我不想用快递发回表单数据,但它确实如此,还是它?
[英]I don't want to send form data back with express, but it does, or does it?
问题描述
I know the title of this question might sound confusing, but my problem is actually simple.
我知道这个问题的标题可能听起来令人困惑,但我的问题实际上很简单。 I have these two handlers for /login get and post requests:我有这两个用于/login get 和 post 请求的处理程序:
loginRender(req, res) {
let options = { title: 'Login', layout: 'auth.hbs' }
res.render('login', options)
}
login (req,res){
let user = Routes.findUser(req.body.username)
let passwordCorrect = Routes.hashCompare(
req.body.password,
user.password
)
if (passwordCorrect) {
let token = Routes.jwtsign(req.body.username)
let refreshToken = Routes.jwtRefreshToken(req.body.username)
Routes.authRedirect(res, token, refreshToken)
} else {
Routes.badRequestRedirect(res, '/login')
}
}
authRedirect(res, token, refreshToken )
{
let options = {
cssPath: 'styles/querystyle.css',
}
res.cookie('access_token', `${token}`, { httpOnly: true })
res.cookie('refresh_token', `${refreshToken}`, { httpOnly: true })
res.status(200).render('query', options)
}
// app.use(urlencoded)
// app.use(cookieParser)
// app.post('/login', login)';
// app.get('/login', loginRender)
Please, ignore all unrelated stuff.请忽略所有无关的东西。
So, everytime I complete login, I get my webpage rendered and I can actually open inspector and see this:所以,每次我完成登录时,我都会呈现我的网页,我实际上可以打开检查器并看到这个:
Page Inspector页面检查器
Address line地址栏
How can I fix that?我该如何解决? I want my user to be redirected to dashboard-like page and not to receive his sensitive data in insecure form.我希望我的用户被重定向到类似仪表板的页面,而不是以不安全的形式接收他的敏感数据。
UPD UPD
there's also auth middleware that only appends req.username in case we did parse jwt successfully, and there's a little bit of interaction with it, but it does not appear on page until I go to this page manually by writing the address in address line.还有 auth 中间件,它只附加 req.username 以防我们成功解析 jwt,并且与它有一些交互,但它不会出现在页面上,直到我通过在地址行中写入地址手动转到此页面。
1 个解决方案
解决方案1
1 已采纳 2021-07-06 16:20:03
If you don't send the data to the Express server, then you can't read it in you login function and you can't authenticate the user.如果您不将数据发送到 Express 服务器,那么您将无法在login功能中读取它,也无法对用户进行身份验证。
It is not a problem is the user can use the tools in their own browser to inspect the data that they entered.这不是问题,因为用户可以使用他们自己浏览器中的工具来检查他们输入的数据。
You need it to be encrypted in transport (ie use HTTPS and not plain HTTP, at least in production) but you don't need to worry about the user finding out their own password.您需要在传输中对其进行加密(即使用 HTTPS 而不是普通的 HTTP,至少在生产中),但您无需担心用户会发现自己的密码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.