创建一个中间件函数来检查用户角色是否等于 'Admin'

Creating a middleware function to check if user role is equal to 'Admin'

我正在使用最新的 MEAN Stack 技术创建博客。登录用户可以创建具有 'admin' 和 'moderator.

角色的新用户

Creating a new user with an admin role or moderator role

此路由受保护,目前只有登录用户才能访问。这是用于检查用户是否已通过身份验证的中间件。

//check_auth.js

const jwt = require('jsonwebtoken');

module.exports = (req, res, next) => {
  try {
    const token = req.headers.authorization.split(' ')[1];
    jwt.verify(token,  'my_jwt_secret');
    next();
  } catch (error) {
    res.status(401).json({ message: 'Auth failed!'});
  }


};

我应用这个中间件来保护对我的一些路由的未授权访问。我想创建一个类似的中间件,我在其中检查用户是否是管理员。所以我可以在创建用户的路由上应用这个中间件,所以只有授权用户和具有 'admin' 角色的用户才能创建新用户。

我认为这有助于创建中间件。当用户登录时,id、电子邮件和角色存储在 jwt 中。 

router.post("/login", (req, res, next) => {
  let fetchedUser;
  User.findOne({ email: req.body.email })
    .then(user => {
      if (!user) {
        return res.status(401).json({
          message: "Auth failed"
        });
      }
      fetchedUser = user;
      return bcrypt.compare(req.body.password, user.password);
    })
    .then(result => {
      if (!result) {
        return res.status(401).json({
          message: "Auth failed"
        });
      }
      const token = jwt.sign(
        { email: fetchedUser.email, userId: fetchedUser._id, role: fetchedUser.role },
        "my_jwt_secret",
        { expiresIn: "1h" }
      );
      res.status(200).json({
        token: token,
        expiresIn: 3600
      });
    })
    .catch(err => {
      return res.status(401).json({
        message: "Auth failed"
      });
    });
});

完整代码可以在我的 GitHub 存储库中找到:https://github.com/rajotam/Eleven

将路由处理程序添加到所有需要验证的端点,并在需要的地方导入它。 https://expressjs.com/en/guide/routing.html

例如

router.post('/login', verify.isAdmin, (req, res, next) => {
    //do something
})

//单独文件中的验证函数

module.exports = {
    isAdmin: (req, res, next) =>{
        if(req.user.admin){
            next();
        }else{
            res.status(403).send();
        }
    }
}

完整代码示例:

https://medium.com/@maison.moa/using-jwt-json-web-tokens-to-authorize-users-and-protect-api-routes-3e04a1453c3e

https://medium.freecodecamp.org/securing-node-js-restful-apis-with-json-web-tokens-9f811a92bb52

当您创建令牌时

const token = jwt.sign(
 { email: fetchedUser.email, userId: fetchedUser._id, role: fetchedUser.role },
 "your_jwt_secret",
 { expiresIn: "1h" });

emailuserIdrole 附加有此令牌。现在您可以在令牌解码时使用它们。

在路由上应用中间件以获取用户身份验证后

 // You did this
 // jwt.verify(token,  'my_jwt_secret');
 // You need to store this into variable so that you can use them 
 // use them in going request.

 const decodedToken = jwt.verify(token,  'your_jwt_secret');

    /*
     This decodedToken holds email, userId and role
     you can pass it to req
     req.userId = decodedToken.userId
     req.email = decodedToken.email
     req.role = decodedToken.role
     next()
    */

这里只有重要的代码是 try 块

try {
    const token = req.headers.authorization.split(' ')[1];
    const decodedToken = jwt.verify(token,  'my_jwt_secret');
    req.userId = decodedToken.userId
    req.email = decodedToken.email
    req.role = decodedToken.role
    next()
 }

在你的路线上

router.post('/login', checkAuthMiddleware, (req, res, next) => {
    //Now you have userId, role and email Id to use
    const userId = req.userId
    const role = req.role
    const email = req.email
   // Now you can separate user role here
   // Write some other logic here
})

 const jwt = require("jsonwebtoken");

module.exports = (req, res, next) => {
  try {
    const token = req.headers.authorization.split(" ")[1];
    const decodedToken = jwt.verify(token, process.env.JWT_KEY);
    req.userData = { email: decodedToken.email, userId: decodedToken.userId, role: decodedToken.role};
    next();
  } catch (error) {
    res.status(401).json({ message: "You are not authenticated!" });
  }
};