Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
513 views
in Technique[技术] by (71.8m points)

node.js - Mongoose/Express authorisation on http verbs

I've got a node.js REST service running on mongoose and express. I'm also using merse to get my routing set up.

What I'd like to achieve now are the following types of sceanrios:

Scenario I: e.g. blogpost
- GET -> no authentication required
- POST/PUT/DELETE -> authentication required

Scenario II: e.g. user
- GET -> authentication required
- POST/PUT/DELETE -> authentication required plus username of logged in user has to match

I've allready had a look at everyauth and mongoose-auth, but couldn't find anything which would give me this kind of control.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Forget about everyauth. This library is an overkill, imho. Implementing authentication is quite simple actually, follow the schema:

  1. User passes username and password to the server;
  2. Server gets username and password and checks in DB whether there is a user with that password. If there is no user, just respond with an error;
  3. We have a user, now use built-in session mechanism of Express. Call req.session.regenerate and in the callback do req.session.userID = user.id. Express will automatically send the cookie to the user;
  4. Create a middleware (has to fire before any other request handler), which basically searches the database for req.session.userID. If it finds one, then store it in req, i.e. req.user = user;
  5. In a view you simply check whether req.user variable is set. If it is, then we are authenticated. And you're done!

ad 1+2) To make authentication safe, you should use some cryptography (and/or HTTPS). For example, the password should be held in DB in two parts: salt and hash. salt is generated randomly (at the time of registration) and hash = hash_it(pwd, salt), where hash_it is some hashing algorithm (for example: MD5 or SHA256).

Now client side authentication can be made in several steps (only if you can use JavaScript):

  1. Server sends random new_salt to the login page (or generate one in JavaScript, there is no need to hide generating algorithm);
  2. User sends AJAX request give me salt for user X and server responds with the salt stored in DB (the salt is public);
  3. On response hash pwd with salt and then hash the result again with new_salt, store it in variable hpwd;
  4. Client sends username, hpwd and new_salt to the server;
  5. Server gets pwd from DB for username, hashes pwd with new_salt and compares the result to hpwd (note: you do not store new_salt).

This method is nice, since every time you log in a random (from the external point of view) data flows through net, even though the username and the password is the same.

This is important, because password leak is a serious thing. Not because someone can break your app's account (that's a minor damage, unless you're a bank - but then you wouldn't ask such questions :D ). Mostly because people tend to use the same passwords for multiple sites, including bank accounts.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...