
我正在使用 basicAuth 对特定地址上的 POST 进行身份验证。

在客户端,我使用以下形式的命令:

// Client side: POST the JSON body to the server with HTTP Basic credentials.
// The username/password pair travels base64-encoded in the Authorization
// header, which is readable (not encrypted) on plain http://, so this form is
// only suitable for a local experiment.
// NOTE(review): jQuery documents `accepts` as an object keyed by dataType
// (e.g. { json: "text/plain" }) — confirm the string form here does what is intended.
$.ajax({
        url: "http://localhost:3000/somewhere",
        type: "POST",
        contentType: "application/json; charset=UTF-8",
        dataType: "json",
        accepts: "text/plain",
        data: JSON.stringify(something),
        username: theUsername,
        password: "a password",
        success: function onSuccess(data) {
            // Echo what the server answered with; `data` is whatever jQuery parsed as JSON.
            window.alert("Received back: '" + data + "'");
        }
    });

这工作正常，因为存储在 theUsername 中的用户名通过了我在 Node 端的身份验证机制。当用户通过身份验证时，我可以打印一条 console.log 语句并查看实际上是谁通过了身份验证（我目前没有验证密码）。但随后开始对 POST 请求进行实际处理。那时，我如何才能找出原始请求中使用的用户名和密码？我试图查看请求的标头，但什么也没看到。


1 回答 1


当您收到基本身份验证请求时，您应该能够在 `req.headers.authorization` 中读取 “Authorization” 标头。您必须从中提取 base64 编码的凭据，然后对其进行解码。大概，在 Express 中您会使用 `req.header("authorization")` 或 `req.get("authorization")`。

对于一个独立的示例，请查看 https://gist.github.com/charlesdaniel/1686663 ，我在下面复制了它以供将来参考。

var http = require('http');
var crypto = require('crypto');

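// Parses an HTTP Basic credential ("Basic <base64(username:password)>") into its parts.
// Returns { username, password }, or null when the value is absent, uses another
// scheme, or is not well-formed. Returning null instead of throwing matters: the
// original code called new Buffer(tmp[1]) with tmp[1] undefined for a header such
// as "Basic" alone, which throws inside the request callback and kills the process.
function parseBasicAuth(auth) {
        if (typeof auth !== 'string') {
                return null;
        }

        // The auth-scheme token is case-insensitive; tolerate repeated whitespace.
        var parts = auth.trim().split(/\s+/);
        if (parts.length !== 2 || parts[0].toLowerCase() !== 'basic') {
                return null;
        }

        // base64 is an encoding, not encryption: the credentials are readable by
        // anyone who can see the request, so this should only run behind TLS.
        var plainAuth = Buffer.from(parts[1], 'base64').toString();

        // The user-id cannot contain ':' but the password may, so split on the
        // FIRST colon only (a plain split(':') truncates such passwords).
        var sep = plainAuth.indexOf(':');
        if (sep < 0) {
                return null;
        }
        return { username: plainAuth.slice(0, sep), password: plainAuth.slice(sep + 1) };
}

// Constant-time comparison so response timing does not reveal how many leading
// characters of a guess were right. Only the length is still observable.
function secretsEqual(a, b) {
        var bufA = Buffer.from(String(a));
        var bufB = Buffer.from(String(b));
        return bufA.length === bufB.length && crypto.timingSafeEqual(bufA, bufB);
}

// Sends a 401 with the WWW-Authenticate challenge telling the client to use Basic auth;
// used both on first contact and after a failed attempt.
function challenge(res, body) {
        res.statusCode = 401;
        res.setHeader('WWW-Authenticate', 'Basic realm="Secure Area"');
        res.end(body);
}

// Request handler: asks for credentials, validates them, and answers.
// Kept as a named function so it can be exercised with plain req/res objects
// without binding a socket.
function handleRequest(req, res) {
        // NodeJS lowercases header names in its request object.
        var auth = req.headers['authorization'];
        // Never log the raw header: it holds the (merely base64-encoded) password.
        console.log("Authorization Header present: ", Boolean(auth));

        if (!auth) {     // No Authorization header was passed in, so it's the first time the browser hit us
                challenge(res, '<html><body>Need some creds son</body></html>');
                return;
        }

        var creds = parseBasicAuth(auth);
        // Log the user-id only; the password must not reach the logs.
        console.log("Decoded Authorization user: ", creds ? creds.username : '<unparseable>');

        // A header that cannot be parsed is treated as wrong credentials, not as a crash.
        if (creds && secretsEqual(creds.username, 'hack') && secretsEqual(creds.password, 'thegibson')) {
                res.statusCode = 200;  // OK
                res.end('<html><body>Congratulations you just hax0rd teh Gibson!</body></html>');
        } else {
                // 401 makes the browser prompt again; a 403 Forbidden would reject outright instead.
                challenge(res, '<html><body>You shall not pass</body></html>');
        }
}

var server = http.createServer(handleRequest);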


// Bind port 5000; the callback runs once the server is actually listening.
server.listen(5000, function onListening() {
        console.log("Server Listening on http://localhost:5000/");
});
于 2013-10-26T01:48:29.923 回答