stackoom
  简体   繁体   中英

Expressjs authentication

 原文  2011-12-09 11:41:02       javascript/ authentication/ node.js/ express

Question

I have some questions regarding login and sessions. I have this code:

The db query: 

login: function(req,callback) {
    var query = 'SELECT id FROM users WHERE email = "' + req.body.email_login + '" AND password = "' + hashlib.sha1(req.body.password_login) + '" LIMIT 1';
    client.query(query, callback);
}

The route: 

app.post('/login', function(req, res, next) {

    users.login(req,function(err, results) {
        if (err) {
            res.render('index');
        } else if (results[0]) {
            req.session.userdata = results[0];
                req.session.is_logged_in = true;
                res.render('site/news');
        }

    }
}

Auth middleware: 

var auth = function (req, res, next) {
    if (req.session.userdata && req.session.is_logged_in === true) {
        next();
    } else {
        res.redirect('/');
    }
}

I use db store for the session.

Now my questions are:

1) Is this a safe way to do it? Or should I consider doing it some other way?

2) Say I have this URL /domain/users/1 , where the last segment is the user id which is used to fetch user data. And on that view I have a form for changing user data. Is it safe to check if the user id matches the session user id and then show the form?

In the view: 

// e.g. get the session.id from dynamichelper
if (data.userid === session.userdata.id) {
    // The form where user can change his data contained within here
}

The server is going to use SSL.

Thanks in advance

George

2 answers

solution1
 6 ACCPTED  2011-12-09 12:55:00

In the db query code, check for req.body.email_login and req.body.password_login to make sure they're not null and that they're strings. Someone could sent an empty response and that will generate an Internal Error on your side.

Also in the route, you might want to log the error and redirect the user to the /500.html page (internal error): 

if (err) {
  console.log(error);
  res.redirect('500');
} else ...

You shouldn't do this in the view: 

if(data.userid === session.userdata.id) { //The form where user can change his data contained within here }

Try instead to achieve this in the model (preferably), make a function for it and pass only one parameter to the view like so: 

res.render('view', { loggedIn: true });

The function from the model: 

function checkUser(id, session) {
  return (userid === session.userdata.id);
}
...
module.exports.checkUser = checkUser;

You can call it from the route like so (for ex): 

res.render('view', { loggedIn: model.checkUser(req.body.id, req.session); }

solution2
 1  2012-12-12 15:55:23

您可能还想看看http://passportjs.org/

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question User Authentication with ExpressJS and CouchDB Angularjs, Expressjs and passportjs for authentication checks on server side ExpressJs + Passport.js + MySQL Authentication Creating an Authentication Header in ExpressJS . Translation of Java to Javascript Authentication ExpressJS -> passportJs: Error: Can't set headers after they are sent ExpressJS and Angular - 'leaving' the app to do server-side authentication How Can I Send an Authentication Token to Expressjs from React with Firebase Auth expressjs: how to use authentication function in another file attached to server.js? ExpressJS require ExpressJS Installation
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM