简体繁体 English

passport的REST API

[英]securing a REST api for nodejs/express/passport

原文 2014-01-26 03:49:19 6 1 node.js/ rest/ express/ passport.js

So we have our application in nodejs ready, implemented with passport as authentication framework on top of express/nodejs. 因此，我们已经准备好在nodejs中使用我们的应用程序，并通过护照作为Express / nodejs之上的身份验证框架来实现。 The routes had been designed as REST API. 路由已被设计为REST API。

Now, there's a request to make the routes available as REST API to non-browser clients. 现在，有一个请求要求将路由作为REST API提供给非浏览器客户端。

How would I go about implementing this when our app already works well with passport for authentication? 当我们的应用程序已经可以很好地与护照进行身份验证时，我将如何实施呢？ Can passport be used for that? 可以使用护照吗？ Or another framework, like Oauth? 还是其他框架，例如Oauth？ Would they be compatible or would I need to dismantle the passport code to implement with Oauth? 它们是否兼容，或者我需要拆除护照代码才能通过Oauth实施？

Coulnd't find relevant information yet. 尚未找到相关信息。

1 个解决方案

I am not familiar with passport.js but most of the browser based server applications use sessions for user authentication. 我不熟悉passport.js，但是大多数基于浏览器的服务器应用程序都使用会话进行用户身份验证。 This is usually not the case for non browser based REST clients which use tokens to authenticate requests. 对于非基于浏览器的REST客户端（使用令牌来验证请求），通常不是这种情况。

An Oauth server is implemented to issue tokens to different clients and these tokens are sent with each request. Oauth服务器被实现为向不同的客户端发行令牌，并且这些令牌与每个请求一起发送。 SSL is used to protect these tokens. SSL用于保护这些令牌。 In your case, you can add an Oauth middleware for REST clients while having the same end points as for your browser based application. 在您的情况下，您可以为REST客户端添加Oauth中间件，同时具有与基于浏览器的应用程序相同的端点。