我想在Flatiron堆栈中实现身份验证和授权(使用Flatiron,Resourceful和Restful).我想要求用户在尝试更改资源时拥有必要的权限.在Restful Readme文件中,有一个note about authorization:
There are several ways to provide security and authorization for
accessing resource methods exposed with restful. The recommended
pattern for authorization is to use resourceful’s ability forbefore
andafterhooks. In these hooks,you can add additional business logic
to restrict access to the resource’s methods.It is not recommended to place authorization logic in the routing
layer,as in an ideal world the router will be a reflected interface
of the resource. In theory,the security of the router itself should
be somewhat irrelevant since the resource could have multiple
reflected interfaces that all required the same business logic.TL;DR; For security and authorization,you should use resourceful’s
beforeandafterhooks.
因此授权可以由Resourceful的挂钩系统处理.
我的实际问题是每个HTTP请求开始时的身份验证过程.
假设我有一个资源Post,一个User和一个资源Session. REST API是使用Restful定义的.我对这个问题的主要关注是确保用户在创建帖子时有会话.其他方法如保存,更新或其他资源(如创建用户)应该类似.
文件app.js:
var flatiron = require('flatiron');
var app = flatiron.app;
app.resources = require('./resources.js');
app.use(flatiron.plugins.http);
app.use(restful);
app.start(8080,function(){
console.log('http server started on port 8080');
});
文件resources.js:
var resourceful = require('resourceful');
var resources = exports;
resources.User = resourceful.define('user',function() {
this.restful = true;
this.string('name');
this.string('password');
});
resources.Session = resourceful.define('session',function() {
// note: this is not restful
this.use('memory');
this.string('session_id');
});
resources.Post = resourceful.define('post',function() {
this.restful = true;
this.use('memory');
this.string('title');
this.string('content');
});
resources.Post.before('create',function authorization(post,callback) {
// What should happen here?
// How do I ensure,a user has a session id?
callback();
});
还有一个runnable version of the code(感谢@generalhenry).
因此,假设一个用户试图创建一个帖子,已经被赋予了一个会话ID,它随着cookie头的每个请求一起发送.如何在前钩子(即授权回调)中访问该cookie?
该示例可以使用节点app.js启动,并且可以使用curl进行HTTP请求.
通过这种方式检查请求,您将确保每个用户都有有效的会话ID.
app.use(flatiron.plugins.http,{
before: [
connect.favicon(),connect.cookieParser('catpsy speeds'),function(req,res) {
if (req.originalUrl === undefined) {
req.originalUrl = req.url;
}
res.emit('next');
},connect.session({secret : 'secter'}),res) {
console.log('Authenticating...');
console.dir(req.session);
//any other validation logic
if (req.url !== '/login' && typeof req.session.user == 'undefined') {
res.redirect('/login');
} else {
res.emit('next');
}
}
]
});
这是project example使用这种方法.
