nodeJS，angularJS应用程序中的页面请求上的服务器身份验证

Question

I am using passport.js for authentication. My requirement is that, anyone should not be able to access a particular page (say, '/restricted'), if one is not logged in.

Right now, in my application, anyone can access "localhost:3000/#/restricted" url directly.

I am able to stop this and allow only logged in users to access the page by using Rorschach120 's solution in Redirect on all routes to login if not authenticated .

But this is done client side and is not that secure, because anyone can access this code from browser.

So I need that the request for my page goes to server, I tried moka 's solution in How to know if user is logged in with passport.js? :

In app.js :

app.get('/restricted', loggedIn, function(req, res, next) {
// req.user - will exist
// load user orders and render them
});

where the loggedIn() function checks if user is logged in or not.

But this middleware is NEVER called and anyone can still access the "restricted" page. What can I do, so that this gets called?

I am new to AngularJS and NodeJS. Am I doing something wrong here? Any help will be appreciated.

Answer 1

You can use middleware for that purpose.

app.get('/secure-route', secureMiddleware, myMethod)

let secureMiddleware = function(req, res, next) {

    authCheck(...)
        .then(function(result) {
            // pass
            next()
        })
        .catch(function(err) {
            res.status(401).json({
                code: 401,
                message: 'restricted route'
            })
        })
}