jsonwebtoken(jwt):
- express-jwt: 不太灵活
- jsonwebtoken
jsonwebtoken简单使用
- 加密
```js
const jwt = require('jsonwebtoken');
const secrect = 'lantong';
// 加密
const token = jwt.sign(
  // 这一部分为payload
  { id: 1, name: '蓝火之瞳' },
  secrect, // 秘钥,对称加密的秘钥
  {
    expiresIn: 3600 // 过期时间秒为单位
  }
)
// console.log(token);
```
2. 解密
```js
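// Verify (the notes call it "decrypt") a token.
// jwt.decode(token) only parses the payload; it checks neither the signature
// nor the expiry, so it must never be used to authenticate a request.
try {
  // verify() checks the HMAC signature against the shared secret and the exp claim
  const decode = jwt.verify(token, secrect);
  console.log(decode);
} catch (error) {
  // jsonwebtoken reports expiry as TokenExpiredError; any other failure
  // (bad signature, malformed token) must not be reported as "expired"
  if (error.name === 'TokenExpiredError') {
    console.log('token过期');
  } else {
    console.log('token无效', error.message);
  }
}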
使用 `jwt.verify(token, secrect)` 来验证(解密)token, 如果token不合法(签名错误或已过期), verify会直接抛出异常, 所以要放在try/catch里
封装jwt工具
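const jwt = require('jsonwebtoken');
// HMAC secret shared by sign() and verify(). Taken from the environment when
// set (variable name chosen here) so the real secret is not committed to
// source; the literal is only a development fallback.
const secrect = process.env.JWT_SECRET || 'lantong';
// Name of the cookie that carries the issued token
const cookieKey = 'token';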
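/**
 * Issue a JWT for `info` and attach it to the response as both a cookie and an
 * `authorization` header.
 * @param {object} res - Express response the token is attached to
 * @param {number} [maxAge=86400] - token and cookie lifetime in seconds
 * @param {object} [info={}] - claims placed in the payload; the token is signed,
 *   not encrypted, so nothing confidential belongs here
 */
exports.publish = function (res, maxAge = 3600 * 24, info = {}) {
  const token = jwt.sign(info, secrect, { expiresIn: maxAge });
  res.cookie(cookieKey, token, {
    maxAge: maxAge * 1000, // express wants milliseconds; expiresIn above is seconds
    path: '/',
    httpOnly: true, // keeps the token out of document.cookie, so injected script cannot read it
    sameSite: 'lax', // cookie is not sent on cross-site POSTs, which limits CSRF via the cookie
    // secure: true belongs here once the app is served over HTTPS (left out: dev over http)
  });
  res.header('authorization', token);
};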
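/**
 * Read the JWT from the token cookie or the `authorization` header and verify it.
 * On success the payload's `id` is copied to `req.userId`.
 * @param {object} req - Express request; req.cookies is only present when
 *   cookie-parser ran, so it is guarded below
 * @returns {object|null|false} decoded payload, `null` when no token was sent,
 *   `false` when verification fails (callers only test truthiness)
 */
exports.veryfy = function (req) {
  const fromCookie = req.cookies && req.cookies[cookieKey];
  const raw = fromCookie || req.headers.authorization;
  if (!raw) {
    return null;
  }
  // Accept either a bare token or a `Bearer <token>` style header
  const parts = raw.split(' ');
  const token = parts.length === 1 ? parts[0] : parts[1];
  try {
    // Pin the algorithm to the one sign() uses by default for a string secret,
    // so a token cannot pick a different algorithm through its own header
    const decode = jwt.verify(token, secrect, { algorithms: ['HS256'] });
    req.userId = decode.id;
    return decode;
  } catch (error) {
    // Bad signature, malformed token or expired: treated as "not authenticated"
    return false;
  }
};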
颁发jwt
const express = require('express');
const router = express.Router();
const { getResult } = require('./sendHelper'); // presumably shapes a service result for res.send — used by every handler below
const AdminService = require('../../services/adminService');
const crypter = require('../../util/crypt'); // only referenced by the commented-out cookie variant in the login handler
const JWT = require('../jwt') // publish()/veryfy() helpers from the jwt util module
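// Login. The admin is looked up by its credentials and a JWT is issued in both
// the cookie and the `authorization` header (see JWT.publish).
// NOTE(review): the credentials travel in the query string of a GET, so they
// end up in access logs and browser history; the route shape is kept because
// changing the method changes the route's interface, but a POST body is the
// safer transport.
router.get('/', (req, res, next) => {
  const { loginName, loginPwd } = req.query;
  AdminService.getAdminByLoginPwdAndLoginName(loginName, loginPwd).then(resp => {
    // Earlier versions kept the login state in an encrypted cookie/header
    // (crypter) or in req.session; the stateless JWT replaced both.
    // The debug dump of `resp` was removed: it wrote the whole admin record
    // (whatever the service returns for it) to the log.
    // Only the admin id goes into the payload — the token is signed, not
    // encrypted, so it must not carry anything confidential. Lifetime 3600 s.
    JWT.publish(res, 3600, { id: resp.id });
    res.send(getResult(resp));
  }).catch(err => next(err));
});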
// Create an admin from the request body.
// NOTE(review): req.body is handed to the service whole; whether it is
// restricted to the expected fields cannot be told from here — confirm in AdminService.
router.post('/', async (req, res, next) => {
  try {
    const created = await AdminService.addAdmin(req.body);
    res.send(getResult(created));
  } catch (err) {
    next(err);
  }
});
// Return the admin bound to the verified JWT. req.userId is set by jwt.veryfy
// in the auth middleware; if that middleware did not run, the lookup receives undefined.
router.get('/whoami', async (req, res, next) => {
  try {
    const admin = await AdminService.getAdminById(req.userId);
    res.send(getResult(admin));
  } catch (err) {
    next(err);
  }
});

module.exports = router;
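const { pathToRegexp } = require('path-to-regexp');
const ceyptor = require('../../util/crypt'); // only used by the commented-out cookie variant
const jwt = require('../jwt');

// Routes that require a valid JWT. The path regexes are compiled once here
// instead of on every request.
const needTokenApi = [
  { method: 'POST', path: '/api/student' },
  { method: 'PUT', path: '/api/student/:id' },
  { method: 'GET', path: '/api/admin/whoami' },
].map(api => ({ method: api.method, path: api.path, regexp: pathToRegexp(api.path) }));

/**
 * Express middleware: passes requests to unprotected routes straight through;
 * for protected routes it requires jwt.veryfy() to succeed (which also sets
 * req.userId). A failed check is thrown and reaches Express's error handler.
 */
module.exports = function (req, res, next) {
  const isProtected = needTokenApi.some(api =>
    api.method === req.method && api.regexp.test(req.path)
  );
  if (!isProtected) {
    next();
    return;
  }
  // Earlier variants checked an encrypted cookie/header (ceyptor) or
  // req.session; the stateless JWT check replaced both.
  const result = jwt.veryfy(req);
  if (result) {
    next();
  } else {
    const err = new Error('you have not access the api');
    // Lets an error handler that honours err.status answer 401 rather than 500
    err.status = 401;
    throw err;
  }
};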
1. 引入const jwt = require('../jwt')
1. 认证:` const result = jwt.veryfy(req);`
<a name="P4TPa"></a>
## 添加whoami接口
1. 颁发jwt的时候,将用户的id放进token的payload中
```js
JWT.publish(res, 3600, { id: resp.id }); // payload carries only the admin id; token lifetime 3600 s
验证jwt通过,将用户的id添加到req对象的userId属性上
exports.veryfy = function (req) { let token = req.cookies.token || req.headers.authorization; if (!token) { return null; } // 验证beater token const parts = token.split(' '); token = parts.length === 1 ? parts[0] : parts[1]; try { const decode = jwt.verify(token, secrect); req.userId = decode.id; return decode; } catch (error) { return false; } }
在
/whoami
接口中,拿到req中的userId属性的值做查询
```js
router.get('/whoami', (req, res, next) => {
  AdminService.getAdminById(req.userId).then(resp => {
    res.send(getResult(resp))
  }).catch(err => next(err))
})
```