我正在使用 JSON Web 令牌进行身份验证的 MEAN 应用程序.基本上在每个请求上,我都会检查用户是否有一个有效的令牌.如果是,他们可以通过路由,否则他们将返回到登录页面.
I'm working on a MEAN application with authentication using JSON web tokens. basically on every request, I am checking to see if user has a valid token. if so they can go through to the route, otherwise they are returned to login page.
我想让某些路由/admin/etc... 只有同时也是管理员的登录用户才能访问.我在 mongo 中设置了一个 isAdmin 标志.我是 nodejs 的新手,想知道检查这个的最佳方法是什么.我是否在路线的角度侧进行?或者我可以以某种方式在身份验证时创建基于权限的令牌?作为参考,我正在关注 MEAN Machine 书中的代码,特别是这里 -
I want to make certain routes /admin/etc... only accessible to logged in users who are also admin. I have set up an isAdmin flag in mongo. I am new to nodejs and wondering what is the best way to check this. Do I do it on the angular side in routes? Or can I somehow create permission-based tokens on authentication? For reference, I am following the code from the MEAN Machine book, in particular here -
首先,授权决策必须在服务器端完成.按照您的建议在 Angular.js 的客户端执行此操作也是一个好主意,但这只是为了改善用户体验,例如不向用户显示指向他们无权访问的内容的链接.
First, authorization decisions must be done on the server side. Doing it on the client side in Angular.js as you suggested is also a good idea, but this is only for the purpose of improving the user's experience, for example not showing the user a link to something they don't have access to.
使用 JWT,您可以在令牌中嵌入关于用户的声明,如下所示:
With JWTs, you can embed claims about the user inside the token, like this:
var jwt = require('jsonwebtoken');
var token = jwt.sign({ role: 'admin' }, 'your_secret');
要映射权限以表达路由,您可以使用 connect-roles 构建干净可读的授权中间件功能.例如,假设您的 JWT 在 HTTP 标头中发送,并且您有以下(简单的)授权中间件:
To map permissions to express routes, you can use connect-roles to build clean and readable authorization middleware functions. Suppose for example your JWT is sent in the HTTP header and you have the following (naive) authorization middleware:
// Naive authentication middleware, just for demonstration
// Assumes you're issuing JWTs somehow and the client is including them in headers
// Like this: Authorization: JWT {token}
app.use(function(req, res, next) {
var token = req.headers.authorization.replace(/^JWT /, '');
jwt.verify(token, 'your_secret', function(err, decoded) {
if(err) {
} else {
req.user = decoded;
With that, you can enforce your authorization policy on routes, like this:
var ConnectRoles = require('connect-roles');
var user = new ConnectRoles();
user.use('admin', function(req) {
return req.user && req.user.role === 'admin';
app.get('/admin', user.is('admin'), function(req, res, next) {
请注意,发行 & 有更好的选择.验证 JWT,例如 express-jwt,或使用 passport 与 passort-jwt
Note that there are much better options for issuing & validating JWTs, like express-jwt, or using passport in conjunction with passort-jwt
这篇关于Node.js/Angular.js 管理员授权路由的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!