我正在尝试使用用户角色保护某些路由(某些路由接受多个角色)。当我在路由处理程序中列出接受的角色时,只有列出的第一个用户角色才允许访问 - 我需要允许列出的所有角色都具有访问权限。
这是解码 JWT 令牌的身份验证中间件文件 (auth.js
):
import jwt from "jsonwebtoken"; const auth = (req, res, next) => { const token = req.header("x-auth-token"); if (!token) return res .status(401) .send({ message: "Access denied. No token provided!" }); try { const decoded = jwt.verify(token, "SomethingPrivate"); req.user = decoded; next(); } catch (ex) { res.status(400).send({ message: "Invalid Token." }); } }; export const superAdmin = (req, res, next) => { const token = req.header("x-auth-token"); if (!auth && !token) return res.status(401).send({ message: "Access denied." }); const decoded = jwt.verify(token, "SomethingPrivate"); if (auth && decoded.role === "superAdmin") { res.status(200); next(); } else { res.status(400).send({ message: "Access denied!" }); } }; export const admin = (req, res, next) => { const token = req.header("x-auth-token"); if (!auth && !token) return res.status(401).send({ message: "Access denied." }); const decoded = jwt.verify(token, "SomethingPrivate"); if (auth && decoded.role === "admin") { res.status(200); next(); } else { res.status(400).send({ message: "Access denied!" }); } }; export const teacher = (req, res, next) => { const token = req.header("x-auth-token"); if (!auth || !token) return res.status(401).send({ message: "Access denied." }); const decoded = jwt.verify(token, "SomethingPrivate"); if (auth && decoded.role === "teacher") { res.status(200); next(); } else { res.status(400).send({ message: "Access denied!" }); } }; export const student = (req, res, next) => { const token = req.header("x-auth-token"); if (!auth || !token) return res.status(401).send({ message: "Access denied." }); const decoded = jwt.verify(token, "SomethingPrivate"); if (auth && decoded.role === "student") { res.status(200); next(); } else { res.status(400).send({ message: "Access denied!" }); } }; export const parent = (req, res, next) => { const token = req.header("x-auth-token"); if (!auth) return res.status(401).send({ message: "Access denied." }); const decoded = jwt.verify(token, "SomethingPrivate"); if (auth && decoded.role === "parent") { res.status(200); next(); } else { res.status(400).send({ message: "Access denied!" }); } };
这是路由器文件(userRoute.js
):
import express from "express"; import { superAdmin, admin, teacher, student, parent, } from "../middleware/auth.js"; const router = express.Router(); import { view, find, me, create, edit, update, viewUser, } from "../controllers/userController.js"; // Routes router.get("/", [superAdmin, admin], view); //The route I am struggling with at the moment// router.post("/", find); router.get("/me", me); router.post("/create", superAdmin, create); router.get("/edituser/:userID", edit); router.post("/edituser/:userID", [], update); router.get("/viewuser/:userID", viewUser); export { router as user };
最后,登录时签名时插入 JWT 有效负载的数据并存储在响应标头中:
const token = jwt.sign( { userID: result[0].userID, firstName: result[0].firstName, lastName: result[0].lastName, email: result[0].email, role: result[0].role, },
在 userRoute.js
文件中,我尝试在该路由的每个接受的角色之间使用管道运算符,但我似乎无法将角色视为布尔值。
如有任何帮助,我们将不胜感激! (这是在不久的将来将与 React 前端配对的后端。)
P粉3691966032024-02-18 10:42:11
中间件函数数组始终像按顺序指定路由一样工作。这意味着,如果您在其中一个中间件函数中调用 res.send()
,则数组中的所有下一个函数都尚未使用。
我会这样建议,例如:
用于家长、学生、管理员访问路由的中间件
export const parent = (req, res, next) => { const token = req.header("x-auth-token"); if (!auth) return res.status(401).send({ message: "Access denied." }); const decoded = jwt.verify(token, "SomethingPrivate"); if (auth && ["parent", "student", "admin"].includes(decoded.role)) { res.status(200); } else { res.status(400).send({ message: "Access denied!" }); } };
仅由 admin
访问的路由中间件:
export const parent = (req, res, next) => { const token = req.header("x-auth-token"); if (!auth) return res.status(401).send({ message: "Access denied." }); const decoded = jwt.verify(token, "SomethingPrivate"); if (auth && ["admin"].includes(decoded.role))) { res.status(200); } else { res.status(400).send({ message: "Access denied!" }); } };