logout using express and passport

為{幸葍}努か 提交于 2019-12-24 11:30:00

问题


I'm using express.js and passport-jwt, and I'm writing a middleware that checks the user on every API call and then assigns that user to req. So every time I log req.user I get my user's details, and that works fine. But when I want to log this user out, I have tried req.logout(), req.logOut(), req.destroy(), and even assigning null to req.user, and the user is still logged in. Please, I need help.

passport config

const JwtStrategy = require('passport-jwt').Strategy;
const ExtractJwt = require('passport-jwt').ExtractJwt;
var passport = require('passport')
 const User = require('../schema/userSchema')


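// Strategy options. The token is read from the `Authorization: Bearer <token>`
// header. The signing secret comes from the environment (variable name chosen
// here) so it does not live in the source; the literal fallback keeps the
// existing setup working and is only meant for local development.
var opts = {}
opts.jwtFromRequest = ExtractJwt.fromAuthHeaderAsBearerToken();
opts.secretOrKey = process.env.JWT_SECRET || 'social';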

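// Verify callback for the JWT strategy: the token's `id` claim is looked up
// in the User collection, and the matching document becomes `req.user`.
//
// `done(null, false)` reports an authentication failure (the request is
// rejected as unauthorized); `done(err)` reports a server-side error and is
// routed to Express's error handler. The original passed an error object for
// an unknown user, which turned a bad token into a server error.
exports.Strategy = new JwtStrategy(opts, async (jwt_payload, done) => {
  let user;
  try {
    user = await User.findOne({ _id: jwt_payload.id });
  } catch (err) {
    // A rejected lookup must still reach `done`; otherwise the request hangs
    // and the rejection is unhandled.
    return done(err, false);
  }
  if (!user) {
    return done(null, false);
  }
  return done(null, user);
})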

// Middleware that validates the bearer token with the 'jwt' strategy
// registered via passport.use. `session: false` keeps the API stateless:
// nothing is written to a session store, so every request must carry
// its own token.
const jwtAuthOptions = { session: false }
exports.auth = passport.authenticate('jwt', jwtAuthOptions)

server.js

var path = require('path')
var express = require('express')
var app = express()
var bodyParser = require('body-parser')
var cors = require('cors')
var passport = require('passport')
var passportmethods = require('./methods/passport')
var postRoute = require('./router/posts')
var authRoute = require('./router/auth')
var friendRoute = require('./router/friend')
var verif = require('./router/user')

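// Static uploads are resolved against this file's directory rather than the
// process working directory, so the same folder is served no matter where
// the server is started from.
app.use('/uploads', express.static(path.join(__dirname, '../backend Social/uploads')))

// NOTE(review): cors() with no options answers every origin with
// Access-Control-Allow-Origin: *; set `origin` once the client domain is known.
app.use(cors())
app.use(bodyParser.json())
// Register the JWT strategy so `passportmethods.auth` can refer to it by name.
passport.use(passportmethods.Strategy)

// /auth is mounted without the auth middleware; every other prefix requires
// a valid bearer token.
app.use('/auth', authRoute)
app.use('/post', passportmethods.auth, postRoute)
app.use('/friend', passportmethods.auth, friendRoute)
app.use('/user', passportmethods.auth, verif)

app.listen(3000, () => console.log('server on !'))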

loggedin and logout

const express = require('express');
const router = express.Router();
const logout = require('express-passport-logout');
const User = require('../schema/userSchema')




// Report the user attached to the request by the JWT middleware, or an
// error body when no user was resolved.
// NOTE(review): this sends the whole `req.user` document; if the user schema
// holds a password hash or other private fields, project them out first.
router.get('/isloggedin', (req, res, next) => {
    const current = req.user;
    if (!current) {
        res.send({ error: 'error' });
        return;
    }
    res.send(current);
})

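// Mark the caller as disconnected and clear `req.user` for this request.
//
// The auth middleware runs with `session: false`, so there is no server-side
// session for `req.logOut()` to destroy: the bearer token stays valid until
// it expires, and the client has to discard it. This handler only records the
// `connected` flag and answers. A failed database update is passed to
// Express's error handler instead of leaving the request hanging (Express 4
// does not catch rejections from async handlers).
router.get('/logout', async (req, res, next) => {
    const current = req.user;
    if (!current) {
        // Reached without a resolved user (e.g. mounted without the auth
        // middleware): answer 401 instead of throwing on `req.user._id`.
        res.status(401).send({ error: 'error' });
        return;
    }
    try {
        await User.updateOne({ _id: current._id }, { $set: { connected: false } });
    } catch (err) {
        next(err);
        return;
    }
    console.log(current._id)
    req.logOut()
    if (req.user) res.send(req.user._id)
    else res.send('logged out')
})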
// Expose the router for mounting by the app (see the app.use calls in server.js).
module.exports = router;

回答1:


From what I know, you shouldn't implement logout on the server side. Let your clients handle the logout, because the token is not stored anywhere on the server. So, to log out from the client, you simply delete the token. Also, don't store your tokens in the database unless you must, and if you do, hash them like passwords. Storing tokens in the database is risky: if the database has a security vulnerability, the intruder gains the power to do whatever they want with them.




回答2:


First, you are using the endpoint as middleware; I would try it without `next`. Then I would try `req.logout()` instead of `req.logOut()`. Also wrap your `await` call in a try/catch block — maybe there is a problem with the schema promise.



来源:https://stackoverflow.com/questions/55193862/logout-using-express-and-passport
