
A simple site with the possibility of authorization on node.js

In this article I will try to describe how to build a simple site with authorization using node.js and connect, i.e. one where part of the content is available to everyone and part only to registered users. Since express.js is built on top of connect, almost everything written here applies to it as well.
I assume you already know what node.js is and how to work with it. I also assume you already have a simple site with a main page and a couple of extra ones. Here is the source of such a site, the example for this article.

Theory

There is such a thing as a session: the period of time during which a user is on the site. A session begins when the user first opens the site in the browser and ends when it expires (or when the site decides to terminate it). Each session is associated with a specific data set:

To solve our problem we need two tables in the database: one for storing session data and one for information about users. Strictly speaking, "database table" is not quite accurate here, because the information may live in different places. For example, all session parameters can be stored in the cookie itself (or in the application's memory, although that is not a good idea). User data can come from outside if users sign in via OpenID / OAuth.

Connect

Connect takes over all the work of creating a session. To enable it, add two rules:
 // cookies first, then the session middleware that depends on them
 app.use(connect.cookieParser());
 app.use(connect.session({ secret: 'your secret here' }));

Order matters, and both rules must be defined before the routes. The first rule provides cookie handling in general. The second adds a session field to the ordinary request object, through which the session data is available (this will become clearer with the examples below). Two things to keep in mind: the secret is what signs the session cookie, so it must be a long random value that is not committed to the repository, and unless you pass a store, connect keeps sessions in the process's memory, which is lost on restart and does not scale beyond one process.

connect.session takes the following parameters:

Authorization

As already mentioned, connect adds a session field to every request, but by default there is nothing interesting in it. Once we have somehow "recognized" the user (in practice, once he has entered the correct password), we have to add information about him to the session. Something like this (request.body is filled in by connect.bodyParser(), which also has to be registered before the routes):
 // demo only: a hard-coded login and password stand in for a real user lookup
 if ((request.body.login === 'Thor') && (request.body.password === '111')) {
     request.session.authorized = true;
     request.session.username = request.body.login;
     console.log('Thor is here!');
 }

In principle, the single username variable would suffice (as is done in the article I refer to). But then the check for whether the user is authorized looks ugly:
 if (typeof req.session.username == 'undefined') {
     // not authorized
 }

When the user wants to log out, it is enough to delete the fields we added:
 delete req.session.authorized;
 delete req.session.username;

For a full cleanup there is the session.destroy() method. It removes the session from the store and from the current request; on the next request a fresh, empty session is created. It is also the safer choice for logout, since it throws away everything in the session rather than only the fields you remembered to delete.
Access control

The most obvious solution is to check request.session.authorized every time a protected page is generated. That is in fact what the article I have already referred to does. The problem is that this goes against the "layered" ideology of connect. It is better to add a dedicated rule that checks the user's rights and, if something is wrong, redirects to the login page. The idea is described here; in our case it looks like this. Note that the rule must be registered after the session middleware and before the routes, that it matches on the path only (the query string is ignored), and that a URL matching none of the patterns gets a 404, so the list is fail-closed: a page you forget to list is simply not served.
 var url = require('url');

 // the site's URL map: which paths exist and which of them require login
 var siteUrls = [
     {pattern: '^/login/?$', restricted: false},
     {pattern: '^/logout/?$', restricted: true},
     {pattern: '^/$', restricted: false},
     {pattern: '^/single/\\w+/?$', restricted: true}
 ];

 function authorizeUrls(urls) {
     function authorize(req, res, next) {
         var requestedUrl = url.parse(req.url).pathname;
         for (var ui in urls) {
             var pattern = urls[ui].pattern;
             var restricted = urls[ui].restricted;
             if (requestedUrl.match(pattern)) {
                 if (restricted) {
                     if (req.session.authorized) {
                         // restricted page, user is logged in: let the request through
                         next();
                         return;
                     } else {
                         // restricted page, user is not logged in: send to the login form
                         res.writeHead(303, {'Location': '/login'});
                         res.end();
                         return;
                     }
                 } else {
                     // public page
                     next();
                     return;
                 }
             }
         }
         // no rule matched: the page does not exist
         console.log('common 404 for ', req.url);
         res.end('404: there is no ' + req.url + ' here');
     }
     return authorize;
 }

 app.use('/', authorizeUrls(siteUrls));
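The following is an added example, not the article's code: the same URL-list rule written as a connect-style middleware, with the patterns compiled once, the query string stripped before matching, an explicit 404 status for unmatched paths, and a small simulate() helper (an assumption of this example, not a connect API) that stands in for the request and response objects and records what the middleware decided for a given path and session. It runs without connect installed.

```javascript
'use strict';
// Added example, not the article's code. A connect-style access-control
// middleware: first matching rule wins, restricted rules require
// req.session.authorized === true, and paths with no rule get a 404.

// Same rule list as in the article.
const siteUrls = [
  { pattern: '^/login/?$', restricted: false },
  { pattern: '^/logout/?$', restricted: true },
  { pattern: '^/$', restricted: false },
  { pattern: '^/single/\\w+/?$', restricted: true }
];

function authorizeUrls(urls) {
  // Compile each pattern once instead of on every request.
  const rules = urls.map((u) => ({ re: new RegExp(u.pattern), restricted: u.restricted }));

  return function authorize(req, res, next) {
    // Decide on the path alone; the query string must not change which rule applies.
    const pathname = req.url.split('?', 1)[0];

    for (const rule of rules) {
      if (!rule.re.test(pathname)) {
        continue;
      }
      const loggedIn = !!req.session && req.session.authorized === true;
      if (!rule.restricted || loggedIn) {
        return next();
      }
      // Restricted page, no authorized session: send the browser to the login form.
      res.writeHead(303, { 'Location': '/login' });
      return res.end();
    }

    // No rule matched: fail closed with a real 404 status, never fall through.
    res.writeHead(404, { 'Content-Type': 'text/plain' });
    res.end('404: there is no ' + pathname + ' here');
  };
}

// Stand-in for a connect request/response pair (an assumption of this
// example, not a connect API): runs the middleware for one request and
// records whether it called next() or which status/Location it wrote.
function simulate(middleware, reqUrl, session) {
  const result = { next: false, status: null, location: null };
  const req = { url: reqUrl, session: session };
  const res = {
    writeHead(status, headers) {
      result.status = status;
      result.location = headers && headers['Location'] ? headers['Location'] : null;
    },
    end() {}
  };
  middleware(req, res, () => { result.next = true; });
  return result;
}

const authorize = authorizeUrls(siteUrls);

// The four outcomes, on constructed requests.
console.log(simulate(authorize, '/single/post1?x=1', { authorized: true })); // passes to next()
console.log(simulate(authorize, '/single/post1', {}));                       // 303 -> /login
console.log(simulate(authorize, '/', undefined));                            // public, next()
console.log(simulate(authorize, '/admin', { authorized: true }));            // 404, not listed
```

In a real application the middleware returned by authorizeUrls(siteUrls) is what you pass to app.use('/', ...), after the session middleware and before the routes; simulate() exists only so the decision logic can be exercised without a running server.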


That's all. I hope this helps someone.

Source: https://habr.com/ru/post/145970/

