我正在嘗試使用使用者角色保護某些路由(某些路由接受多個角色)。當我在路由處理程序中列出接受的角色時,只有列出的第一個使用者角色才允許存取 - 我需要允許列出的所有角色都具有存取權限。
這是解碼 JWT 令牌的驗證中間件檔案 (auth.js):
import jwt from "jsonwebtoken";
const auth = (req, res, next) => {
const token = req.header("x-auth-token");
if (!token)
return res
.status(401)
.send({ message: "Access denied. No token provided!" });
try {
const decoded = jwt.verify(token, "SomethingPrivate");
req.user = decoded;
next();
} catch (ex) {
res.status(400).send({ message: "Invalid Token." });
}
};
export const superAdmin = (req, res, next) => {
const token = req.header("x-auth-token");
if (!auth && !token)
return res.status(401).send({ message: "Access denied." });
const decoded = jwt.verify(token, "SomethingPrivate");
if (auth && decoded.role === "superAdmin") {
res.status(200);
next();
} else {
res.status(400).send({ message: "Access denied!" });
}
};
export const admin = (req, res, next) => {
const token = req.header("x-auth-token");
if (!auth && !token)
return res.status(401).send({ message: "Access denied." });
const decoded = jwt.verify(token, "SomethingPrivate");
if (auth && decoded.role === "admin") {
res.status(200);
next();
} else {
res.status(400).send({ message: "Access denied!" });
}
};
export const teacher = (req, res, next) => {
const token = req.header("x-auth-token");
if (!auth || !token)
return res.status(401).send({ message: "Access denied." });
const decoded = jwt.verify(token, "SomethingPrivate");
if (auth && decoded.role === "teacher") {
res.status(200);
next();
} else {
res.status(400).send({ message: "Access denied!" });
}
};
export const student = (req, res, next) => {
const token = req.header("x-auth-token");
if (!auth || !token)
return res.status(401).send({ message: "Access denied." });
const decoded = jwt.verify(token, "SomethingPrivate");
if (auth && decoded.role === "student") {
res.status(200);
next();
} else {
res.status(400).send({ message: "Access denied!" });
}
};
export const parent = (req, res, next) => {
const token = req.header("x-auth-token");
if (!auth) return res.status(401).send({ message: "Access denied." });
const decoded = jwt.verify(token, "SomethingPrivate");
if (auth && decoded.role === "parent") {
res.status(200);
next();
} else {
res.status(400).send({ message: "Access denied!" });
}
};
這是路由器檔案(userRoute.js):
import express from "express";
import {
superAdmin,
admin,
teacher,
student,
parent,
} from "../middleware/auth.js";
const router = express.Router();
import {
view,
find,
me,
create,
edit,
update,
viewUser,
} from "../controllers/userController.js";
// Routes
router.get("/", [superAdmin, admin], view); //The route I am struggling with at the moment//
router.post("/", find);
router.get("/me", me);
router.post("/create", superAdmin, create);
router.get("/edituser/:userID", edit);
router.post("/edituser/:userID", [], update);
router.get("/viewuser/:userID", viewUser);
export { router as user };
最後,登入時簽章時插入 JWT 有效負載的資料並儲存在回應標頭中:
const token = jwt.sign(
{
userID: result[0].userID,
firstName: result[0].firstName,
lastName: result[0].lastName,
email: result[0].email,
role: result[0].role,
},
在 userRoute.js 檔案中,我嘗試在該路由的每個接受的角色之間使用管道運算符,但我似乎無法將角色視為布林值。
如有任何幫助,我們將不勝感激! (這是在不久的將來將與 React 前端配對的後端。)
中間件函數數組總是像按順序指定路由一樣工作。這意味著,如果您在其中一個中間件函數中呼叫
res.send(),則數組中的所有下一個函數都尚未使用。我會這樣建議,例如:
用於
#家長、學生、管理員存取路由的中間件export const parent = (req, res, next) => { const token = req.header("x-auth-token"); if (!auth) return res.status(401).send({ message: "Access denied." }); const decoded = jwt.verify(token, "SomethingPrivate"); if (auth && ["parent", "student", "admin"].includes(decoded.role)) { res.status(200); } else { res.status(400).send({ message: "Access denied!" }); } };僅由
admin存取的路由中間件:export const parent = (req, res, next) => { const token = req.header("x-auth-token"); if (!auth) return res.status(401).send({ message: "Access denied." }); const decoded = jwt.verify(token, "SomethingPrivate"); if (auth && ["admin"].includes(decoded.role))) { res.status(200); } else { res.status(400).send({ message: "Access denied!" }); } };