Node.js learning notes [VII]


Introduction to Session

Session is a very important and widely used way of doing user authentication and authorization.

Authentication: lets the server know who you are.

Authorization: lets the server know what you are and are not allowed to do.

Advantages of Session

  • Compared with JWT, the biggest advantage is that a session can be revoked at any time: the session lives on the server, so the server can simply delete it. A JWT is held by the client in the form of a token, and as long as it has not expired the client can keep presenting it to be authenticated and authorized.
  • The session is stored on the server side, which is relatively safe.
  • Combined with cookies it is flexible and has good compatibility.

Disadvantages of Session

  • cookie + session does not work well in cross-domain scenarios (cookies are scoped to the domain that set them).
  • In a distributed deployment, a mechanism for sharing sessions between machines is needed.
  • Because it relies on cookies it is exposed to CSRF (Cross-Site Request Forgery, an attack that abuses your cookie: the browser attaches it automatically, so a request forged by another site is sent with your session).
  • Looking up the session may involve a database query (to obtain the full session data the session_id has to be looked up in the database; the query costs time and compute, which causes some performance loss).

Session-related concepts

  • session: stored mainly on the server side, relatively safe
  • cookie: stored mainly on the client, not very safe
  • sessionStorage: valid only for the current browser session, cleared when the tab or browser is closed
  • localStorage: persists until it is explicitly removed

Introduction to JWT

What is JWT?

  • JSON Web Token is an open standard (RFC 7519)
  • It defines a compact, self-contained way of transferring information between parties as a JSON object
  • The information can be verified and trusted because it is digitally signed

The parts of a JWT

  • Header
  • Payload
  • Signature

A JWT consists of these three parts, separated by dots (.), in the form header.payload.signature.

Header

The Header is a JSON object with two fields:

  • typ: the type of the token, fixed to JWT
  • alg: the signing algorithm, for example HMAC SHA256 (HS256) or RSA (RS256)

Header before and after encoding

  • {"alg":"HS256","typ":"JWT"}
  • After encoding it is a Base64url string (Base64 with the URL-safe alphabet and no padding)

Payload

  • Carries the information to be transmitted, such as the user ID or user name
  • Also contains metadata (registered claims) such as the expiry time (exp), the issued-at time (iat) or the issuer (iss)
  • Unlike the Header it holds application data, but it is only Base64url-encoded, not encrypted: anyone who obtains the token can read it, so it must not contain passwords or other secrets

Payload before and after encoding

  • {"user_id":"xiaofengche"}
  • After encoding it is a Base64url string

Signature

  • Signs the Header and Payload parts
  • Guarantees that the token has not been tampered with or damaged in transit (it protects integrity, not confidentiality)

Signature algorithm

Signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

The raw HMAC output is then Base64url-encoded to form the third part of the token.

How JWT works

The client (browser) sends the user name and password to the server in a POST request. The server checks them and, on success, puts the user ID and other non-sensitive information into the Payload, Base64url-encodes it together with the Header, signs the two with its secret to obtain the Signature, and assembles the three parts into a JWT. The backend returns that string as the result of the login request, and the frontend stores it, for example in localStorage or sessionStorage (note that either is readable by any script running on the page, so an XSS bug on the site gives the attacker the token).

From then on every request from the frontend carries the JWT string in the HTTP Authorization header (in the form Authorization: Bearer <token>). The backend checks whether the header is present and, if so, verifies the token (for example whether the signature is correct and whether the token has expired).

Once verification passes, the backend runs its business logic with the user information contained in the JWT and returns the corresponding result.

 


 

JWT vs. Session

  • Scalability

JWT fits horizontal scaling without extra work. Token-based authentication is stateless, so there is no need to keep user information in a session store; the application can be scaled out easily, and a token can be used to access resources on different servers without worrying about which server the user actually logged in to.

  • Security

Both have attack surface: the cookie-based session is exposed to CSRF, while a JWT kept in web storage can be stolen through XSS and cannot be revoked before it expires.

  • RESTful API

A RESTful API is required to be stateless; a stateful authentication method like session obviously cannot satisfy that.

  • Performance

When the client sends a request, the JWT may carry a lot of user information, so every HTTP request incurs that overhead; with session only a small amount is sent, because a session_id is very small and a JWT can be several times its size.

session_id has a drawback too: retrieving the full information requires a lookup by session_id, which also costs performance. The JWT string already contains the full information, so no database query is needed and less is spent; JWT effectively trades space for time.

  • Timeliness

JWT is worse than session here. A JWT is only invalidated when its expiry time is reached and cannot be updated in real time, whereas a session can be destroyed on the server at any moment.

Using JWT in Node.js

  • Install jsonwebtoken

npm i jsonwebtoken

  • Signing

Start node in the terminal and require jsonwebtoken as jwt (const jwt = require('jsonwebtoken')).

Use the sign method to sign: its first parameter is the JSON object (the payload), the second is the secret key.

> token = jwt.sign({name:"xiaofengche"},'secret');
'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoieGlhb2ZlbmdjaGUiLCJpYXQiOjE2Mjg0MDYzMzF9.zOCf0dzBRvuBjOCcZZ5nuLbUGd4q05SQuFod48ScML4'

Once the token has been obtained it can be handed to the client; on every request the client puts it in a header and sends it back, and from the token the server can determine who the current user is and what they are allowed to do.

  • Verification

decode reads the payload and shows who the user claims to be:

> jwt.decode(token);
{ name: 'xiaofengche', iat: 1628406331 }

iat is the time at which the token was signed, in seconds since the Unix epoch.

decode does not check the signature, so to make sure the user information has not been tampered with, use verify; its second parameter is the same secret that was used to sign.

> jwt.verify(token,'secret');
{ name: 'xiaofengche', iat: 1628406331 }

verify only returns the payload when the signature is valid (and, if an exp claim is present, the token has not expired); otherwise it throws a JsonWebTokenError or TokenExpiredError. That is what proves the token is genuine.

Implementing user registration

  • Design the users Schema

The Schema needs to be redesigned to add a password field.

const mongoose = require('mongoose');
// mongoose provides the Schema class for generating document schemas
const { Schema, model } = mongoose;

const userSchema = new Schema({
  // hide the version key, which carries no useful information for clients
  __v: { type: Number, select: false },
  // required marks the attribute as mandatory; default would set a default value
  name: { type: String, required: true },
  // sensitive information such as the password must not be exposed; select: false
  // keeps it out of query results unless it is asked for explicitly
  password: { type: String, required: true, select: false },
});

// build the model; 'User' names the document collection
module.exports = model('User', userSchema);

Add the new field to the relevant operations.

// create user
async create(ctx) {
  // validate that name and password in the request body are strings and present
  ctx.verifyParams({
    // required defaults to true if omitted
    name: { type: 'string', required: true },
    password: { type: 'string', required: true },
  });
  const user = await new User(ctx.request.body).save();
  // select: false only applies to queries; the document returned by save() still
  // carries the password, so strip it before sending the response
  user.password = undefined;
  ctx.body = user;
}

// update user
async update(ctx) {
  ctx.verifyParams({
    name: { type: 'string', required: false },
    password: { type: 'string', required: false },
  });
  const user = await User.findByIdAndUpdate(ctx.params.id, ctx.request.body);
  if (!user) { ctx.throw(404, 'The user does not exist'); }
  ctx.body = user;
}

Because user attributes can now be modified partially, the request method of the update route has to change:

// put is a full replacement; patch lets users update only some properties
router.patch('/:id', update);

  • Ensure uniqueness (user name uniqueness)

Add logic that guarantees the user name is not duplicated. The snippet below shows the check in update; the same check belongs in create, where a duplicate name is most likely to arrive.

// update user
async update(ctx) {
  ctx.verifyParams({
    name: { type: 'string', required: false },
    password: { type: 'string', required: false },
  });
  // take the user name from the request body
  const { name } = ctx.request.body;
  // findOne returns the first user that matches
  const repeatedUser = await User.findOne({ name });
  // a duplicate user gets a 409 status code, which means conflict
  if (repeatedUser) {
    ctx.throw(409, 'The user name is already in use');
  }
  const user = await User.findByIdAndUpdate(ctx.params.id, ctx.request.body);
  if (!user) { ctx.throw(404, 'The user does not exist'); }
  ctx.body = user;
}


Logging in and getting a token

  • Login interface design

The login action is not one of the add/delete/update/query operations on a user, so, imitating GitHub, it can be exposed as POST plus a verb, for example POST /users/login.

  • Generate the token with jsonwebtoken

First configure the secret in config.js:

secret:'jwt-secret',

(A short, guessable secret like this is only for the exercise: anyone who obtains a single token can brute-force a weak HS256 secret offline and then mint tokens for any user. In practice use a long random value and load it from the environment rather than committing it to the repository.)

In users.js require jsonwebtoken and the secret, then implement the login interface:

const jsonwebtoken = require('jsonwebtoken');
const { secret } = require('../config');

// login
async login(ctx) {
  ctx.verifyParams({
    name: { type: 'string', required: true },
    password: { type: 'string', required: true },
  });
  // two outcomes: the user name does not exist or the password is wrong, so login fails;
  // or login succeeds. Both failures get the same message so user names cannot be enumerated.
  // find the first user matching name and password (this matches the plaintext password
  // stored by the registration code above, which is acceptable only for this exercise)
  const user = await User.findOne(ctx.request.body);
  if (!user) { ctx.throw(401, 'Username or password incorrect'); }
  // take the id and name
  const { _id, name } = user;
  // on success generate the token: the parameters are the non-sensitive user
  // information, the signing secret and the expiry time (1d = one day)
  const token = jsonwebtoken.sign({ _id, name }, secret, { expiresIn: '1d' });
  ctx.body = { token };
}

Finally, do not forget to register the interface in routes->users.js:

// delete is a keyword, so it is aliased
const { find, findById, create, update, delete: del, login } = require('../controllers/users');
router.post('/login', login);

Effect demonstration: (screenshot of the jwt login interface, not reproduced)


Writing your own Koa middleware for authentication and authorization

  • Authentication: verify the token and obtain the user information

Write the authentication middleware in routes->users.js.

Assume the client passes the token in the Authorization header in the form "Bearer" + space + token; then the token is easy to extract:

const jsonwebtoken = require('jsonwebtoken');
const { secret } = require('../config');

const auth = async (ctx, next) => {
  // default to an empty string when no Authorization header was sent
  const { authorization = '' } = ctx.request.header;
  // strip the 'Bearer ' prefix; what remains is the token
  const token = authorization.replace('Bearer ', '');
  // verify the token and unpack the user information
  try {
    const user = jsonwebtoken.verify(token, secret);
    ctx.state.user = user;
  } catch (err) {
    // every verification failure (bad signature, expired, malformed) becomes a 401,
    // i.e. not authenticated
    ctx.throw(401, err.message);
  }
  await next();
};

Finally, put the middleware in front of the interfaces that need authentication:

router.patch('/:id', auth, update);
router.delete('/:id', auth, del);

  • Authorization: use middleware to protect the interface

Write the authorization middleware in the users.js controller (it could equally live in routes->users.js like the one above):

async checkOwner(ctx, next) {
  // is the id of the user being modified or deleted the id of the user who is logged in?
  // the verified user was stored in ctx.state.user by the auth middleware
  if (ctx.params.id !== ctx.state.user._id) {
    // the caller is authenticated but is not the owner of the target: 403, not 401
    ctx.throw(403, 'No authority');
  }
  await next();
}

Finally, add the middleware to the interfaces that need authorization, after auth so that ctx.state.user is already populated:

const { find, findById, create, update, delete: del, login, checkOwner } = require('../controllers/users');

router.patch('/:id', auth, checkOwner, update);
router.delete('/:id', auth, checkOwner, del);
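The following added example (my own code, not from the original notes) runs the auth and checkOwner chain above without Koa, koa-router or Mongo, to show the three outcomes a practitioner should test for: 401 when the token is missing or invalid, 403 when the token is valid but belongs to a different user, and success otherwise. It also parses the Authorization header strictly instead of using replace('Bearer ', ''). extractBearerToken, makeCtx, makeAuth, run, fakeVerify and issuedTokens are this example's own inventions; fakeVerify stands in for jsonwebtoken.verify and performs no real signature check.

```javascript
// Added example, not code from the original notes: the auth and checkOwner middlewares
// of this section as plain functions that run without Koa, koa-router or Mongo.
// The token verifier is injected; `fakeVerify` and `issuedTokens` are a constructed
// stand-in for jsonwebtoken.verify(token, secret), not a real JWT check, and makeCtx
// fakes only the parts of a Koa context that the middlewares touch.

// RFC 6750: "Bearer" (case-insensitive), one or more spaces, then the token.
// authorization.replace('Bearer ', '') would pass "Basic abc" or a bare "abc" through
// unchanged and leave it to the verifier; parse strictly instead.
function extractBearerToken(authorization) {
  const m = /^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/i.exec(authorization || '');
  return m ? m[1] : null;
}

// Mirrors what ctx.throw(status, message) produces in Koa.
class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// Minimal Koa-like context: ctx.request.header, ctx.params, ctx.state and ctx.throw.
function makeCtx({ authorization, id }) {
  const header = authorization === undefined ? {} : { authorization };
  return {
    request: { header },
    params: { id },
    state: {},
    throw(status, message) { throw new HttpError(status, message); },
  };
}

// Constructed token table standing in for real signed tokens.
const issuedTokens = { 'tok-alice': { _id: 'id-alice', name: 'alice' } };
function fakeVerify(token) {
  if (!Object.prototype.hasOwnProperty.call(issuedTokens, token)) throw new Error('invalid signature');
  return issuedTokens[token];
}

// Authentication: establish who is calling. Any problem with the token is a 401.
function makeAuth(verify) {
  return (ctx, next) => {
    const token = extractBearerToken(ctx.request.header.authorization);
    if (token === null) ctx.throw(401, 'missing or malformed Authorization header');
    try {
      ctx.state.user = verify(token);
    } catch (err) {
      ctx.throw(401, err.message);
    }
    return next();
  };
}

// Authorization: may this caller modify /:id? Compare against the verified identity in
// ctx.state.user, never against anything else the client sent. Wrong owner is a 403.
function checkOwner(ctx, next) {
  if (ctx.params.id !== ctx.state.user._id) ctx.throw(403, 'No authority');
  return next();
}

// Runs a middleware chain the way koa-compose does, collapsing the outcome into
// { status, user } or { status, message } so it can be inspected.
function run(ctx, ...middlewares) {
  let i = 0;
  const next = () => (i < middlewares.length ? middlewares[i++](ctx, next) : undefined);
  try {
    next();
    return { status: 200, user: ctx.state.user };
  } catch (err) {
    return { status: err instanceof HttpError ? err.status : 500, message: err.message };
  }
}

const auth = makeAuth(fakeVerify);
```

Koa accepts middleware that returns next() directly or as a promise, so the same auth and checkOwner can be mounted with router.patch('/:id', auth, checkOwner, update) once fakeVerify is replaced by (token) => jsonwebtoken.verify(token, secret).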

Using the koa-jwt middleware for authentication and authorization

  • Install koa-jwt: npm i koa-jwt --save

This is a third-party middleware and quite capable. With it there is no need to write the authentication middleware yourself.

  • Use the middleware to protect the interface

Require the middleware; a single line replaces the hand-written authentication middleware:

const jwt = require('koa-jwt');
const auth = jwt({ secret });

  • Use the middleware to obtain the user information

koa-jwt also stores the verified payload in ctx.state.user, so the custom authorization middleware (checkOwner) keeps working unchanged.

 

Copyright notice
This article was written by [The little windmill squeaked and turned]; please include the original link when reposting, thank you
https://qdmana.com/2021/08/20210808190428191g.html
