
PassportJS authentication and mongodb database collection best practices?

I am working on a project, and it is actually my first time using nodejs, express and mongodb. For the authentication I am using passport.js, which looks pretty flexible and easy to integrate.

I really like the idea of serializing and deserializing, but my concern is about the user object, which is always ON and can be used on every request.

My project involves subscriptions, user profiles and maybe a small ticket system. So my user schema contains user credentials, user info like address, phone, email and also information about the subscription. Some of this information is embedded documents within the same schema. It seems weird that all this info is always ready even if I do not need it; even the bcrypt password is always on the request call.

My question is: do you think it is best practice to separate the user credentials from the user object and play with relationships, so I can call the user info when I need it in the normal controller/model way?

Thanks in advance

If you are referring to sessions, you should really only be sending a small piece of data with the request, such as a user id. The entire user document should not be going across with every request.

It's common practice to separate user credentials from the rest of the user data, because the credentials need to be stored in a very secure manner - so much so that it dictates different infrastructure.

I work at Stormpath and we provide this as a service. We store the password for you, with very high levels of encryption. We have a great integration for Express; you can check it out here:

https://github.com/stormpath/stormpath-express
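One way to implement what both answers above recommend, as an added example rather than code from the post, from Passport or from Stormpath: the session carries only the user id, and the credentials live in a separate collection that the per-request deserialize step never reads. The in-memory Maps, the id and the hash string are constructed stand-ins for MongoDB collections and real values.

```javascript
// Added example; not code from the original post, Passport or Stormpath.
// Constructed sample data: two in-memory Maps stand in for two MongoDB
// collections, one holding only credentials, one holding profile data.
const USER_ID = '64a1f0c2e4b0a1b2c3d4e5f6'; // constructed ObjectId-style id

const credentialsCollection = new Map([
  [USER_ID, {
    email: 'alice@example.com',
    passwordHash: '$2b$10$CONSTRUCTED.PLACEHOLDER.NOT.A.REAL.HASH',
  }],
]);

const usersCollection = new Map([
  [USER_ID, {
    _id: USER_ID,
    email: 'alice@example.com',
    profile: { address: '1 Example St', phone: '555-0100' },
    subscription: { plan: 'basic', renewsAt: '2024-01-01' },
  }],
]);

// Passport calls this once, at login: only the id is written to the session.
function serializeUser(user, done) {
  done(null, user._id);
}

// Passport calls this on every request that carries a session. It reads the
// profile collection only, so the bcrypt hash is never placed on req.user.
// With Mongoose this would be User.findById(id).lean() on the profile model.
function deserializeUser(id, done) {
  const doc = usersCollection.get(id);
  if (!doc) return done(null, false); // stale session id: no user, not an error
  done(null, doc);
}

// Login is the only code path that touches the credentials collection.
// `compare(password, hash)` is injected so this file needs no bcrypt
// dependency; in a real app pass bcrypt.compareSync (same argument order).
function authenticate(email, password, compare) {
  for (const [id, cred] of credentialsCollection) {
    if (cred.email !== email) continue;
    return compare(password, cred.passwordHash) ? usersCollection.get(id) : null;
  }
  return null;
}

// Express wiring (requires passport):
//   passport.serializeUser(serializeUser);
//   passport.deserializeUser(deserializeUser);
```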
