This is how I do it:
Add a general rule before all routing rules to filter incoming requests, assuming it is an authenticate() function.
In the authenticate() function, extract the timestamp and token fields from the URL query. First check that the timestamp is valid, for example that it does not differ from the current time by more than 5 minutes. Then generate a token for verification based on your token rules and compare it with the token in the URL. If they match, the verification passes.
When encountering any illegal situation, immediately return res.status(400).send({ok: -1, errMsg: "<ERROR MESSAGE>"}), and finally call next() to release legitimate requests.
What does permission management mean here? If it is login verification, you can try passport. This is a token-based plug-in, and it also has a good ecosystem. Basic common verification strategies have ready-made implementations.
If you are referring to various roles, users, etc., you can try rbac.