我正在尝试使用用户角色保护某些路由(某些路由接受多个角色)。当我在路由处理程序中列出接受的角色时,只有列出的第一个用户角色才允许访问 - 我需要允许列出的所有角色都具有访问权限。
这是解码 JWT 令牌的身份验证中间件文件 (auth.js):
import jwt from "jsonwebtoken";
const auth = (req, res, next) => {
const token = req.header("x-auth-token");
if (!token)
return res
.status(401)
.send({ message: "Access denied. No token provided!" });
try {
const decoded = jwt.verify(token, "SomethingPrivate");
req.user = decoded;
next();
} catch (ex) {
res.status(400).send({ message: "Invalid Token." });
}
};
export const superAdmin = (req, res, next) => {
const token = req.header("x-auth-token");
if (!auth && !token)
return res.status(401).send({ message: "Access denied." });
const decoded = jwt.verify(token, "SomethingPrivate");
if (auth && decoded.role === "superAdmin") {
res.status(200);
next();
} else {
res.status(400).send({ message: "Access denied!" });
}
};
export const admin = (req, res, next) => {
const token = req.header("x-auth-token");
if (!auth && !token)
return res.status(401).send({ message: "Access denied." });
const decoded = jwt.verify(token, "SomethingPrivate");
if (auth && decoded.role === "admin") {
res.status(200);
next();
} else {
res.status(400).send({ message: "Access denied!" });
}
};
export const teacher = (req, res, next) => {
const token = req.header("x-auth-token");
if (!auth || !token)
return res.status(401).send({ message: "Access denied." });
const decoded = jwt.verify(token, "SomethingPrivate");
if (auth && decoded.role === "teacher") {
res.status(200);
next();
} else {
res.status(400).send({ message: "Access denied!" });
}
};
export const student = (req, res, next) => {
const token = req.header("x-auth-token");
if (!auth || !token)
return res.status(401).send({ message: "Access denied." });
const decoded = jwt.verify(token, "SomethingPrivate");
if (auth && decoded.role === "student") {
res.status(200);
next();
} else {
res.status(400).send({ message: "Access denied!" });
}
};
export const parent = (req, res, next) => {
const token = req.header("x-auth-token");
if (!auth) return res.status(401).send({ message: "Access denied." });
const decoded = jwt.verify(token, "SomethingPrivate");
if (auth && decoded.role === "parent") {
res.status(200);
next();
} else {
res.status(400).send({ message: "Access denied!" });
}
};
这是路由器文件(userRoute.js):
import express from "express";
import {
superAdmin,
admin,
teacher,
student,
parent,
} from "../middleware/auth.js";
const router = express.Router();
import {
view,
find,
me,
create,
edit,
update,
viewUser,
} from "../controllers/userController.js";
// Routes
router.get("/", [superAdmin, admin], view); //The route I am struggling with at the moment//
router.post("/", find);
router.get("/me", me);
router.post("/create", superAdmin, create);
router.get("/edituser/:userID", edit);
router.post("/edituser/:userID", [], update);
router.get("/viewuser/:userID", viewUser);
export { router as user };
最后,登录时签名时插入 JWT 有效负载的数据并存储在响应标头中:
const token = jwt.sign(
{
userID: result[0].userID,
firstName: result[0].firstName,
lastName: result[0].lastName,
email: result[0].email,
role: result[0].role,
},
在 userRoute.js 文件中,我尝试在该路由的每个接受的角色之间使用管道运算符,但我似乎无法将角色视为布尔值。
如有任何帮助,我们将不胜感激! (这是在不久的将来将与 React 前端配对的后端。)
中间件函数数组始终像按顺序指定路由一样工作。这意味着,如果您在其中一个中间件函数中调用
res.send(),则数组中的所有下一个函数都尚未使用。我会这样建议,例如:
用于
家长、学生、管理员访问路由的中间件export const parent = (req, res, next) => { const token = req.header("x-auth-token"); if (!auth) return res.status(401).send({ message: "Access denied." }); const decoded = jwt.verify(token, "SomethingPrivate"); if (auth && ["parent", "student", "admin"].includes(decoded.role)) { res.status(200); } else { res.status(400).send({ message: "Access denied!" }); } };仅由
admin访问的路由中间件:export const parent = (req, res, next) => { const token = req.header("x-auth-token"); if (!auth) return res.status(401).send({ message: "Access denied." }); const decoded = jwt.verify(token, "SomethingPrivate"); if (auth && ["admin"].includes(decoded.role))) { res.status(200); } else { res.status(400).send({ message: "Access denied!" }); } };