PassportJS - Is it possible to change req.user for another user?

Submitted by 混江龙づ霸主 on 2019-12-07 09:03:10

Question


In my application, I have implemented the ability to change a user's permissions, rank, etc. It works great: if I update my own permissions, I can see the changes instantly since I can update the req.user object via req.login(). The problem is, when I update another user's permissions, it updates in the database just fine, but the user will have to relog to see their permissions change, since req.user still thinks they don't have the permission. This is fine if they're not logged in, of course, but if they are, I'd like the change to be reflected immediately for them if possible.

So I'm wondering if there's a way to update another user's req.user object so they can see their permissions change right away without having to log out and back in?

Or possibly a way to logout and login that user before returning?


Answer 1:


Since the permissions are in your own database then sure you can, but how to do it depends on your app.

Given you are using sessions, the object stored in req.user is loaded separately for every HTTP request by the function you provided with passport.deserializeUser. Often you would store the user ID in the session in passport.serializeUser, and then retrieve the user from the database by that ID in deserializeUser. Thus, whenever a request is being handled in the backend you would generally have the latest information in req.user, including the permissions. Naturally your frontend also needs to somehow get the new permissions and adjust itself (e.g. if you add admin rights to a user, you probably would want them to see the admin options in the UI).

You could of course just pass the whole user object to the session store and skip one database call per request, i.e. using these:

passport.serializeUser(function(user, cb) { cb(null, user); });
passport.deserializeUser(function(user, cb) { cb(null, user); });

for session handling. If you do this then the database changes are not reflected in the req.user object. If the user updated their own information you could just call req.logIn(...), but you cannot call that for other users. You can work around this though, e.g. notify the user in question over a websocket and make their browser call a route that calls req.logIn with the latest user object, or dig into the session store and manipulate the data there directly.

Or, since forcing a logout is an option, you could follow enRaiser's answer and locate the user's sessions in the session store and delete them all, which is effectively logging out the user from the backend. You can go through the sessions via the API, or if you use a database (e.g. connect-mongo or connect-redis) for the session store you can also open another connection to the same database and use normal search and destroy methods. Again, you still need to handle the logout in the frontend by yourself somehow.




Answer 2:


You can try to delete the session, or regenerate the sessionID, but this will force that user to re-login.

In case your sessions are stored in MongoDB, then you can check the collection named app_sessions, and it has a field named userId.

In Express session there is a module called store, and it provides many APIs to find a session by sessionID, but unfortunately no API to find a session by userID.

So if you want to use the session store API then you can call store.all, which will give all sessions. But this is a really cruel method, because I don't know how much data it may be holding.
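The following is an added example, not code from the question or either answer. It simulates the two session strategies contrasted in answer 1 (ID-only versus whole-object serialization) and the store.all scan described in answer 2, using a constructed in-memory users table and a minimal in-memory session store that mimics the express-session store callbacks, so it runs without passport or express-session installed.

```javascript
// Added example, not code from the question or the answers. It simulates the
// ID-only vs whole-object session strategies and a store.all session scan.

// Fresh constructed "users table" per scenario; permissions live here, not in the session.
const freshDb = () => new Map([[1, { id: 1, name: 'alice', permissions: ['read'] }]]);

// Strategy A: serialize only the ID and reload the record on every request.
const byId = {
  serialize: (db, user, cb) => cb(null, user.id),
  deserialize: (db, id, cb) => cb(null, db.get(id)),
};
// Strategy B: put the whole object in the session (stored as JSON, as a real
// session store would), so nothing ever reloads it from the database.
const wholeObject = {
  serialize: (db, user, cb) => cb(null, JSON.parse(JSON.stringify(user))),
  deserialize: (db, obj, cb) => cb(null, obj),
};

// Log user 1 in, grant 'admin' in the database afterwards, then handle one
// more request. Returns the permissions req.user would show on that request.
function permissionsSeenAfterUpdate(strategy) {
  const db = freshDb();
  let sessionPayload, seen;
  strategy.serialize(db, db.get(1), (_e, p) => { sessionPayload = p; });
  db.get(1).permissions.push('admin');              // the admin's DB update
  strategy.deserialize(db, sessionPayload, (_e, u) => { seen = u.permissions; });
  return seen;
}

// Minimal store exposing the express-session callbacks the answers mention.
class MemorySessionStore {
  constructor() { this.sessions = new Map(); }
  set(sid, sess, cb) { this.sessions.set(sid, sess); if (cb) cb(null); }
  all(cb) { cb(null, Object.fromEntries(this.sessions)); }
  destroy(sid, cb) { this.sessions.delete(sid); if (cb) cb(null); }
}

// Force-logout of another user: walk every session via store.all (there is no
// lookup by user ID) and destroy those whose passport payload is that user.
function destroySessionsForUser(store, userId) {
  let destroyed = 0;
  store.all((err, sessions) => {
    if (err) throw err;
    for (const [sid, sess] of Object.entries(sessions)) {
      if (sess.passport?.user === userId) { store.destroy(sid); destroyed += 1; }
    }
  });
  return destroyed;
}
```

Passport keeps the serialized user under session.passport.user, which is why the scan compares that field; a real store.all call is asynchronous and returns every session, so on a large store the database-side query answer 1 suggests is the cheaper route.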



Source: https://stackoverflow.com/questions/39193579/passportjs-is-it-possible-to-change-req-user-for-another-user
