I am struggling with at the moment//
router.post("/", find);
router.get("/me", me);
router.post("/create", superAdmin, create);
router.get("/edituser/:userID", edit);
router.post("/edituser/:userID", [], update);
router.get("/viewuser/:userID", viewUser);


export { router as user };

最后,登录时签名时插入 JWT 有效负载的数据并存储在响应标头中:

const token = jwt.sign(
              {
                userID: result[0].userID,
                firstName: result[0].firstName,
                lastName: result[0].lastName,
                email: result[0].email,
                role: result[0].role,
              },

userRoute.js 文件中,我尝试在该路由的每个接受的角色之间使用管道运算符,但我似乎无法将角色视为布尔值。

如有任何帮助,我们将不胜感激! (这是在不久的将来将与 React 前端配对的后端。)

P粉476547076P粉476547076323 天前320

全部回复(1)我来回复

  • P粉369196603

    P粉3691966032024-02-18 10:42:11

    中间件函数数组始终像按顺序指定路由一样工作。这意味着,如果您在其中一个中间件函数中调用 res.send(),则数组中的所有下一个函数都尚未使用。

    我会这样建议,例如:

    用于家长、学生、管理员访问路由的中间件

    export const parent = (req, res, next) => {
      const token = req.header("x-auth-token");
      if (!auth) return res.status(401).send({ message: "Access denied." });
    
      const decoded = jwt.verify(token, "SomethingPrivate");
      if (auth && ["parent", "student", "admin"].includes(decoded.role)) {
        res.status(200);
      } else {
        res.status(400).send({ message: "Access denied!" });
      }
    };

    仅由 admin 访问的路由中间件:

    export const parent = (req, res, next) => {
      const token = req.header("x-auth-token");
      if (!auth) return res.status(401).send({ message: "Access denied." });
    
      const decoded = jwt.verify(token, "SomethingPrivate");
      if (auth && ["admin"].includes(decoded.role))) {
        res.status(200);
      } else {
        res.status(400).send({ message: "Access denied!" });
      }
    };

    回复
    0
  • 取消回复