3

尝试验证令牌时遇到问题(在生成它之前我向它添加了一些数据之前它工作正常)..但现在它似乎不起作用!

这就是我在用户发送 POST 请求(登录)时生成令牌的方式

require('dotenv')
const jwt       = require('jsonwebtoken');
const bcrypt    = require('bcryptjs')
const Role      = require('../models/Role');
const Section   = require('../models/Section');
const User      = require('../models/User');

// Login !
router.post('/', async (req, res) => {

    let sections_fetched = [];


    // Validate data 
        
    // Check username
    const user = await User.findOne({username: req.body.username });
    if(!user) return res.status(400).send('Wrong user login credentials !');

    // Check password
    const is_pass_valid = await bcrypt.compare(req.body.password , user.password);
    if (!is_pass_valid) return res.status(400).send('Wrong user login credentials !');


    // Get role Object:
    const _role = await Role.findOne({_id:user.role , is_deleted:false});
    if (!_role) res.json("Failed fetching role !");


    // loop through sections   
    for (let index = 0; index < _role.sections.length; index++) {

        const tmpRole = await Section.find({_id: _role.sections[index], is_deleted:false});
        sections_fetched.push({access:tmpRole[0].access , name:tmpRole[0].name});
    }


    // create jwt token
    const token = jwt.sign({username:user.username, role:{name:_role.name, sections:sections_fetched}}, 'secret', {expiresIn : '24h'}, process.env.JWT_TOKEN_SECRET);
    res.json({token:token});

});

这是我的 JWT 验证中间件:

require('dotenv')
const jwt = require('jsonwebtoken');

module.exports = function (req, res, next) {

    const token = req.header('auth-token');

    if (!token) return res.status(401).send('Access Denied !');
    console.log(process.env.JWT_TOKEN_SECRET);
    console.log(token);

    try 
    {
        
        const verified = jwt.verify(token, process.env.JWT_TOKEN_SECRET);
        req.user = verified;  
        next();

    } 
    catch (error) 
    {
        res.status(400).send('Invalid token !');
    }
}

这是一个列出用户的简单示例(使用 JWT 验证中间件!):

const verifyToken = require('../middlewares/verifyToken'); // my jwt middleware to verify !

// Listing All users
router.get('/', verifyToken, async (req, res) => 
{
    try 
    { 
        const users = await User.find({is_deleted:false});
        res.json(users);
    }
    catch (error) 
    {
        console.log("err ->\n"+error);
        res.json({message: error});
    } 
});
4

2 回答 2

3

下面一行的“秘密”是什么?似乎您要添加两次密钥,将硬编码的单词“秘密”替换为来自 env 的令牌

const token = jwt.sign({username:user.username, role:{name:_role.name, sections:sections_fetched}}, 'secret', {expiresIn : '24h'}, process.env.JWT_TOKEN_SECRET);
于 2021-01-25T10:34:47.320 回答
0

发送不记名令牌,您的中间件应该像这样

require('dotenv')
const jwt = require('jsonwebtoken');

module.exports = (req, res, next) => {
  try {
    const token = req.headers.authorization.split(' ')[1]; // Authorization: 'Bearer TOKEN'
    if (!token) {
      throw new Error('Authentication failed!');
    }
    const verified = jwt.verify(token, process.env.JWT_TOKEN_SECRET);
    req.user = verified;  
    next();
  } catch (err) {
    res.status(400).send('Invalid token !');
  }
};

在此处输入图像描述

于 2021-01-25T10:40:07.743 回答