英文:
please check my verification using email and password?
问题
I'll provide translations for the code you shared:
现在我正在尝试在我的类别控制器中检查用户是否已登录,如果已登录,则允许他发布类别,否则显示“您必须登录才能创建类别”,但不管用户是否已登录,类别都会被发布,这让我困扰了4个小时,因为我还是初学者。
这是问题所在的地方,它绕过了:
路由部分:
routeCategory.post("/category", (req, res) => {
if (!req.body || !req.body.category_id) {
return res.status(400).send("类别丢失");
}
const id = req.body.category_id;
const one = category.categoryData.find(
(Element) => Element.category_id === id
);
const email2 = req.params.email;
const found = User.data.find((email) => email.email === email2);
if (User.login(email2, req.body.password) == false) {
return res.status(401).send("您未经授权");
} else if (one) {
return res.status(409).send("类别已存在");
} else {
const newCategory = {
category_id: req.body.category_id,
categoryName: req.body.categoryName,
};
category.createCategory(newCategory);
return res.sendStatus(201);
}
});
登录部分:
static login = function (email, password) {
// 检查数据数组中是否存在与输入的电子邮件和密码相同的用户
// 如果是,则返回电子邮件
const found = User.data.find((element) => {
return element.email === email && element.password === password;
});
console.log(User.data);
console.log(email, password);
if (found) {
return true;
} else {
return false;
}
};
}
只提供了代码的翻译部分,没有其他内容。
英文:
now im trying to check in my category controller if user logged in let him post category otherwise show him "You must be logged in to create a category" but the category is posted wether user is logged in or not logged in it caused me frustration for 4 hours still beginner
this where the problem it bypass
routeCategory.post("/category", (req, res) => {
if (!req.body || !req.body.category_id) {
return res.status(400).send("category missing");
}
const id = req.body.category_id;
const one = category.categoryData.find(
(Element) => Element.category_id === id
);
const email2 = req.params.email;
const found = User.data.find((email) => email.email === email2);
if (User.login(email2, req.body.password) == false) {
return res.status(401).send("You are not authorized");
} else if (one) {
return res.status(409).send("Category already exists");
} else {
const newCategory = {
category_id: req.body.category_id,
categoryName: req.body.categoryName,
};
category.createCategory(newCategory);
return res.sendStatus(201);
}
});
static login = function (email, password) {
// checking if the email and password are in the data array
// then the email and password must be the same as the user entered it
// return email if it's right
// const found = User.data.find(
// (element) => element.email === email && element.password === password
// );
const found = User.data.find((element) => {
return element.email === email && element.password === password;
});
console.log(User.data);
console.log(email, password);
if (found) {
return true;
} else {
return false;
}
};
}
答案1
得分: 0
控制访问应该通过单独的中间件来完成:
const checkAccess = (req, res, next) => {
// 获取用户并检查要求
if (/* 用户可以访问路由 */) {
next()
} else {
next(new Error("无访问权限"))
}
}
routeCategory.post("/category", checkAccess, (req, res) => {
if (!req.body || !req.body.category_id) {
....
此外,应该以一种无法使用 === 进行检查的方式存储密码,可以使用 bcrypt 或 argon2 进行密码哈希化。
英文:
Controlling access like this should be done via a separate middleware:
const checkAccess = (req, res, next) => {
// fetch user and check requirements
if (/* user can access route*/) {
next()
} else {
next(new Error("No access"))
}
}
routeCategory.post("/category", checkAccess, (req, res) => {
if (!req.body || !req.body.category_id) {
....
Also you should be storing the password in a way that checking it with === isn't possible, use bcrypt or argon2 for password hashing.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论