node.js - 我设计用于在 nodejs 上生成 jwt 的 API 返回 config.data(包含用户提交数据,包括密码)。如何阻止它?
问题描述
这是 app.js。这里的 api 端点是 http://localhost:3001/api/male/users/signup。这里我使用猫鼬,快递来设计后端。
const express = require("express");
const app = express();
const morgan = require("morgan");
const bodyParser = require("body-parser");
const mongoose = require("mongoose");
const maleproductRoutes = require('./api/routes/male/products');
const maleorderRoutes = require('./api/routes/male/orders');
const maleauthRoutes = require('./api/routes/male/users');
const femaleproductRoutes = require('./api/routes/female/products');
const femaleorderRoutes = require('./api/routes/female/orders');
const femaleauthRoutes = require('./api/routes/female/users');
mongoose.connect('mongodb+srv://'+process.env.MONGO_ATLAS_USER+':'+process.env.MONGO_ATLAS_PW+'@clusteretailor.extk1.mongodb.net/'+process.env.MONGO_ATLAS_DB+'?retryWrites=true&w=majority', { useNewUrlParser: true, useUnifiedTopology: true});
mongoose.set('useCreateIndex', true);
mongoose.Promise = global.Promise;
app.use(morgan("dev"));
app.use(bodyParser.urlencoded({ extended: false }));
app.use(bodyParser.json());
app.use((req, res, next) => {
// res.header("Access-Control-Allow-Origin", "http://localhost:3000");
res.header("Access-Control-Allow-Origin", "*");
res.header(
"Access-Control-Allow-Headers",
"Origin, X-Requested-With, Content-Type, Accept, Authorization"
);
if (req.method === "OPTIONS") {
res.header("Access-Control-Allow-Methods", "PUT, POST, PATCH, DELETE, GET");
return res.status(200).json({});
}
next();
});
// Routes which should handle requests
app.use('/api/male/products', maleproductRoutes);
app.use('/api/male/orders', maleorderRoutes);
app.use('/api/male/users', maleauthRoutes);
app.use('/api/female/products', femaleproductRoutes);
app.use('/api/female/orders', femaleorderRoutes);
app.use('/api/female/users', femaleauthRoutes);
app.use((req, res, next) => {
const error = new Error("Not found");
error.status = 404;
next(error);
});
app.use((error, req, res, next) => {
res.status(error.status || 500);
res.json({
error: {
message: error.message
}
});
});
module.exports = app;
这是端点的注册控制器。我在这里生成 JWT 并在正文中发送响应。但我没有提及有关提交数据的任何内容。我不知道为什么响应包含不必要的用户提交数据。
[const express = require("express");
const router = express.Router();
const mongoose = require("mongoose");
const bcrypt = require("bcrypt");
const jwt = require("jsonwebtoken");
const User = require("../../models/male/user");
router.post("/signup", (req, response, next) => {
console.log(req.body);
User.find({ email: req.body.email })
.exec()
.then(user => {
if (user.length >= 1) {
return response.status(409).json({
message: "Mail exists"
});
} else {
bcrypt.hash(req.body.password, 10, (err, hash) => {
if (err) {
return response.status(500).json({
error: err
});
} else {
const user = new User({
_id: new mongoose.Types.ObjectId(),
email: req.body.email,
password: hash
});
user
.save()
.then(result => {
const token = jwt.sign(
{
email: result.email,
userId: result._id
},
process.env.JWT_KEY,
{
expiresIn: "1h"
}
);
return response.status(201).json({
message: "Auth successful",
token: token
});
})
.catch(err => {
console.log(err);
response.status(500).json({
error: err
});
});
}
});
}
});
});
router.post("/login", (req, res, next) => {
User.find({ email: req.body.email })
.exec()
.then(user => {
if (user.length < 1) {
return res.status(401).json({
message: "Auth failed"
});
}
bcrypt.compare(req.body.password, user\[0\].password, (err, result) => {
if (err) {
return res.status(401).json({
message: "Auth failed"
});
}
if (result) {
const token = jwt.sign(
{
email: user\[0\].email,
userId: user\[0\]._id
},
process.env.JWT_KEY,
{
expiresIn: "1h"
}
);
return res.status(200).json({
message: "Auth successful",
token: token
});
}
res.status(401).json({
message: "Auth failed"
});
});
})
.catch(err => {
console.log(err);
res.status(500).json({
error: err
});
});
});
router.delete("/:userId", (req, res, next) => {
User.remove({ _id: req.params.userId })
.exec()
.then(result => {
res.status(200).json({
message: "User deleted"
});
})
.catch(err => {
console.log(err);
res.status(500).json({
error: err
});
});
});
// get all male users
router.get("/", (req, res, next) => {
User.find()
.exec()
.then(docs => {
console.log(docs);
// if (docs.length >= 0) {
res.status(200).json(docs);
// } else {
// res.status(404).json({
// message: 'No entries found'
// });
// }
})
.catch(err => {
console.log(err);
res.status(500).json({
error: err
});
});
});
module.exports = router;
当我在前端的 api 的 console.log 响应时,它显示 config.data 如下。这是不必要的。只有我需要的是数据对象,而不是 config.data。
data: "{"email":"ggd@gmail.com","password":"dasdfdsvcsdv","gender":"male"}"
解决方案
推荐阅读
- go - 如何在 fyne android 应用程序的深层链接中访问参数值?
- javascript - 尝试从 API 获取信息时出现 CORS 策略错误
- spring-boot - Zoom API 的 Spring Boot 身份验证令牌
- header - 表头和数据,都是粗体
- html - 我的元素在纵向平板电脑屏幕上消失了
- ubuntu-18.04 - 制作busybox时缺少头文件
- python - 在Python的Dataframe中转换没有分隔符的文本?
- django - 如何检查查询集中的查询集是否为空
- javascript - 具有异步方法的抽象基类,有时可以同步
- f# - F# 中的内联关键字问题