Implementing login system in React.JS & Node.JS

I need to implement a login system in MERN stack in which there will be three types of logins:

  1. Admin login
  2. Student login
  3. Faculty login

The admin login will have a pre-defined username and password (say admin & admin@123 resp.) which can be changed if needed. The faculty and student will only be able to log in if the admin adds a new student or faculty from his dashboard. The student and faculty username will be the registration number from college and the password will be the date of birth.

All the tutorials that I came across are on registration and authentication, and since registration is not a part of this project, I'd like to know basically how I should go about this feature.

I am using MongoDB as the database.

You have multiple things going on here:

  1. authentication: accepting and checking a username and password
  2. authorization: once a user has authenticated herself, assigning her the appropriate privilege level (admin, faculty, student in your case).
  3. registration: in your system only the admin can register new users. This is different from some systems, which permit self-registration. Yours does not, according to your requirements.

(Important security tip: it's a seriously bad idea to use date of birth for a password. Why? If a cybercreep breaks into your database, he will have a list of names and dates of birth. Those are useful for stealing your users' identities. They are also considered personally identifiable information and so they're covered by GDPR and the California Consumer Privacy Act. But you didn't ask about that....)

Let's take your requirements one-by-one.

1 - Authentication. This is a simple username/password scheme. Use the passport module for that, with its local strategy.

2 - Authorization. When you look up the user, also look up her privilege level (again admin or faculty or student). Passport feeds your user a session cookie so they stay logged in.

Before you display any page or accept any API request or form-post from a user, check the authorization level. If the user is not permitted to use the particular feature, send back a 403 error message rather than showing the page or accepting the form.

3 - Registration. You need a form for creating / replacing / updating / deleting users (called a CRUD form). This form must be accessible only to your admin.

By the way, all this happens on your Node / Express server. Your React client must simply pass along the passport-generated session cookie with every request, so the server can look up the user to retrieve the authorization.

Thinking about your requirements in this structured fashion should help you apply the stuff you learn from various online tutorials.
