Q.Passport.js

Authentication middleware for Node.

Authenticating requests is as simple as calling passport.authenticate()

By default, if authentication fails, Passport will respond with a 401 Unauthorized status, and any additional route handlers will not be invoked. If authentication succeeds, the next handler will be invoked and the req.user property will be set to the authenticated user.

Configure
  1. Authentication strategies
  2. Application middleware
  3. Sessions (optional)

Q. Authentication strategies

Define our local strategy:

const crypto = require('crypto')
const passport = require('passport')
const LocalStrategy = require('passport-local').Strategy

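// Local (username/password) strategy. The verify callback receives the
// credentials posted to the login route and must call done() exactly once:
//   done(err)                -> lookup failed (e.g. a database error)
//   done(null, false, info)  -> credentials rejected; info.message says why
//   done(null, user)         -> authenticated; `user` becomes req.user
//
// NOTE(review): findUser() is defined elsewhere in this project; the record it
// returns is assumed to carry the password in `user.password` (see the
// comparison below) — confirm the field name against the data model.
const localStrategy = new LocalStrategy(
  function (username, password, done) {
    // Log only the username: the submitted password must never reach log output.
    console.log("LocalStrategy -- username is [%s]", username);

    findUser(username, function (err, user) {
      // A lookup error is not an authentication failure; surface it so the
      // caller sees an error rather than a misleading "Invalid user".
      if (err) {
        return done(err);
      }

      if (user == null) {
        return done(null, false, { message: 'Invalid user' });
      }

      if (!passwordsMatch(user.password, password)) {
        return done(null, false, { message: 'Invalid password' });
      }

      return done(null, user);
    });
  }
);

// Compares the stored password with the supplied one in constant time for
// equal-length inputs, so response timing does not reveal how many leading
// characters matched. Non-string inputs never match, which keeps the old
// behaviour for records without a password field.
// TODO(review): the record currently holds the password in clear text; store a
// salted hash instead (e.g. crypto.scrypt) and compare hashes here.
function passwordsMatch(stored, supplied) {
  if (typeof stored !== 'string' || typeof supplied !== 'string') {
    return false;
  }
  const storedBuf = Buffer.from(stored);
  const suppliedBuf = Buffer.from(supplied);
  if (storedBuf.length !== suppliedBuf.length) {
    return false;
  }
  return crypto.timingSafeEqual(storedBuf, suppliedBuf);
}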

Strategies, and their configuration, are supplied via the use() function

// Register the strategy under the name 'local'; passport.authenticate('local')
// later selects it by that name.
passport.use('local', localStrategy);

The verify callback reports its result through the done() function.

Q. Application Middleware

// Mount Passport's own middleware. initialize() is always required;
// session() is optional and only matters when login sessions are used, in
// which case it has to be mounted after the session middleware (express-session)
// so that the session is already available when it restores req.user.
app.use(passport.initialize());
app.use(passport.session());

Q. Sessions

In order to support login sessions, Passport will serialize and deserialize user instances to and from the session

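// Session persistence for login state. serializeUser decides what is written
// to the session store; deserializeUser turns that back into req.user on each
// request.
//
// The local strategy above hands over the full user record, including its
// `password` field, so serializing `user` as-is would copy the credential into
// every session document in the store. Strip it first: req.user keeps every
// other field, and nothing after login should need the password.
// NOTE(review): assumes findUser() returns a plain object — confirm; if it
// returns an ODM document (e.g. Mongoose), convert it with toObject() first.
passport.serializeUser(function (user, done) {
  const sessionUser = Object.assign({}, user);
  delete sessionUser.password;
  done(null, sessionUser);
});

// The session holds the (password-less) user object itself, so restoring it
// is a pass-through; no database lookup is needed here.
passport.deserializeUser(function (user, done) {
  done(null, user);
});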
<以下是stack overflow上的解說>

<另一個文字流程的解說, 也滿詳細>

passport.serializeUser(function(user, done) {
    done(null, user.id);
                 |
});              | 
                 |
                 |____________________> saved to session req.session.passport.user = {id:'..'}
                                   |          
passport.deserializeUser(function(id, done) {
                  ________________|
                  | 
    User.findById(id, function(err, user) {
        done(err, user);
                   |______________>user object attaches to the request as req.user

 });

Q. connect-mongo

express-session

express-session 中介軟體會將階段作業資料儲存在伺服器上; 它只將階段作業 ID(而非階段作業資料)儲存在 Cookie 本身中. 依預設,express-session使用記憶體內儲存體,且並非設計成用於正式作業環境

MongoDB session store.

支援express-session的 mongodb session store

var session = require('express-session');
var MongoStore = require('connect-mongo')(session);

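// Enable sessions, backed by MongoDB through connect-mongo so login state
// survives a process restart (the default in-memory store is not meant for
// production, as noted above).
//
// The secret signs the session-ID cookie; anyone who knows it can forge
// session IDs, so it is read from the environment instead of being committed
// to source (use a long random string). Fail at startup rather than run
// without one.
const sessionSecret = process.env.SESSION_SECRET;
if (!sessionSecret) {
  throw new Error('SESSION_SECRET environment variable must be set');
}

app.use(session({
  // session store via connect-mongo; MONGO_URL overrides the local default
  store: new MongoStore({ url: process.env.MONGO_URL || 'mongodb://localhost:27017/test' }),
  secret: sessionSecret,
  // Don't rewrite unchanged sessions on every request (connect-mongo keeps
  // active sessions alive through the store's touch()), and don't create a
  // session document for visitors who never log in.
  resave: false,
  saveUninitialized: false,
  cookie: {
    maxAge: 30 * 60 * 1000,  // expires after 30 minutes
    httpOnly: true,          // not readable from page scripts
    sameSite: 'lax',         // not sent on cross-site POSTs
    // Only send the cookie over HTTPS in production; behind a TLS-terminating
    // proxy this also needs app.set('trust proxy', 1) so Express treats the
    // request as secure.
    secure: process.env.NODE_ENV === 'production',
  },
}));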

