拦截需要权限的请求
解析验证携带的jwt
对比权限 通过 执行 next()
不通过 提示权限不足
请求路径
const PATHS = {
getImage: "/getImage/*",
// pokers path
getPokers: "/getPokers",
createNewPoker: '/createNewPoker',
updatePoker: "/updatePoker",
deletePoker: "/deletePoker",
// auth path
getUserByToken: "/getUserByToken",
checkUsernameValid: "/checkUsernameValid",
login: "/login",
register: "/register",
}
const ROLE = { 0: "tourist", 1: "manager", 2: 'admin' }/*
key: 请求路径 PATHS 从中取
value: role级别即执行操作所需的最低权限
*/
const authorityRequest = { [PATHS.createNewPoker]: 1, [PATHS.updatePoker]: 1, [PATHS.deletePoker]: 1 }
app.all("*", async (req, res, next) => {
const { path, headers: { authorization } } = req;
const needAuth = Object.keys(authorityRequest).includes(path);
if (needAuth) {
const result = await validAuthorization(authorization, authorityRequest[path], res, path);
if (result) next();
} else next();
})validAuthorization()
const validAuthorization = async (authorization, role, res, path) => {
let result = undefined;
try {
result = await decrypt(authorization);
console.log("validAuthorization:", result);
if (!result.role || result.role < role) {
result = undefined;
console.log(`用户${result.username}执行${path}权限不足,当前权限:${result.role}`);
//401 unauthorized,表示发送的请求需要有通过 HTTP 认证的认证信息
res.status(401).send({ message: "权限不够,可联系管理员添加权限" })
}
} catch (error) {
console.error("decrypt filed:", error);
res.status(444).send({ message: "jwt错误 authorization验证失败" })
}
return result;
}decrypt()
const jwt = require('jsonwebtoken');
const decrypt = (token) => jwt.verify(token, secret)
