最新消息:雨落星辰是一个专注网站SEO优化、网站SEO诊断、搜索引擎研究、网络营销推广、网站策划运营及站长类的自媒体原创博客

javascript - Expressjs authentication - Stack Overflow

programmeradmin1浏览0评论

I have some questions regarding login and sessions. I have this code:

The db query:

login: function(req,callback) {
    var query = 'SELECT id FROM users WHERE email = "' + req.body.email_login + '" AND password = "' + hashlib.sha1(req.body.password_login) + '" LIMIT 1';
    client.query(query, callback);
}

The route:

app.post('/login', function(req, res, next) {

    users.login(req,function(err, results) {
        if (err) {
            res.render('index');
        } else if (results[0]) {
            req.session.userdata = results[0];
                req.session.is_logged_in = true;
                res.render('site/news');
        }

    }
}

Auth middleware:

var auth = function (req, res, next) {
    if (req.session.userdata && req.session.is_logged_in === true) {
        next();
    } else {
        res.redirect('/');
    }
}

I use db store for the session.

Now my questions are:

1) Is this a safe way to do it? Or should I consider doing it some other way?

2) Say I have this URL /domain/users/1, where the last segment is the user id which is used to fetch user data. And on that view I have a form for changing user data. Is it safe to check if the user id matches the session user id and then show the form?

In the view:

// e.g. get the session.id from dynamichelper
if (data.userid === session.userdata.id) {
    // The form where user can change his data contained within here
}

The server is going to use SSL.

Thanks in advance

George

I have some questions regarding login and sessions. I have this code:

The db query:

login: function(req,callback) {
    var query = 'SELECT id FROM users WHERE email = "' + req.body.email_login + '" AND password = "' + hashlib.sha1(req.body.password_login) + '" LIMIT 1';
    client.query(query, callback);
}

The route:

app.post('/login', function(req, res, next) {

    users.login(req,function(err, results) {
        if (err) {
            res.render('index');
        } else if (results[0]) {
            req.session.userdata = results[0];
                req.session.is_logged_in = true;
                res.render('site/news');
        }

    }
}

Auth middleware:

var auth = function (req, res, next) {
    if (req.session.userdata && req.session.is_logged_in === true) {
        next();
    } else {
        res.redirect('/');
    }
}

I use db store for the session.

Now my questions are:

1) Is this a safe way to do it? Or should I consider doing it some other way?

2) Say I have this URL /domain/users/1, where the last segment is the user id which is used to fetch user data. And on that view I have a form for changing user data. Is it safe to check if the user id matches the session user id and then show the form?

In the view:

// e.g. get the session.id from dynamichelper
if (data.userid === session.userdata.id) {
    // The form where user can change his data contained within here
}

The server is going to use SSL.

Thanks in advance

George

Share Improve this question edited Mar 8, 2017 at 13:37 Mouneer 13.5k3 gold badges37 silver badges45 bronze badges asked Dec 9, 2011 at 11:41 georgesampergeorgesamper 5,1795 gold badges44 silver badges59 bronze badges
Add a ment  | 

2 Answers 2

Reset to default 6

In the db query code, check for req.body.email_login and req.body.password_login to make sure they're not null and that they're strings. Someone could sent an empty response and that will generate an Internal Error on your side.

Also in the route, you might want to log the error and redirect the user to the /500.html page (internal error):

if (err) {
  console.log(error);
  res.redirect('500');
} else ...

You shouldn't do this in the view:

if(data.userid === session.userdata.id) { //The form where user can change his data contained within here }

Try instead to achieve this in the model (preferably), make a function for it and pass only one parameter to the view like so:

res.render('view', { loggedIn: true });

The function from the model:

function checkUser(id, session) {
  return (userid === session.userdata.id);
}
...
module.exports.checkUser = checkUser;

You can call it from the route like so (for ex):

res.render('view', { loggedIn: model.checkUser(req.body.id, req.session); }

You might also want to look at http://passportjs/

发布评论

评论列表(0)

  1. 暂无评论