如何在Node中使用Passport.js模拟另一个用户?
[英]How can I impersonate another user with Passport.js in Node?
问题描述
Using Passport.js in Node, is there a way for me to allow one user to impersonate another? 
在Node中使用Passport.js,有没有办法允许一个用户冒充另一个用户? eg. 例如。 as an Administrator in the application, I want to be able to log in as another user, without knowing their password. 作为应用程序的管理员,我希望能够以另一个用户身份登录,而无需知道他们的密码。
Most simply, I would be satisfied if I could change the serialized user data (user ID) so when deserializeUser is called it will just assume the identity of the alternate user. 最简单的是,如果我可以更改序列化的用户数据(用户ID),我会感到满意,因此当调用deserializeUser时,它将只假设备用用户的身份。 I've tried replacing the value at req._passport.session.user and the value at req.session.passport.user but the net effect is just that my session seems to become invalid and Passport logs me out. 我试着更换的价值req._passport.session.user和值req.session.passport.user但实际效果是只是我的会议似乎变得无效,护照登录我出去。
3 个解决方案
解决方案1
12 已采纳 2015-01-30 00:16:46
Passport provides a req.logIn method in case you want to do the authentication manually. 如果要手动执行身份验证,Passport会提供req.logIn方法。 You can use it to login any user even regardless of authentication. 即使不进行身份验证,您也可以使用它登录任何用户。
Here's how you can use it. 这是你如何使用它。 Have the Admin login normally, who'll have an isAdmin flag set. 让Admin正常登录,谁将设置isAdmin标志。
Then place a middleware before passport.authenticate in your login route. 然后前放置一个中间件passport.authenticate在您登录路由。 This will login the new user based only on their username, if the currently logged in user isAdmin . 如果当前登录的用户是isAdmin ,这将仅根据用户名登录新用户。
app.post('/login',
function forceLogin(req, res, next) {
if (!req.user.isAdmin) return next(); // skip if not admin
User.findOne({
username: req.body.username // < entered username
}, function(err, user) {
// no checking for password
req.logIn(user);
res.redirect('/users/' + user.username);
});
},
passport.authenticate('local'),
function(req, res) {
res.redirect('/users/' + req.user.username);
}
);
解决方案2
2 2017-06-26 11:27:48
I have another way to impersonate, because: 我有另一种冒充方式,因为:
- I didn't want to mess with internals of authentication/passport like session storage / logIn / etc. You must understand them really well and also they are prone to change so I'd say it's not an option for me. 我不想弄乱身份验证/护照的内部,如会话存储/登录/等等。你必须非常了解它们,而且它们也很容易改变,所以我说它不适合我。
- Also, I'd like to still be able to tell if action is made from superuser (impersonated) or normal user (not impersonated). 此外,我还想知道是否由超级用户(模仿)或普通用户(未模拟)进行操作。
What I do is: 我所做的是:
Have a route for user with superadmin role to impersonate, like
/superadmin/impersonate?username=normaluser1which setsreq.user.impersonated.userid = normaluser1.userid为具有superadmin角色的用户设置路由,例如/superadmin/impersonate?username=normaluser1设置req.user.impersonated.userid = normaluser1.useridThen I have a middleware, which checks if user is superadmin and is impersonated:
然后我有一个中间件,它检查用户是否是superadmin并被模仿: if (req.user.isAdmin && req.user.impersonated) { req.user.userid = req.user.impersonated.userid;
if(req.user.isAdmin && req.user.impersonated){req.user.userid = req.user.impersonated.userid; } }
Also, I have found this to be a good article about user impersonation. 另外,我发现这是一篇关于用户模仿的好文章。 Similar to my approach, and good for inspiration for building something similar. 类似于我的方法,并且有助于构建类似的东西。
解决方案3
1 2015-01-27 01:03:25
The answer to your question is basically : no. 你的问题的答案基本上是:不。 The reason is this: the sessions library that is being used 99% of the time is signing the cookies, so if you tamper with the data the web server will reject it. 原因是:99%的时间使用的会话库是对cookie进行签名,因此如果您篡改数据,Web服务器将拒绝它。
The way around this is to write your own passport authentication strategy that obviously doesn't do this, but I'm assuming you're talking about working with the built-in strategies here. 解决这个问题的方法是编写自己的护照身份验证策略,显然不会这样做,但我假设您正在讨论如何使用内置策略。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.