nodejs 项目的session验证
原文:https://www.codexpedia.com/node-js/a-very-basic-session-auth-in-node-js-with-express-js/
---------------------------------------------------------------------------------------------------------------------
Authentication is the process of verifying if the user is in fact who he/she is declared to be. Authorization is the process of determining if the user has the privileges to access the resources he/she requested.
This node.js code snippet demonstrated a very simple example of authentication and authorization process using session in express.js. There is a login endpoint, a logout endpoint and get post page. To see the post page, you have to login first, and your identity will be verified and saved in session. When you hit the logout endpoint, it will revoke your access by removing your identity from the session.
session_auth.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
var express = require( 'express' ), app = express(), session = require( 'express-session' ); app.use(session({ secret: '2C44-4D44-WppQ38S' , resave: true , saveUninitialized: true })); // Authentication and Authorization Middleware var auth = function (req, res, next) { if (req.session && req.session.user === "amy" && req.session.admin) return next(); else return res.sendStatus(401); }; // Login endpoint app.get( '/login' , function (req, res) { if (!req.query.username || !req.query.password) { res.send( 'login failed' ); } else if (req.query.username === "amy" || req.query.password === "amyspassword" ) { req.session.user = "amy" ; req.session.admin = true ; res.send( "login success!" ); } }); // Logout endpoint app.get( '/logout' , function (req, res) { req.session.destroy(); res.send( "logout success!" ); }); // Get content endpoint app.get( '/content' , auth, function (req, res) { res.send( "You can only see this after you've logged in." ); }); app.listen(3000); |
To run the above code from command line
1
2
3
|
npm install express npm install express-session node session_auth.js & |
Visit these urls in a browser
localhost:3000/content
localhost:3000/login?username=amy&password=amyspassword
localhost:3000/content
localhost:3000/logout
localhost:3000/content
Code explanation
Import express and express-session modules. Create express app and add session to express app as a middleware.
1
2
3
4
5
6
7
8
|
var express = require( 'express' ), app = express(), session = require( 'express-session' ); app.use(session({ secret: '2C44-4D44-WppQ38S' , resave: true , saveUninitialized: true })); |
Authentication and authorization middleware function. Grant the next step if the user is amy and if she has the admin access. The values to check against is hardcoded for demonstration purpose. A real web app will get the user and user access level from session, and then check against the user and user access lever from a database on the server.
1
2
3
4
5
6
7
|
// Authentication and Authorization Middleware var auth = function (req, res, next) { if (req.session && req.session.user === "amy" && req.session.admin) return next(); else return res.sendStatus(401); }; |
localhost:3000/login?username=amy&password=amyspassword, the login url to check log the user in by saving the user and user access level in a session. The session will be different for each user, and also be unique for the same user using different browsers. For example, if the same user logged in using Chrome, and the open up Firefox, the user will have to login again in FireFox in order to gain protected resources. For demonstration purpose, this is a get request and passing in the info through query parameters. A real web app will usually be using a post request and passing in the data in the post form. Again the user and passwords are hardcoded here for demonstration purpose. A real web app will check the incoming user and password against the user and password stored in a database on there server.
1
2
3
4
5
6
7
8
9
10
|
// Login endpoint app.get( '/login' , function (req, res) { if (!req.query.username || !req.query.password) { res.send( 'login failed' ); } else if (req.query.username === "amy" || req.query.password === "amyspassword" ) { req.session.user = "amy" ; req.session.admin = true ; res.send( "login success!" ); } }); |
localhost:3000/logout, logout by destroy the session. Once the session is destroyed, the user will have to hit the login url again in order to gain protected resources.
1
2
3
4
5
|
// Logout endpoint app.get( '/logout' , function (req, res) { req.session.destroy(); res.send( "logout success!" ); }); |
localhost:3000/content, get the protected contents. The auth function above is passed in the second parameters as a middleware before it proceed to serve the content to the user. If the auth function determined the user is not valid, it will not proceed to the thrid function to serve the content.
1
2
3
4
|
// Get content endpoint app.get( '/content' , auth, function (req, res) { res.send( "You can only see this after you've logged in." ); }); |
Lastly, start the app by listening on port 3000.
1
2
|
app.listen(3000); |
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】凌霞软件回馈社区,博客园 & 1Panel & Halo 联合会员上线
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 智能桌面机器人:用.NET IoT库控制舵机并多方法播放表情
· Linux glibc自带哈希表的用例及性能测试
· 深入理解 Mybatis 分库分表执行原理
· 如何打造一个高并发系统?
· .NET Core GC压缩(compact_phase)底层原理浅谈
· 手把手教你在本地部署DeepSeek R1,搭建web-ui ,建议收藏!
· 新年开篇:在本地部署DeepSeek大模型实现联网增强的AI应用
· Janus Pro:DeepSeek 开源革新,多模态 AI 的未来
· 互联网不景气了那就玩玩嵌入式吧,用纯.NET开发并制作一个智能桌面机器人(三):用.NET IoT库
· 【非技术】说说2024年我都干了些啥