Google+登录-该页面仅适用于已登录用户
[英]Google+ Sign-In - Page accessible for logged in users only
问题描述
I decided to use social media benefits on my page and currently I'm implementing Google+ Sign-In. 
我决定在页面上使用社交媒体权益,目前正在实施Google+登录。
One of the pages on my website should be accessible for logged in users only (adding stuff to the page). 我的网站上的页面之一应仅可用于登录用户访问(向页面添加内容)。 I am logging user to website via JavaScript. 我正在通过JavaScript将用户登录到网站。
I'm aware that javascript is executed on client-side but I am curious is it possible to restrict access to the certain page using only javascript. 我知道javascript是在客户端执行的,但我很好奇是否有可能仅使用javascript限制对特定页面的访问。
2 个解决方案
解决方案1
1 2014-08-20 18:44:26
Here is one way to do this, with comments throughout: 这是执行此操作的一种方法,并且在整个注释中都包含以下内容:
var authenticate = function(req, success, failure) {
// Use the Google strategy with passport.js, but with a custom callback.
// passport.authenticate returns Connect middleware that we will use below.
//
// For reference: http://passportjs.org/guide/authenticate/
return passport.authenticate('google',
// This is the 'custom callback' part
function (err, user, info) {
if (err) {
failure(err);
}
else if (!user) {
failure("Invalid login data");
}
else {
// Here, you can do what you want to control
// access. For example, you asked to deny users
// with a specific email address:
if (user.emails[0].value === "no@emails.com") {
failure("User not allowed");
}
else {
// req.login is added by the passport.initialize()
// middleware to manage login state. We need
// to call it directly, as we're overriding
// the default passport behavior.
req.login(user, function(err) {
if (err) {
failure(err);
}
success();
});
}
}
}
);
};
One idea is to wrap the above code in some more middleware, to make it easier to read:
// This defines what we send back to clients that want to authenticate
// with the system.
var authMiddleware = function(req, res, next) {
var success = function() {
res.send(200, "Login successul");
};
var failure = function(error) {
console.log(error);
res.send(401, "Unauthorized");
};
var middleware = authenticate(req, success, failure);
middleware(req, res, next);
};
// GET /auth/google/return
// Use custom middleware to handle the return from Google.
// The first /auth/google call can remain the same.
app.get('/auth/google/return', authMiddleware);
Credits : https://stackoverflow.com/a/13734798/1670308 积分: https : //stackoverflow.com/a/13734798/1670308
解决方案2
1 已采纳 2014-08-21 06:47:47
You cannot perform reliable access control using only client-side javascript. 您不能仅使用客户端javascript执行可靠的访问控制。
This is because since the javascript is executed on the user's browser, the user will be able to bypass any access control rule you've set there. 这是因为由于javascript是在用户的浏览器上执行的,所以用户将能够绕过您在此处设置的所有访问控制规则。
You must perform your access control on server-side, in your case in Python code. 您必须在服务器端执行访问控制,以Python代码为例。
Generally, people also perform some kind of access control check on the client side, not to prevent access, but for example to hide/disable buttons that the user cannot use. 通常,人们还在客户端执行某种访问控制检查,不是为了阻止访问,而是例如隐藏/禁用用户无法使用的按钮。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.