[英]How can I impersonate another user with Passport.js in Node?
Using Passport.js in Node, is there a way for me to allow one user to impersonate another? 在Node中使用Passport.js,有没有办法允许一个用户冒充另一个用户? eg.
例如。 as an Administrator in the application, I want to be able to log in as another user, without knowing their password.
作为应用程序的管理员,我希望能够以另一个用户身份登录,而无需知道他们的密码。
Most simply, I would be satisfied if I could change the serialized user data (user ID) so when deserializeUser
is called it will just assume the identity of the alternate user. 最简单的是,如果我可以更改序列化的用户数据(用户ID),我会感到满意,因此当调用
deserializeUser
时,它将只假设备用用户的身份。 I've tried replacing the value at req._passport.session.user
and the value at req.session.passport.user
but the net effect is just that my session seems to become invalid and Passport logs me out. 我试着更换的价值
req._passport.session.user
和值req.session.passport.user
但实际效果是只是我的会议似乎变得无效,护照登录我出去。
Passport provides a req.logIn
method in case you want to do the authentication manually. 如果要手动执行身份验证,Passport会提供
req.logIn
方法。 You can use it to login any user even regardless of authentication. 即使不进行身份验证,您也可以使用它登录任何用户。
Here's how you can use it. 这是你如何使用它。 Have the Admin login normally, who'll have an
isAdmin
flag set. 让Admin正常登录,谁将设置
isAdmin
标志。
Then place a middleware before passport.authenticate
in your login route. 然后前放置一个中间件
passport.authenticate
在您登录路由。 This will login the new user based only on their username, if the currently logged in user isAdmin
. 如果当前登录的用户是
isAdmin
,这将仅根据用户名登录新用户。
app.post('/login',
function forceLogin(req, res, next) {
if (!req.user.isAdmin) return next(); // skip if not admin
User.findOne({
username: req.body.username // < entered username
}, function(err, user) {
// no checking for password
req.logIn(user);
res.redirect('/users/' + user.username);
});
},
passport.authenticate('local'),
function(req, res) {
res.redirect('/users/' + req.user.username);
}
);
I have another way to impersonate, because: 我有另一种冒充方式,因为:
What I do is: 我所做的是:
Have a route for user with superadmin role to impersonate, like /superadmin/impersonate?username=normaluser1
which sets req.user.impersonated.userid = normaluser1.userid
为具有superadmin角色的用户设置路由,例如
/superadmin/impersonate?username=normaluser1
设置req.user.impersonated.userid = normaluser1.userid
Then I have a middleware, which checks if user is superadmin and is impersonated: 然后我有一个中间件,它检查用户是否是superadmin并被模仿:
if (req.user.isAdmin && req.user.impersonated) { req.user.userid = req.user.impersonated.userid; if(req.user.isAdmin && req.user.impersonated){req.user.userid = req.user.impersonated.userid; }
}
Also, I have found this to be a good article about user impersonation. 另外,我发现这是一篇关于用户模仿的好文章。 Similar to my approach, and good for inspiration for building something similar.
类似于我的方法,并且有助于构建类似的东西。
The answer to your question is basically : no. 你的问题的答案基本上是:不。 The reason is this: the sessions library that is being used 99% of the time is signing the cookies, so if you tamper with the data the web server will reject it.
原因是:99%的时间使用的会话库是对cookie进行签名,因此如果您篡改数据,Web服务器将拒绝它。
The way around this is to write your own passport authentication strategy that obviously doesn't do this, but I'm assuming you're talking about working with the built-in strategies here. 解决这个问题的方法是编写自己的护照身份验证策略,显然不会这样做,但我假设您正在讨论如何使用内置策略。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.