
我正試圖找到一種方法,保護每個用戶的資源不被其他(已通過授權的)用戶存取。因此,這是目前有問題的流程:JWT 身份驗證和授權

enter image description here

正如你所看到的,愛麗絲持有有效的 JWT 令牌,而只要她(不知何故)設法取得約翰的 ID,就能得到約翰的信息。我想防止這種情況……我該怎麼做?

這是我用於 Passport 認證的代碼。一切運作正常,我只是想增加額外的安全層。

passportTest.js

'use strict'; 
// load environment variables 
require('dotenv').config(); 
/** 
*Module dependencies 
*/ 

const passport = require('passport'); 
const User = require('../models/user'); 
let jwt = require('jsonwebtoken'); 
/** 

*Configuration and Settings 
*/ 
const utilities = require('../models/utilities'); 

const errHandler = utilities.errHandler; 
const JwtStrategy = require('passport-jwt').Strategy; 
const ExtractJwt = require('passport-jwt').ExtractJwt; 
const LocalStrategy = require('passport-local').Strategy; 
// passport-jwt strategy settings: what verifies a token and where it is read from.
const jwtOptions = {
    // Shared secret used to verify token signatures; comes from the environment,
    // so an unset SECRET leaves this undefined.
    secretOrKey: process.env.SECRET,
    // Extract the token from the request's Authorization header.
    jwtFromRequest: ExtractJwt.fromAuthHeader(),
};


// Configure Passport to use JWT strategy to look up Users. 
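// Configure Passport to use JWT strategy to look up Users.

/**
 * Pull the user id out of a verified token payload.
 * Tokens issued by generateToken() (not shown in this file) evidently sign a whole
 * Mongoose document, which is why the id sits at payload._doc._id. A payload
 * without that shape yields null instead of throwing a TypeError inside the
 * verify callback.
 * @param {object} payload - decoded JWT claims
 * @returns {*} the id found at payload._doc._id, or null
 */
function jwtPayloadUserId(payload) {
    if (!payload || !payload._doc || payload._doc._id == null) {
        return null;
    }
    return payload._doc._id;
}

passport.use('jwt', new JwtStrategy(jwtOptions, (jwtPayload, done) => {
    const id = jwtPayloadUserId(jwtPayload);
    if (id === null) {
        // Signature verified but this is not a payload we issued: reject, no error.
        return done(null, false);
    }
    // NOTE(review): signing the full user document (see _doc above) embeds every
    // stored field, e.g. a password hash, into a base64 payload that any token
    // holder can decode; issuing only { _id } would avoid that — confirm in generateToken().
    // findById takes the id itself; the original wrapped it in { _id } and relied on casting.
    User.findById(id, (err, user) => {
        if (err) {
            return done(err, false);
        }
        // Unknown id: authentication fails without an error.
        return done(null, user || false);
    });
}));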


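// Email/password login: look the user up by email, then check the password.
// On a lookup error the original returned errHandler(err) without ever calling
// done(), so Passport never learned the outcome and the request could hang.
passport.use('local-login', new LocalStrategy({
    usernameField: 'email',
    passwordField: 'password',
    passReqToCallback: true,
}, (req, email, password, done) => {
    User.findOne({ email }, (err, user) => {
        if (err) {
            // errHandler lives in ../models/utilities (not shown); keep its side
            // effect, but also hand the failure to Passport so the route's error branch runs.
            errHandler(err);
            return done(err, false);
        }

        if (!user) {
            // NOTE(review): distinct "no such user" / "bad password" messages let a
            // caller probe which emails are registered; one generic message avoids that.
            return done(null, false, {
                errMsg: 'User does not exist, please' +
                    ' <a class="errMsg" href="/signup">signup</a>',
            });
        }

        if (!user.validPassword(password)) {
            return done(null, false, { errMsg: 'Invalid password try again' });
        }

        return done(null, user);
    });
}));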
/** 
*Export Module 
*/ 
module.exports = passport; 

Routes.js

'use strict'; 
// load environment variables 
require('dotenv').config(); 
/** 
*Module dependencies 
*/ 
const express = require('express'); 
const passport = require('../config/passport'); 
const authChecker = require('../config/authentication-checker'); 
const passportTest = require('../config/passport-jwt'); 
let jwt = require('jsonwebtoken'); 
const utilities = require('../models/utilities'); 
const userController = require('../controllers/user.controller'); 
const expressJwt = require('express-jwt'); 

//============================================================================== 
/** 
*Create router instance 
*/ 
// Router that every route in this module is mounted on; never reassigned.
const router = express.Router();
//============================================================================== 
/** 
*Module Variables 
*/ 
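//needed to protect the '/dashboard' route
/**
 * Route guard: verifies the JWT from the Authorization header and attaches the
 * matching user to req.user. Requests without the header are redirected to
 * /login; an invalid token or unknown user gets a 401. The original called
 * res.status(401) without ending the response, so those requests hung.
 * A strategy error is forwarded to next(err), matching how the /auth route
 * treats strategy errors.
 * Note: this proves only who the caller is; per-resource ownership (e.g. the
 * :id in /api/users/id/:id) still has to be checked by the route itself.
 * @param {import('express').Request} req
 * @param {import('express').Response} res
 * @param {Function} next
 */
function isLoggedIn(req, res, next) {
    if (!req.headers.authorization) {
        return res.redirect('/login');
    }
    // Custom-callback form: Passport does not write the response itself here.
    passportTest.authenticate('jwt', { session: false }, (err, user) => {
        if (err) {
            // Strategy/database failure is a server error, not a bad credential.
            return next(err);
        }
        if (!user) {
            // sendStatus both sets the code and ends the response.
            return res.sendStatus(401);
        }
        req.user = user;
        return next();
    })(req, res, next);
}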
//============================================================================== 
/** 
*Middleware 
*/ 
// Passport must be initialised before any strategy runs. The session hook is
// kept for the cookie-based flows (req.login in /auth and /signup); the JWT
// guard itself runs with session: false.
router
    .use(passport.initialize())
    .use(passport.session());
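// Authenticate the user and get a JSON Web Token to include in the header of future requests.
// On a req.login failure the original set res.status(409) with no body, which
// never finished the response; it is now forwarded to the error handler, the
// same way the /signup route handles that case.
router.route('/auth').post((req, res, next) => {
    passportTest.authenticate('local-login', (err, user, info) => {
        if (err) {
            return next(err); // will generate a 500 error
        }
        if (!user) {
            // info is the third argument the local-login strategy passes to done().
            return res.status(409).render('pages/login', { errMsg: info.errMsg });
        }
        req.login(user, (loginErr) => {
            if (loginErr) {
                console.error(loginErr);
                return next(loginErr);
            }
            // generateToken is defined elsewhere in this module (not shown here).
            return res.status(200).json(generateToken(user));
        });
    })(req, res, next);
});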

// Example of required auth: protect dashboard route with JWT
// Smoke-test endpoint for the JWT guard; echoes the user object as plain text
// (string concatenation, so a document renders via its toString()).
router.get('/secure', isLoggedIn, (req, res) => res.send('It worked' + req.user));
// Signup page (GET) and account creation (POST through the 'local-signup'
// strategy, which is registered in ../config/passport rather than in this module).
router.route('/signup')
    .get((req, res) => res.render('pages/signup'))
    .post((req, res, next) => {
        const onAuthenticated = (err, user, info) => {
            if (err) {
                return next(err); // will generate a 500 error
            }
            if (!user) {
                return res.status(409).render('pages/signup', { errMsg: info.errMsg });
            }
            // Establish the session for the freshly created account, then move on.
            req.login(user, (loginErr) => {
                if (loginErr) {
                    console.error(loginErr);
                    return next(loginErr);
                }
                return res.redirect('/dashboard');
            });
        };
        passport.authenticate('local-signup', onAuthenticated)(req, res, next);
    });
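/**
 * Ownership check for user-scoped routes: the authenticated user (set on
 * req.user by isLoggedIn) may only read their own record. Without it, any
 * valid token can fetch any user's data just by supplying another :id —
 * exactly the Alice/John case described above.
 * Assumes req.user._id stringifies to the same form as the :id in the URL;
 * confirm against what the controller and the database use as the id.
 * @param {import('express').Request} req
 * @param {import('express').Response} res
 * @param {Function} next
 */
function isSameUser(req, res, next) {
    if (!req.user || String(req.user._id) !== String(req.params.id)) {
        // 403, not 401: the caller is authenticated, just not allowed this resource.
        return res.sendStatus(403);
    }
    return next();
}

router.route('/api/users/id/:id').get(isLoggedIn, isSameUser, userController.getUserById);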

在此先感謝。

回答


只需將 userId 加入 JWT 的聲明(claims,即 payload)即可。這樣你就總是可以檢查:

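if (claim.userId !== request.params.userId) {
    // Send the 403 and stop here. A bare next() after res.status(403) lets the
    // next handler run anyway, so it could still attach the other user's data
    // to a response that merely carries a 403 code.
    return res.status(403).end();
}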

在哪裏檢查,謝爾蓋?在用戶控制器中? – Ricardo


您應在端點的控制器中執行此檢查。JWT 的聲明(claims)是您在簽發 JWT 時可以自行設定的。請參閱 Passport/JWT 的相關文檔以瞭解其工作原理。 –


我設法讓它運作了。用這種方法,能否作為採用微服務架構的起點? – Ricardo