node implements token-based authentication
This article mainly introduces node to implement token-based authentication. Now I share it with everyone. Friends in need can refer to it.
I have recently studied token-based authentication and introduced this mechanism. Integrated into personal projects. Nowadays, the authentication method of many websites has shifted from the traditional seesion cookie to token verification. Compared with traditional verification methods, tokens do have better scalability and security.
Traditional session cookie authentication
Because HTTP is stateless, it does not record the user's identity. After the user sends the account and password to the server, the background passes the verification, but the status is not recorded, so the next user's request still needs to verify the identity. In order to solve this problem, it is necessary to generate a record containing the user's identity on the server side, that is, session, and then send this record to the user and store it locally in the user's local area, that is, cookie. Next, the user's request will bring this cookie. If the client's cookie and the server's session can match, it means that the user's identity authentication has passed.
Token identity verification
The process is roughly as follows:
When making the first request, the user sends the account number and password
If the background verification passes, a time-sensitive token will be generated, and then this token will be sent to the user.
After the user obtains the token, Store this token locally, usually in localstorage or cookie
. Each subsequent request will add this token to the request header, and all interfaces that need to verify identity will be checked. Verify the token. If the data parsed by the token contains user identity information, the identity verification is passed.
Compared with traditional verification methods, token verification has the following advantages:
In token-based authentication, the token is transmitted through the request header. Instead of storing authentication information in session or cookie. This means stateless. You can send requests to the server from any terminal that can send HTTP requests.
Can avoid CSRF attacks
When the session is read, written or deleted in the application, a file operation will occur in temp folder of the operating system, at least the first time. Assume there are multiple servers and the session is created on the first service. When you send the request again and the request lands on another server, the session information does not exist and you get an "unauthenticated" response. I know, you can solve this problem with a sticky session. However, in token-based authentication, this problem is naturally solved. There is no sticky session problem because the request token is intercepted on every request sent to the server.
The following is an introduction to using node jwt (jwt tutorial) to build a simple token identity verification
Example
When a user When logging in for the first time, submit the account and password to the server. If the server passes the verification, the corresponding token will be generated. The code is as follows:
const fs = require('fs');
const path = require('path');
const jwt = require('jsonwebtoken');
//生成token的方法
function generateToken(data){
let created = Math.floor(Date.now() / 1000);
let cert = fs.readFileSync(path.join(__dirname, '../config/pri.pem'));//私钥
let token = jwt.sign({
data,
exp: created + 3600 * 24
}, cert, {algorithm: 'RS256'});
return token;
}
//登录接口
router.post('/oa/login', async (ctx, next) => {
let data = ctx.request.body;
let {name, password} = data;
let sql = 'SELECT uid FROM t_user WHERE name=? and password=? and is_delete=0', value = [name, md5(password)];
await db.query(sql, value).then(res => {
if (res && res.length > 0) {
let val = res[0];
let uid = val['uid'];
let token = generateToken({uid});
ctx.body = {
...Tips[0], data: {token}
}
} else {
ctx.body = Tips[1006];
}
}).catch(e => {
ctx.body = Tips[1002];
});
});The user passes the verification Store the obtained token locally:
store.set('loginedtoken',token);//store为插件
After the client requests an interface that requires identity verification, the token will be placed in the request header and passed to the server. :
service.interceptors.request.use(config => {
let params = config.params || {};
let loginedtoken = store.get('loginedtoken');
let time = Date.now();
let {headers} = config;
headers = {...headers,loginedtoken};
params = {...params,_:time};
config = {...config,params,headers};
return config;
}, error => {
Promise.reject(error);
})The server intercepts tokens and verifies the legitimacy of all interfaces that require login.
