请求未显示所有标头 node.js

huangapple go评论71阅读模式
英文:

request not showing all headers nodejs

问题

我正在使用Node.js和Express。我有一个中间件来检查通过请求标头发送的授权令牌。

以前,我是逐个在每个端点设置中间件的。一切都运行得很完美,请求中的标头被正确发送。我是用授权令牌进行授权的,所以在我的身份验证中间件中,我检查是否有一个"Authorization"标头。

现在我将中间件移到了server.js中,以包装所有路由,这样我就不必手动设置它。有一些路由是不受保护的,所以我使用"unless"函数将它们排除在中间件之外。

const unless = function(path, middleware) {
    return function(req, res, next) {
        let reqMethod = req.method;
        if(req.method == 'OPTIONS'){
            reqMethod = req.headers['access-control-request-method'];
        }
        if (path.find(({url,method,methods}) => url == req.path && (method==reqMethod || methods==reqMethod))) {
            next();
        } else {
            middleware(req, res, next);
        }
    };
};

app.use(schemaValidator,unless(publicPaths,auth),routes);

"unless"方法似乎与不受保护的路由一起工作得很好。现在的问题是,出于某种原因,我不能像以前那样获取请求标头。我没有获取到包含令牌的"Authorization"标头,而是获取到了这个:

"access-control-request-headers":"authorization"

如果我检查req.headers.authorization,它是未定义的。

附带说明:publicPaths是一个包含不受保护的端点的"URL"和"method"作为键的对象数组。

有人知道可能发生了什么吗?如果您需要更多信息,请告诉我!

英文:

I am using nodejs with express. I have a middleware to check the authorization token sent through the headers in the request.

Previously, I was setting the middleware in each endpoint, one by one. Everything worked perfectly, the headers were correctly sent in the request. I'm doing it with authorization bearer, so in my auth middleware, I check if there's an "Authorization" header.

Now I moved the middleware to the server.js, to wrap all the routes, so I don't have to set it manually. There are some routes that are unprotected so I am excluding them from the middleware with the "unless" function.

const unless = function(path, middleware) {
    return function(req, res, next) {
		let reqMethod = req.method;
		if(req.method == 'OPTIONS'){
			reqMethod = req.headers['access-control-request-method'];
		}
        if (path.find(({url,method,methods}) => url == req.path && (method==reqMethod || methods==reqMethod))) {
            next();
        } else {
            middleware(req, res, next);
        }
    };
};

app.use(schemaValidator,unless(publicPaths,auth),routes);

The "unless" method seems to work fine with the unprotected routes. The problem now is that, for some reason, I'm not getting the request headers as I used to. Instead of getting the "Authorization" header with the token, I'm just getting this:

"access-control-request-headers":"authorization".

And if I check for the req.headers.authorization it is undefined.

Side note: the publicPaths is an array of objects with the "URL" and "method" of the unprotected endpoints as the keys.

Does anyone know what might be happening? If you need any more information please tell me!

答案1

得分: 2

处理预检请求OPTIONS是一个完全独立的问题,与授权无关。

预检请求通常不会包含任何Authorisation头。我强烈建议在任何其他请求处理中间件之前注册使用行业标准的cors中间件

const cors = require("cors");
const corsOptions = {
  origin: ["https://example.com"],
};

const unless = function (path, middleware) {
  return function (req, res, next) {
    if (
      paths.some(
        ({ url, method, methods }) =>
          url === req.path && (method === req.method || methods === req.method)
      )
    ) {
      next();
    } else {
      middleware(req, res, next);
    }
  };
};

app.use(schemaValidator, cors(corsOptions), unless(publicPaths, auth), routes);

这将独立处理OPTIONS请求,使您的中间件可以处理实际请求。


由于Postman不受同源策略的限制,不会发送预检OPTIONS请求,因此您不会在Postman中看到任何问题。

英文:

Handling preflight OPTIONS requests is an entirely separate concern to authorisation.

Preflight requests typically will not have any Authorisation header present. I highly recommend using the industry standard cors middleware, registered before any other request handling middleware

const cors = require("cors");
const corsOptions = {
  origin: ["https://example.com"],
};

const unless = function (path, middleware) {
  return function (req, res, next) {
    if (
      paths.some(
        ({ url, method, methods }) =>
          url === req.path && (method === req.method || methods === req.method)
      )
    ) {
      next();
    } else {
      middleware(req, res, next);
    }
  };
};

app.use(schemaValidator, cors(corsOptions), unless(publicPaths, auth), routes);

This will take care of OPTIONS requests independently, leaving your middleware to work with actual requests.


You won't see any issues with Postman since it is not subject to the same-origin policy and will not send preflight OPTIONS requests.

huangapple
  • 本文由 发表于 2023年1月4日 06:08:23
  • 转载请务必保留本文链接:https://go.coder-hub.com/74999132.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定