如何限制Express API的访问权限?
[英]How to limit express api access?
问题描述
I am looking for general idea on how to limit access to the api. 
我正在寻找有关如何限制对api的访问的一般想法。 I have authentication implemented and some resources are locked to authenticated users. 我已经实现了身份验证,并且某些资源被锁定到经过身份验证的用户。 But how do i make authorization and grant specific app permissions, so each user in that app can have different permissions? 但是,我如何进行授权并授予特定的应用程序权限,以便该应用程序中的每个用户可以拥有不同的权限?
ie 即
app.get('/users', (req, res) => {
var permissions = {'users_read'};
if(permissions.indexof('token_flags')!=-1){
...} else{return false}
});
or 要么
app.post('/users', permissions('users_read'), ()=>{
...
});
user1: users_read user1: users_read
user2: users_read , users_execute user2: users_read , users_execute
user3: settings_read user3: settings_read
admin1: access_all //user 1&2 and admin will get api resonse, user3 not admin1: access_all //用户1&2和admin会获得api响应,而user3不会
1 个解决方案
解决方案1
0 2016-10-21 09:03:27
you can store your pages into a object as index or key then just set the autorized users type as value in an array way 您可以将页面存储为索引或键的对象,然后以数组方式将经过授权的用户类型设置为值
var user_type = 1; // 1: user, 2: staff, 3: admin
var permissions = {
'users_read': [1, 2, 3],
'users_execute': [2, 3],
'settings_read': [3]
};
app.get('/users', (req, res) => {
var page = 'users_read';
if(permissions[page].indexOf(user_type) != -1){
// autorized
} else{
return false
}
});
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.