function verifyToken(token){
let cert = fs.readFileSync(path.join(__dirname, '../config/pub.pem'));//公钥
try{
let result = jwt.verify(token, cert, {algorithms: ['RS256']}) || {};
let {exp = 0} = result,current = Math.floor(Date.now()/1000);
if(current <= exp){
res = result.data || {};
}
}catch(e){
}
return res;
}
app.use(async(ctx, next) => {
let {url = ''} = ctx;
if(url.indexOf('/user/') > -1){//需要校验登录态
let header = ctx.request.header;
let {loginedtoken} = header;
if (loginedtoken) {
let result = verifyToken(loginedtoken);
let {uid} = result;
if(uid){
ctx.state = {uid};
await next();
}else{
return ctx.body = Tips[1005];
}
} else {
return ctx.body = Tips[1005];
}
}else{
await next();
}
});The public key and private key used in this example can be generated by yourself. The operation is as follows:
Open the command line Tool, enter openssl, open openssl;
Generate private key: genrsa -out rsa_private_key.pem 2048
Generate public key: rsa -in rsa_private_key.pem -pubout -out rsa_public_key.pem
Click here to view the node back-end code
Click here to view the front-end code
Related recommendations:
node explains the process analysis of executing js
The above is the detailed content of node implements token-based authentication. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How to solve the problem of invalid login token
Sep 14, 2023 am 10:57 AM
The problem of invalid login token can be solved by checking the network connection, checking the token validity period, clearing cache and cookies, checking login status, contacting the application developer and strengthening account security. Detailed introduction: 1. Check the network connection, reconnect to the network or change the network environment; 2. Check the token validity period, obtain a new token, or contact the developer of the application; 3. Clear cache and cookies, clear browser cache and Cookie, and then log in to the application again; 4. Check the login status.
How to delete node in nvm
Dec 29, 2022 am 10:07 AM
How to delete node with nvm: 1. Download "nvm-setup.zip" and install it on the C drive; 2. Configure environment variables and check the version number through the "nvm -v" command; 3. Use the "nvm install" command Install node; 4. Delete the installed node through the "nvm uninstall" command.
How to use express to handle file upload in node project
Mar 28, 2023 pm 07:28 PM
How to handle file upload? The following article will introduce to you how to use express to handle file uploads in the node project. I hope it will be helpful to you!
What to do if the login token is invalid
Sep 14, 2023 am 11:33 AM
Solutions to invalid login token include checking whether the Token has expired, checking whether the Token is correct, checking whether the Token has been tampered with, checking whether the Token matches the user, clearing the cache or cookies, checking the network connection and server status, logging in again or requesting a new Token. Contact technical support or developers, etc. Detailed introduction: 1. Check whether the Token has expired. The login Token usually has a validity period set. Once the validity period exceeds, it will be considered invalid, etc.
How to solve the problem of storing user tokens in Redis
May 31, 2023 am 08:06 AM
Redis stores user tokens. When designing a system similar to e-commerce, a common requirement is that each page needs to carry logged-in user information. There are two common solutions: using cookies to save and using JWT to save. But if Redis cache is used in the system, there is also a third solution - caching the user token in Redis. Generate a token when logging in and store it in Redis //Generate a token object and save it in redis redisTemplate.opsForHash().put("token","user",user)
How Vue3+Vite uses dual tokens to achieve senseless refresh
May 10, 2023 pm 01:10 PM
1. Token login authentication jwt: JSONWebToken. It is an authentication protocol that is generally used to verify the requested identity information and identity permissions. Composed of three parts: Header, Hayload, Signatureheader: that is, the header information, which is the basic information describing this token, json format {"alg":"HS256", //indicates the signature algorithm, the default is HMACSHA256 (written as HS256) "type":"JWT"//Indicates the type of Token. JWT tokens are uniformly written as JWT}pa
An in-depth analysis of Node's process management tool 'pm2”
Apr 03, 2023 pm 06:02 PM
This article will share with you Node's process management tool "pm2", and talk about why pm2 is needed, how to install and use pm2, I hope it will be helpful to everyone!
Pi Node Teaching: What is a Pi Node? How to install and set up Pi Node?
Mar 05, 2025 pm 05:57 PM
Detailed explanation and installation guide for PiNetwork nodes This article will introduce the PiNetwork ecosystem in detail - Pi nodes, a key role in the PiNetwork ecosystem, and provide complete steps for installation and configuration. After the launch of the PiNetwork blockchain test network, Pi nodes have become an important part of many pioneers actively participating in the testing, preparing for the upcoming main network release. If you don’t know PiNetwork yet, please refer to what is Picoin? What is the price for listing? Pi usage, mining and security analysis. What is PiNetwork? The PiNetwork project started in 2019 and owns its exclusive cryptocurrency Pi Coin. The project aims to create a one that everyone can participate
