
Verify a JWT token string, containing 'Bearer ' with NodeJS

I send a header in the recommended form Authorization: Bearer <token> .

As it looks, the token string, which is 'Bearer <token>' , is not a token itself; the 'Bearer ' substring needs to be removed first to get the token string.

I wonder if it's a regular practice to remove it manually from code, like this:

const token = authHeaderValue.replace('Bearer ', '')

before decoding and verifying it?

Why do I need this 'Bearer ' string in my custom application?

I use this technique.

const jwt = require('jsonwebtoken'); // the snippet assumes this is in scope
// config.secret: the application's JWT signing secret, loaded elsewhere

function verifyToken(req, res, next) {
  // Header names in Express are auto-converted to lowercase
  let token = req.headers['x-access-token'] || req.headers['authorization'];

  if (token) {
    // Remove Bearer from string. Done inside the check so .replace() is
    // never called on an undefined header.
    token = token.replace(/^Bearer\s+/, "");

    jwt.verify(token, config.secret, (err, decoded) => {
      if (err) {
        return res.json({
          success: false,
          message: 'Token is not valid'
        });
      }
      req.decoded = decoded;
      next();
    });
  } else {
    return res.json({
      success: false,
      message: 'Token not provided'
    });
  }
}

Here we are stripping off any Bearer string in front of the JWT, using a regular expression. If any whitespace is included, it is stripped too.

The value Bearer in the HTTP Authorization header indicates the authentication scheme, just like Basic and Digest . It's defined in RFC 6750 .

An application can support multiple authentication schemes, so it's always recommended to check the authentication scheme first.

In token-based authentication, first ensure that the Authorization header contains the Bearer string followed by a space. If not, refuse the request. If Bearer followed by a space has been found, extract the token, which must be just after the space character.

See this answer for further details on the Bearer authentication scheme.

The Authentication request header has a format defined by the IETF.

i.e. Authentication :

Type consists of the following: Bearer, error_code, error_description.

We can send several types at once by delimiting them with the ',' character.

Bearer is an Authentication access type.

Reference: https://tools.ietf.org/html/rfc6750#page-14

I use the split function to extract the token

const jwt = require('jsonwebtoken'); // the snippet assumes this and secretkey are in scope

// await is only valid inside an async function, so this runs as async middleware
async function verifyBearer(req, res, next) {
    const bearerHeader = req.headers['authorization'];
    if (!bearerHeader) {
        return res.sendStatus(403);
    }
    else
    {
        // undefined when the header has no space, e.g. "Bearer" alone
        const bearerToken = bearerHeader.split(' ')[1];
        try {
            // without a callback, jwt.verify() throws on a missing, invalid or expired token
            let data = await jwt.verify(bearerToken, secretkey);
            req.decoded = data; // decoded payload, for later handlers
            next();
        } catch (err) {
            return res.sendStatus(403);
        }
    }
}
