1. 技术文章
  2. How to protect static folder in express with passport

How to protect static folder in express with passport

耗尽温柔 提交于 2020-07-04 05:55:40

问题


I have a project based on express with a required authentication based on passport.

The backoffice is an angularjs app served as static files.

My authentication code is completly based on https://github.com/jaredhanson/passport-local/blob/master/examples/express3-no-connect-flash/app.js

To do not serve the angular app if you are not authenticated. I have try by adding ensureAuthenticated on the /admin route but it make the route not working (404). Once I remove ensureAuthenticated the /admin is served.

app.use(express.static(path.join(__dirname, 'public')));
app.use('/admin', ensureAuthenticated, express.static(path.join(__dirname, 'admin')));
//serve routes
app.use(app.router);

The public folder contains the login page.

How could I achieve this ?


回答1:


You can check the route using middleware and redirect them if they aren't logged in and are hitting admin pages, something like (untested):

app.use(function(req, res, next) {
    if (req.user == null && req.path.indexOf('/admin') === 0)
    {
        res.redirect('/login');
    }
    next(); 
});



回答2:


Ran into same issue, this is what I ended up doing!

app.use doesn't let you chain middlewares in that way. The various app.VERB functions do, but app.use doesn't. That's for one middleware at a time.

If you split the 2 middlewares out into separate calls, you should get the results you want:

app.use('/admin', ensureAuthenticated);
app.use('/admin', express.static(path.join(__dirname, 'admin')));

Cannot use basic authentication while serving static files using express




回答3:


app.use('/admin', function(req,res,next){
 if(req.user){
   return express.static(path.join(__dirname, 'public'));
 } else {
   res.render(403, 'login', {message:'Please, login!'});
 }
});

//serve routes
app.use(app.router);



回答4:


Update for express@4.16.4+, passport-jtw@0.4.0, and passport-jwt@4.0.0

First setup a passport auth strategy. If you use a jwt, you can take a token from a query parameter, if not you can use another Extract function (or multiple using Jwt.ExtractJwt.fromExtractors())

passport.use('basic-user',
    new Jwt.Strategy({
        ...jwtConfig.options,
        jwtFromRequest: Jwt.ExtractJwt.fromUrlQueryParameter('token')
    }, verifyUser)
);

Then you can use a passport authenticate function before serving static files

app.use('/files', [
    passport.authenticate(['basic-user'], { session: false }),
    express.static(path.join(__dirname, 'files')) //make sure you access proper directory
])


来源:https://stackoverflow.com/questions/21335868/how-to-protect-static-folder-in-express-with-passport

标签
node.js
express
passport.js
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!