我正在使用 passport.js 和 passport-local-mongoose。尝试登录时没有任何反应，也没有错误消息。但是注册功能一切正常，新用户会被添加到数据库中。
我也使用 helmet.js 设置了一些安全标头。
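// Middleware setup: security headers (helmet), body parsing, static files,
// the session cookie, and passport with the passport-local-mongoose strategy.

// CDN scripts allowed by CSP. Shared by the directives below so the list is
// maintained in one place.
const cdnScripts = [
  "https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js",
  "https://cdn.jsdelivr.net/npm/bootstrap@5.1.0/dist/js/bootstrap.bundle.min.js",
];

app.use(
  helmet.hsts({
    maxAge: 63072000, // two years, in seconds
    preload: true,
  })
);

app.use(
  helmet.contentSecurityPolicy({
    directives: {
      // connect-src governs fetch/XHR/WebSocket targets; the script URLs listed here
      // are kept from the original policy but only matter if the page fetches them.
      connectSrc: ["'self'", ...cdnScripts],
      defaultSrc: ["'self'", ...cdnScripts],
      fontSrc: ["'self'"],
      imgSrc: ["'self'", "data:"],
      scriptSrc: ["'self'", ...cdnScripts],
      // NOTE(review): the stylesheet is bootstrap@5.0.2 while the bundle above is
      // 5.1.0 — confirm the version mismatch is intended.
      styleSrc: ["'self'", "https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/css/bootstrap.min.css"],
      frameSrc: ["'self'", "https://www.instagram.com/", "https://www.facebook.com/"],
    },
    reportOnly: false, // enforce, do not merely report
  })
);

app.use(
  helmet.referrerPolicy({
    policy: ["strict-origin-when-cross-origin"],
  })
);
app.use(helmet.xssFilter());
app.use(helmet.noSniff());
app.use(
  helmet.frameguard({
    action: "deny",
  })
);

app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
app.use(express.static("public"));

app.use(
  session({
    secret: process.env.COOKIE_SECRET,
    // express-session deprecates leaving these at their old defaults; false avoids
    // rewriting unchanged sessions and storing sessions that hold nothing yet.
    resave: false,
    saveUninitialized: false,
    cookie: {
      // httpOnly is a cookie option. In the original it sat at the top level of the
      // session options (and was set to false), where express-session ignores it.
      httpOnly: true,
      sameSite: "lax",
      // A secure cookie is only stored by the browser over HTTPS (or behind a TLS
      // terminating proxy together with app.set("trust proxy", 1)). Over plain http
      // the login session is silently dropped, which looks like "nothing happens".
      secure: true,
    },
  })
);

app.use(passport.initialize());
app.use(passport.session());

// passport-local-mongoose supplies the LocalStrategy wired to the User model.
passport.use(User.createStrategy());

// Only the user id goes into the session; the full document is reloaded per request.
passport.serializeUser(function (user, done) {
  done(null, user.id);
});

passport.deserializeUser(function (id, done) {
  User.findById(id, function (err, user) {
    done(err, user);
  });
});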
我尝试在禁用所有安全标头的情况下登录，似乎也没有用。
登录的 POST 路由：
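// POST /login: authenticate the submitted credentials with the "local" strategy
// (registered via User.createStrategy()), then establish the session with req.login.
// Redirects to /favourite on success and back to /login on a failed attempt;
// unexpected errors are passed to Express's error handling via next().
app.post("/login", function (req, res, next) {
  const { username, password } = req.body || {};

  // bodyParser.json() is enabled, so these fields may arrive as objects rather than
  // strings. Only plain strings are meaningful credentials, and rejecting anything
  // else keeps request values from shaping a database query.
  if (typeof username !== "string" || typeof password !== "string") {
    return res.redirect("/login");
  }

  // The strategy performs the user lookup itself, so the separate User.findOne
  // pre-check (and the unused `new User(...)` it built) is not needed.
  passport.authenticate("local", function (err, user) {
    if (err) {
      // The original only logged here and never answered the request.
      console.log(err);
      return next(err);
    }
    if (!user) {
      return res.redirect("/login");
    }
    req.login(user, function (loginErr) {
      // The original ignored this error and redirected regardless.
      if (loginErr) {
        console.log(loginErr);
        return next(loginErr);
      }
      return res.redirect("/favourite");
    });
  })(req, res, next);
});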
login.ejs
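<!-- Login form. The field names "username" and "password" are the defaults
     the passport-local strategy reads, so they must stay as they are. -->
<form action="/login" method="POST">
  <div class="form-group">
    <!-- The label's for= attribute needs a matching id on the input; the
         original inputs had no id, so the labels were not associated. -->
    <label for="email">Email</label>
    <input type="email" id="email" class="form-control" name="username" autocomplete="username" required>
  </div>
  <div class="form-group">
    <label for="password">Password</label>
    <input type="password" id="password" class="form-control" name="password" autocomplete="current-password" required>
  </div>
  <button type="submit" class="my-3 btn btn-dark">Log In</button>
</form>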