[英]Big problem with security (JWT NodeJS), one token for all acces
I have a really big problem with security in my web application. 我的Web应用程序的安全性确实有很大的问题。 I implemented JWT token when user login to my application (REST API returns token).
当用户登录到我的应用程序时,我实现了JWT令牌(REST API返回令牌)。
In my jwt token, I have only userID. 在我的jwt令牌中,我只有userID。 Problem is that, when I would like to login on user with ID = 1,
问题是,当我想登录ID = 1的用户时
I can see and execute rest actions from all other users with the same token. 我可以使用相同的令牌查看并执行所有其他用户的休息操作。 for example:
例如:
When I looged userId = 1, I doing GET action: /api/users/1 and I have a information about user 1. But I can doing action /api/users/2, 3 etc. 当我发现userId = 1时,我正在执行GET操作:/ api / users / 1,并且获得了有关用户1的信息。但是我可以执行/ api / users / 2、3等操作。
All with one token. 全部带有一个令牌。 how to secure it?
如何保护它?
const jwt = require('jsonwebtoken');
const env = require('../config/env.config.js');
module.exports = (req, res, next) => {
try {
const token = req.headers.authorization.split(' ')[1];
const decoded = jwt.verify(token, env.SECRET_KEY);
req.userData = decoded;
next();
} catch (error) {
return res.status(401).json({
message: 'Auth failed',
});
}
};
I think the best solution would be to create middleware that check the id of the sender and attach it to routes, similar to bellow 我认为最好的解决方案是创建一个中间件,该中间件检查发送方的ID并将其附加到路由,类似于波纹管
const middleware = (req, res, next) => { const id = req.params.id || req.body.id || req.query.id if (req.userData.id === id) { next() } else { res.status(403).send({message: "forbidden"}) } } router.get("/api/users/:id", middleware, (req, res) => { // do your staff res.send({message: "ok"}) }) router.put("/api/users/:id", middleware, (req, res) => { // do your staff res.send({message: "ok"}) })
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.