
How to add “authorization” check to selective API's in NodeJs?

I have a React + Node based project where I build all my React based components into a dist/ directory, then upload this directory to the server and serve it via the Node.js express.static() method.

server.use(express.static(__dirname + '/dist'))

I have also written a Node middleware which captures every request and checks whether an auth token is passed to it or not.

users.use(function(req, res, next) {
    const token = req.headers.authorization
    if (token) {
        jwt.verify(token, process.env.SECRET_KEY, function(err) {
            if (err) {
                res.status(400).json({message : err})
            } else {
                next();
            }
        });
    } else {
        res.status(400).json({message : 'Please send a token'})
    }
})

But the issue that I am now facing is that when I open a URL such as http://localhost:3001/dashboard, the Node middleware also captures it and checks for a token instead of rendering my web view.

How do I differentiate between web view requests and other server requests in Node.js?

If you need to check auth for only some specific APIs, you can do it in the following 3 ways:

  1. Write all the functions (APIs) that don't use auth above/before your auth check function:


users.get('/yourAPI1', function(req, res, next) {
    //Do your stuff
});

users.get('/yourAPI2', function(req, res, next) {
    //Do your stuff
});

users.get('/yourAPI3', function(req, res, next) {
    //Do your stuff
});

users.use(function(req, res, next) {
    const token = req.headers.authorization
    if (token) {
        jwt.verify(token, process.env.SECRET_KEY, function(err) {
            if (err) {
                res.status(400).json({message : err})
            } else {
                next();
            }
        });
    } else {
        res.status(400).json({message : 'Please send a token'})
    }
});

//Now those functions which need auth checks
users.post('/yourAPI4', function(req, res, next) {
    //Do your stuff
});

users.post('/yourAPI5', function(req, res, next) {
    //Do your stuff
});


  2. Modify your auth function to skip all GET APIs. NOTE: use this only if you use GET to load HTML pages and not to fetch data such as search results or any other info.


users.use(function(req, res, next) {
    //Just a check for `GET` API
    if(req.method === 'GET') {return next();}

    const token = req.headers.authorization
    if (token) {
        jwt.verify(token, process.env.SECRET_KEY, function(err) {
            if (err) {
                res.status(400).json({message : err})
            } else {
                next();
            }
        });
    } else {
        res.status(400).json({message : 'Please send a token'})
    }
});


  3. Call the auth function only from those APIs which need to check auth, like:


// Reusable middleware: verifies the token, then hands off to the next handler
function checkAuth (req, res, next) {

    const token = req.headers.authorization
    if (token) {
        jwt.verify(token, process.env.SECRET_KEY, function(err) {
            if (err) {
                res.status(400).json({message : err})
            } else {
                next();
            }
        });
    } else {
        res.status(400).json({message : 'Please send a token'})
    }
}

//Escaping auth check
users.get('/yourAPI6', function(req, res, next) {
    //Do your stuff
});

//Need auth for this
users.get('/yourAPI7', checkAuth, function(req, res, next) {
    //Do your stuff
});

users.post('/yourAPI8', function(req, res, next) {
    //Do your stuff
});

users.post('/yourAPI9', checkAuth, function(req, res, next) {
    //Do your stuff
});

users.put('/yourAPI10', function(req, res, next) {
    //Do your stuff
});

users.put('/yourAPI11', checkAuth, function(req, res, next) {
    //Do your stuff
});


Out of all these I would prefer the 3rd one, as it gives you the flexibility to use it as a function anywhere you need it.

You need to add a fallback for all your other routes that points to your index.html, or whatever your start page is.

/*  route to static files */
server.use('/static-route-here', express.static(__dirname + '/static-folder-here'))

/* multiple definitions of other server routes */
server.get('/api/*', authMiddleWare, (req, res) => {
  /*do api stuff here*/
})

/* anything else is redirected to index.html */
server.get('*', (req, res) => {
  res.sendFile(__dirname + '/index.html');
})

The technical post webpages of this site follow the CC BY-SA 4.0 protocol.