请检查我的通过电子邮件和密码进行的验证?

huangapple go评论91阅读模式
英文:

please check my verification using email and password?

问题

I'll provide translations for the code you shared:

现在我正在尝试在我的类别控制器中检查用户是否已登录如果已登录则允许他发布类别否则显示您必须登录才能创建类别”,但不管用户是否已登录类别都会被发布这让我困扰了4个小时因为我还是初学者

这是问题所在的地方它绕过了

路由部分
routeCategory.post("/category", (req, res) => {
  if (!req.body || !req.body.category_id) {
    return res.status(400).send("类别丢失");
  }

  const id = req.body.category_id;
  const one = category.categoryData.find(
    (Element) => Element.category_id === id
  );
  const email2 = req.params.email;
  const found = User.data.find((email) => email.email === email2);
  if (User.login(email2, req.body.password) == false) {
    return res.status(401).send("您未经授权");
  } else if (one) {
    return res.status(409).send("类别已存在");
  } else {
    const newCategory = {
      category_id: req.body.category_id,
      categoryName: req.body.categoryName,
    };

    category.createCategory(newCategory);
    return res.sendStatus(201);
  }
});

登录部分
static login = function (email, password) {
    // 检查数据数组中是否存在与输入的电子邮件和密码相同的用户
    // 如果是,则返回电子邮件

    const found = User.data.find((element) => {
      return element.email === email && element.password === password;
    });
    console.log(User.data);
    console.log(email, password);
    if (found) {
      return true;
    } else {
      return false;
    }
  };
}

只提供了代码的翻译部分,没有其他内容。

英文:

now im trying to check in my category controller if user logged in let him post category otherwise show him "You must be logged in to create a category" but the category is posted wether user is logged in or not logged in it caused me frustration for 4 hours still beginner

this where the problem it bypass


routeCategory.post("/category", (req, res) => {
if (!req.body || !req.body.category_id) {
return res.status(400).send("category missing");
}
const id = req.body.category_id;
const one = category.categoryData.find(
(Element) => Element.category_id === id
);
const email2 = req.params.email;
const found = User.data.find((email) => email.email === email2);
if (User.login(email2, req.body.password) == false) {
return res.status(401).send("You are not authorized");
} else if (one) {
return res.status(409).send("Category already exists");
} else {
const newCategory = {
category_id: req.body.category_id,
categoryName: req.body.categoryName,
};
category.createCategory(newCategory);
return res.sendStatus(201);
}
});

static login = function (email, password) {
// checking if the email and password are in the data array
// then the email and password must be the same as the user entered it
// return email if it's right
// const found = User.data.find(
//   (element) => element.email === email && element.password === password
// );
const found = User.data.find((element) => {
return element.email === email && element.password === password;
});
console.log(User.data);
console.log(email, password);
if (found) {
return true;
} else {
return false;
}
};
}

答案1

得分: 0

控制访问应该通过单独的中间件来完成:

const checkAccess = (req, res, next) => {
  // 获取用户并检查要求
  if (/* 用户可以访问路由 */) {
    next()
  } else {
    next(new Error("无访问权限"))
  }
}

routeCategory.post("/category", checkAccess, (req, res) => {
  if (!req.body || !req.body.category_id) {
  ....

此外,应该以一种无法使用 === 进行检查的方式存储密码,可以使用 bcryptargon2 进行密码哈希化。

英文:

Controlling access like this should be done via a separate middleware:

const checkAccess = (req, res, next) => {
// fetch user and check requirements
if (/* user can access route*/) {
next()
} else {
next(new Error("No access"))
}
}
routeCategory.post("/category", checkAccess, (req, res) => {
if (!req.body || !req.body.category_id) {
....

Also you should be storing the password in a way that checking it with === isn't possible, use bcrypt or argon2 for password hashing.

huangapple
  • 本文由 发表于 2023年6月26日 23:17:20
  • 转载请务必保留本文链接:https://go.coder-hub.com/76558036.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定