我在我的应用程序上设置了 PassportJS 身份验证,其中包含针对 Facebook、Twitter 和 Google 以及本地的策略。这是我的身份验证路由当前的样子:
// /routes/auth-routes.js
import connectRedis from 'connect-redis';
import express from 'express';
import session from 'express-session';
import uuidv4 from 'uuid/v4';
import facebook from './auth-providers/facebook';
import google from './auth-providers/google';
import local from './auth-providers/local';
import twitter from './auth-providers/twitter';
const RedisStore = connectRedis(session);
const router = express.Router();
router.use(session({
name: process.env.SESSION_COOKIE,
genid: () => uuidv4(),
cookie: {
httpOnly: true,
sameSite: 'strict',
},
secret: process.env.SESSION_SECRET,
store: new RedisStore({
host: process.env.REDIS_HOST,
port: process.env.REDIS_PORT,
ttl: 1 * 24 * 60 * 60, // In seconds
}),
saveUninitialized: false,
resave: false,
}));
// Social auth routes
router.use('/google', google);
router.use('/twitter', twitter);
router.use('/facebook', facebook);
router.use('/local', local);
// Logout
router.get('/logout', (req, res) => {
req.logout();
const cookieKeys = Object.keys(req.cookies);
if(cookieKeys.includes(process.env.USER_REMEMBER_COOKIE)) {
console.log('REMEMBER COOKIE EXISTS!');
const rememberCookie = process.env.USER_REMEMBER_COOKIE;
const sessionCookie = process.env.SESSION_COOKIE;
cookieKeys.forEach((cookie) => {
if(cookie !== rememberCookie && cookie !== sessionCookie) res.clearCookie(cookie);
});
res.redirect(req.query.callback);
} else {
console.log('NO REMEMBER');
req.session.destroy(() => {
cookieKeys.forEach((cookie) => {
res.clearCookie(cookie);
});
res.redirect(req.query.callback);
});
}
});
module.exports = router;
显然,我使用 Redis 来存储 session cookie,然后在每次重新加载页面时将其与所有其他 cookie 一起发送到服务器。这是我的问题:
这就够了吗?我不应该通过在 Redis 存储中查找来验证接收到的 session cookie 的完整性吗?但是,如果我在每次加载页面时都这样做,会不会对性能产生不利影响?处理此问题的标准方法是什么?
repo 在https://github.com/amitschandillia/proost/blob/master/web .
最佳答案
看起来您缺少与 PassportJS 与 express-session 集成的一部分。就像评论中提到的,express-session会将你的session数据存储在redis store中,它的key会存储在发送给用户的cookie中。
但是您是通过 passportJS 登录您的用户,您需要将这两个中间件连接在一起。来自 passportJS 文档:
http://www.passportjs.org/docs/configure/
Middleware
In a Connect or Express-based application, passport.initialize() middleware is required to initialize Passport. If your application uses persistent login sessions, passport.session() middleware must also be used.
app.configure(function() {
app.use(express.static('public'));
app.use(express.cookieParser());
app.use(express.bodyParser());
app.use(express.session({ secret: 'keyboard cat' }));
app.use(passport.initialize());
app.use(passport.session());
app.use(app.router);
});
关于node.js - 如何在每次页面刷新时验证 session cookie 的完整性,应该如何处理?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/57752612/