Question
I am migrating an old sails.js project which was written in 0.10.5 to 0.12.x. Since the original code was written a long time ago and may have some "non-conforming" code I decided to re-build the project by starting a new sails project and slowly migrating the models/controllers/services while keeping only necessary policies and configuration files.
So far I managed to get the project to lift and now I am starting to deal with the authentication. Ideally, I intend to move to use passport with jwt to replace existing express-jwt.
My old config/http.js looks like so:
```javascript
module.exports.http = {
  // Replace the default body parser with skipper so large uploads are accepted.
  bodyParser: function() {
    //return require('body-parser')({limit: '900mb'});
    var opts = { limit: '50mb' };
    var fn;
    // Default to built-in bodyParser:
    fn = require('skipper');
    return fn(opts);
  },
  customMiddleware: function(app) {
    var bodyParser = require('body-parser');
    var expressJwt = require('../libs/express-jwt');
    var expressJwtConfig = require('./jwt.js').jwt;
    // Allow any origin on every response.
    app.use(function(req, res, next) {
      res.setHeader("Access-Control-Allow-Origin", "*");
      next();
    });
    // Require a valid JWT for everything under /api; the middleware attaches req.user.
    app.use('/api', expressJwt({ secret: expressJwtConfig.secret }));
    app.use(bodyParser.json());
    // `extended: true` is the default; passing it explicitly avoids the deprecation warning.
    app.use(bodyParser.urlencoded({ extended: true }));
    if (process.env.NODE_ENV == 'development') {
      // just for local/development - serve static files
    }
  }
};
```
If I understand correctly (I am not well versed in the stack) this code overrides the default body parser (using skipper allowing large files - this is specified in bodyParser), and in addition, changes the middleware used:
- Includes a middleware to add Access-Control-Allow-Origin.
- For routes under '/api' it invokes the express-jwt middleware, which in this implementation (not sure it's the default behavior) looks for the token and then adds the user to the request object (which is then used in most of the controllers).
- Adds body parser's (body-parser) json and urlencoded to the middleware chain.
My question here is whether I should keep it more or less the same or should I change it? Are there any obvious anti-patterns or security risks? If I use skipper, do I need the body parser json/urlencode middleware?
Would I be able to achieve comparable flows using more standard passport/jwt code? If so, can I achieve this kind of stack with sails-auth or should I roll my own?
Answer 1:
Yes, you can remove the custom middleware. The latest pattern is easier to manage. For starters, Access-Control-Allow-Origin can be set in config/cors.js. You can use passport-jwt in a more sailsy way by making use of the sails-auth module, splitting the logic into services, using policies to manage the flow, etc. The problem with sails-auth is that the module in npm was published over a year ago. It has several bugs. The GitHub repo, though, has a stable version.
I have made a bare minimum auth server in sails, which you can extend for various passport strategies. The server supports local, bearer, JWT strategies out of the box.
Sails Auth Server
Source: https://stackoverflow.com/questions/42229717/migrating-to-sails-js-0-12-middleware-migration