使用范围保护API(oauth2orize,passport,express,Nodejs)
[英]Protecting an API with Scopes (oauth2orize, passport, express, Nodejs)
问题描述
I'm trying to create an API with node/express, and secure it with Passport and oauth2orize. 
我正在尝试使用node / express创建一个API,并使用Passport和oauth2orize保护它。 I've got the API working, I've got the oauth2 stuff working, but I can't seem to figure out how to implement securing API methods with scopes. 我已经使用了API,我已经使用了oauth2,但是我似乎无法弄清楚如何使用范围来实现安全的API方法。
The oauth2orize token hander-outer: oauth2orize令牌处理者:
server.exchange(oauth2orize.exchange.password(function (client, username, password, scope, done) {
scope = scope || ['unauthorized'];
db.collection('oauth_users').findOne({username: username}, function (err, user) {
if (err) return done(err);
if (!user) return done(null, false);
for (i in scope)
if(user.scope.indexOf(scope[i]) < 0) return done(null, false);
bcrypt.compare(password, user.password, function (err, res) {
if (!res) return done(null, false);
var token = utils.uid(256)
var refreshToken = utils.uid(256)
var tokenHash = crypto.createHash('sha1').update(token).digest('hex')
var refreshTokenHash = crypto.createHash('sha1').update(refreshToken).digest('hex')
var expirationDate = new Date(new Date().getTime() + (3600 * 1000))
db.collection('oauth_access_tokens').save({token: tokenHash, expirationDate: expirationDate, clientId: client.clientId, userId: username, scope: scope}, function (err) {
if (err) return done(err)
db.collection('oauth_refresh_tokens').save({refreshToken: refreshTokenHash, clientId: client.clientId, userId: username}, function (err) {
if (err) return done(err)
done(null, token, refreshToken, {expires_in: expirationDate})
})
})
})
}) }))
The passport bearer token checker: 护照不记名令牌检查器:
passport.use("accessToken", new BearerStrategy(
{passReqToCallback: true},
function (req, accessToken, done) {
console.dir(req.params);
var accessTokenHash = crypto.createHash('sha1').update(accessToken).digest('hex')
db.collection('oauth_access_tokens').findOne({token: accessTokenHash}, function (err, token) {
if (err) return done(err);
if (!token) return done(null, false);
if (new Date() > token.expirationDate) {
db.collection('oauth_access_tokens').remove({token: accessTokenHash}, function (err) { done(err) });
} else {
db.collection('oauth_users').findOne({username: token.userId}, function (err, user) {
if (err) return done(err);
if (!user) return done(null, false);
// no use of scopes for no
var info = { scope: '*' }
done(null, user, info);
})
}
})
}))
The API security: API安全性:
router.get('/restricted', passport.authenticate('accessToken', { scope: "unauthorized", session: false }), function (req, res) {
res.send("Restricted Function");})
I can find no example of accessing the "scope" option passed in passport.authenticate to passport.use. 我无法找到访问通过password.authenticate传递给Passport.use的“ scope”选项的示例。 I was thinking it was in the req object, but I can't find it in there. 我以为它在req对象中,但是我在那儿找不到它。 Any help? 有什么帮助吗?
1 个解决方案
解决方案1
1 2015-07-26 19:45:55
A bit late. 有点晚了。 But thought this might help. 但是认为这可能会有所帮助。 The info object that you pass as the third parameter can be used from the middleware as req.authInfo . 您可以从中间件中将您作为第三个参数传递的信息对象用作req.authInfo 。 If you have scope attached with the user object or if you have declared it at passport.authenticate initialize level, you can pass it through this parameter and make use of in the middleware. 如果您的用户对象附带有作用域 ,或者在护照.authenticate初始化级别上声明了作用域 ,则可以通过此参数将其传递并在中间件中使用。 Please have a look at this link Usage of scopes 请查看此链接范围的用法
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.