My API, designed to generate a JWT on Node.js, returns config.data (which contains the user-submitted data, including the password). How do I stop it?

Problem description

This is app.js. The API endpoint here is http://localhost:3001/api/male/users/signup. I'm using Mongoose and Express to build the backend.

const express = require("express");
const app = express();
const morgan = require("morgan");
const bodyParser = require("body-parser");
const mongoose = require("mongoose");

const maleproductRoutes = require('./api/routes/male/products');
const maleorderRoutes = require('./api/routes/male/orders');
const maleauthRoutes = require('./api/routes/male/users');

const femaleproductRoutes = require('./api/routes/female/products');
const femaleorderRoutes = require('./api/routes/female/orders');
const femaleauthRoutes = require('./api/routes/female/users');

mongoose.connect('mongodb+srv://'+process.env.MONGO_ATLAS_USER+':'+process.env.MONGO_ATLAS_PW+'@clusteretailor.extk1.mongodb.net/'+process.env.MONGO_ATLAS_DB+'?retryWrites=true&w=majority', { useNewUrlParser: true, useUnifiedTopology: true});
mongoose.set('useCreateIndex', true);
mongoose.Promise = global.Promise;

app.use(morgan("dev"));
app.use(bodyParser.urlencoded({ extended: false }));
app.use(bodyParser.json());

app.use((req, res, next) => {
  // res.header("Access-Control-Allow-Origin", "http://localhost:3000");
  res.header("Access-Control-Allow-Origin", "*");
  res.header(
    "Access-Control-Allow-Headers",
    "Origin, X-Requested-With, Content-Type, Accept, Authorization"
  );
  if (req.method === "OPTIONS") {
    res.header("Access-Control-Allow-Methods", "PUT, POST, PATCH, DELETE, GET");
    return res.status(200).json({});
  }
  next();
});

// Routes which should handle requests
app.use('/api/male/products', maleproductRoutes);
app.use('/api/male/orders', maleorderRoutes);
app.use('/api/male/users', maleauthRoutes);

app.use('/api/female/products', femaleproductRoutes);
app.use('/api/female/orders', femaleorderRoutes);
app.use('/api/female/users', femaleauthRoutes);

app.use((req, res, next) => {
  const error = new Error("Not found");
  error.status = 404;
  next(error);
});

app.use((error, req, res, next) => {
  res.status(error.status || 500);
  res.json({
    error: {
      message: error.message
    }
  });
});

module.exports = app;

This is the signup controller for that endpoint. I generate the JWT here and send the response in the body. I don't mention anything about the submitted data here, so I don't know why the response contains the unnecessary user-submitted data.

const express = require("express");
const router = express.Router();
const mongoose = require("mongoose");
const bcrypt = require("bcrypt");
const jwt = require("jsonwebtoken");

const User = require("../../models/male/user");
router.post("/signup", (req, response, next) => {
  console.log(req.body);
  User.find({ email: req.body.email })
    .exec()
    .then(user => {
      if (user.length >= 1) {
        return response.status(409).json({
          message: "Mail exists"
        });
      } else {
        bcrypt.hash(req.body.password, 10, (err, hash) => {
          if (err) {
            return response.status(500).json({
              error: err
            });
          } else {
            const user = new User({
              _id: new mongoose.Types.ObjectId(),
              email: req.body.email,
              password: hash
            });
            user
              .save()
              .then(result => {

                const token = jwt.sign(
                  {
                    email: result.email,
                    userId: result._id
                  },
                  process.env.JWT_KEY,
                  {
                    expiresIn: "1h"
                  }
                );
                return response.status(201).json({
                  message: "Auth successful",
                  token: token
                });
              })
              .catch(err => {
                console.log(err);
                response.status(500).json({
                  error: err
                });
              });
          }
        });
      }
    })
    // handle a failed lookup so a rejected promise is not left unhandled
    .catch(err => {
      console.log(err);
      response.status(500).json({
        error: err
      });
    });
});

router.post("/login", (req, res, next) => {
  User.find({ email: req.body.email })
    .exec()
    .then(user => {
      if (user.length < 1) {
        return res.status(401).json({
          message: "Auth failed"
        });
      }
      bcrypt.compare(req.body.password, user[0].password, (err, result) => {
        if (err) {
          return res.status(401).json({
            message: "Auth failed"
          });
        }
        if (result) {
          const token = jwt.sign(
            {
              email: user[0].email,
              userId: user[0]._id
            },
            process.env.JWT_KEY,
            {
              expiresIn: "1h"
            }
          );
          return res.status(200).json({
            message: "Auth successful",
            token: token
          });
        }
        res.status(401).json({
          message: "Auth failed"
        });
      });
    })
    .catch(err => {
      console.log(err);
      res.status(500).json({
        error: err
      });
    });
});

router.delete("/:userId", (req, res, next) => {
  User.remove({ _id: req.params.userId })
    .exec()
    .then(result => {
      res.status(200).json({
        message: "User deleted"
      });
    })
    .catch(err => {
      console.log(err);
      res.status(500).json({
        error: err
      });
    });
});

// get all male users
router.get("/", (req, res, next) => {
  User.find()
    .exec()
    .then(docs => {
      console.log(docs);
      //   if (docs.length >= 0) {
      res.status(200).json(docs);
      //   } else {
      //       res.status(404).json({
      //           message: 'No entries found'
      //       });
      //   }
    })
    .catch(err => {
      console.log(err);
      res.status(500).json({
        error: err
      });
    });
});

module.exports = router;

When I console.log the API response on the frontend, it shows config.data as below. This is unnecessary. All I need is the data object, not config.data.

data: "{"email":"ggd@gmail.com","password":"dasdfdsvcsdv","gender":"male"}"

Tags: node.js, reactjs, api, express, jwt
