NodeJS express -如何在API请求中读取HttpOnly cookie?

l7mqbcuq  于 2023-04-05  发布在  Node.js
关注(0)|答案(2)|浏览(205)

当用户登录时,我在响应中发送回一个HttpOnly cookie。

然而,当我尝试读取cookie时,当我对API进行后续调用时,什么都没有
以下是我如何制作饼干的:

var signOptions = {
    expiresIn: '30d',
    algorithm: 'RS256'
  }
  var CurrentDate = new Date()
  CurrentDate.setMonth(CurrentDate.getMonth() + 1)
  var cookieOptions = {
    httpOnly: true,
    expires: CurrentDate
  }

  const token = jwt.sign({ _id: user._id },
    fs.readFileSync(path.resolve('routes/keys/private.key'), 'utf8'),
    signOptions)

  res.status(200).cookie('stickyAccessJwt', token, cookieOptions).send('well done')

路径('/test'):

const express = require('express')
const router = express.Router()
const { CheckAuthorisation } = require('./middleware/checkAuthorisation')

router.get('/', CheckAuthorisation, async (req, res) => {
  res.send(':)')
})

module.exports = router

中间件(401在这里到达):

let checkAuthorisation = (req, res, next) => {
  var userJWT = req.cookies.stickyAccessJwt
  if (!userJWT) {
    res.status(401).send('Invalid or missing authorization token')
  } else {
    // 2. There's a token; see if it is a valid one and retrieve the payload

    var verifyOptions = {
      expiresIn: '30d',
      algorithm: ['RS256']
    }

    const userJWTPayload = jwt.verify(
      userJWT,
      fs.readFileSync(path.resolve('routes/keys/private.key'), 'utf8'),
      verifyOptions)

    if (!userJWTPayload) {
      // Kill the token since it is invalid
      res.clearCookie('stickyAccessJwt')
      res.status(401).send('Kill the token since it is invalid')
    } else {
      // 3. There's a valid token...see if it is one we have in the db as a logged-in user
      User.findOne({ '_id': userJWTPayload._id })
        .then(function (user) {
          if (!user) {
            res.status(401).send('User not currently logged in')
          } else {
            console.log('Valid user:', user.email)
            next()
          }
        })
    }
  }
}

这是我的index.js

const Joi = require('joi')
Joi.objectId = require('joi-objectid')(Joi)
const bodyParser = require('body-parser')
const cors = require('cors')
const cookieParser = require('cookie-parser')
const mongoose = require('mongoose')
const express = require('express')
const app = express()
const register = require('./routes/register')
const login = require('./routes/login')
const test = require('./routes/test')

mongoose.connect('mongodb://localhost/stickywall', { useNewUrlParser: true })
  .then(() => console.log('Now connected to MongoDB!'))
  .catch(err => console.error('Something went wrong', err))
mongoose.set('useCreateIndex', true)

app.use(cors())
app.use(cookieParser())
app.use(express.json())
app.use(bodyParser.json())
app.use(bodyParser.urlencoded({ extended: true }))
app.use('/register', register)
app.use('/login', login)
app.use('/test', test)

const port = process.env.PORT || 4000
app.listen(port, () => console.log(`Listening on port ${port}...`))

我不明白为什么req.cookies是空的,是不是我遗漏了什么?

bjp0bcyl

bjp0bcyl1#

res.cookie([`JWT_TOKEN=Bearer ${token}; secure; httponly; 
  samesite=Strict;`,])

1.第一件事是安装cookie-parser库,这是一个中间件,所以Express可以管理cookie:
npm install cookie-parser
1.然后转到配置Express应用程序的位置,并添加Cookie解析器库作为中间件

const express = require('express');
const cookieParser = require('cookie-parser');
app.use(cookieParser());```

1.现在我们的Express应用程序可以为我们做所有的cookie解析工作了!
req.cookies.JWT_TOKEN
1.在前面,如果您使用axios,则必须始终在配置中设置“withCredentials:真的,”

const config = {
 headers: {
    'Content-Type': 'application/json',
   },
  withCredentials: true
}; 
          
    axios
      .post(
        'http://localhost:3008/api/auth/login',
        {
          username: target.username.value,
          password: target.password.value,
        },
        config
      )
      .then((data) => JSON.stringify(data, null, 2))
      .then((result) => console.log(result))
      .catch((err) => console.log('[Control Error ]', err))
  }

!!!HTTP cookie会在所有请求中自动发送到服务器。结束

o7jaxewo

o7jaxewo2#

const token = req.body.token ||
    req.query.token ||
    req.headers['x-access-token'] ||
    req.cookies.token;

if (!token) {
   res.sendStatus(401)
}

相关问题