Passport authentication. Can I trust that req.user is really the logged-in user?

Time: 2023-01-19 23:59:56

I'm using passport to authenticate users at my site. Users can register orders, which have a foreignKey (ObjectId) to the User object.

Example objects (written as mongoose schemas):

var mongoose = require('mongoose');

// Order: belongs to one User through _userID (the foreign key the question is about)
var orderSchema = new mongoose.Schema({
    // ... other order fields
    address: String,
    _userID: {type: mongoose.Schema.Types.ObjectId, required: true, ref: 'User'}
});

// User: mongoose adds the _id primary key automatically
var userSchema = new mongoose.Schema({
    email: String,
});

Mongoose will create the primary key for each object.

My question is; is it enough to check if req.user._id === order._userID? Or can the req.user object be tampered with? Can I trust that req.user._id is the id of the logged in user?

I've found a couple of good resources, but it's not exactly what I'm asking about.

1 solution

#1


3  

So the question:

can the req.user object be tampered with?

Is difficult to answer, since you could have code within your application that will have access to your request object, and within it, modify the user. It's important to understand what code you have running within the flow of each request for anyone really, but especially those concerned about the security of their application. With that said, I can at least point you to where in the code this is established, and you can trace it with a debugger to assure yourself of the flow.

As you've mentioned, the passport documentation discusses authentication configuration options in their guide, and by default will process "logging in" the user when your strategy dictates successful authentication. You can provide a custom callback (mentioned in the referenced documentation above) to process this as well. In the end, it's important that req.logIn is called (which is done by default without any custom callbacks provided). Here's a link to the source. (Passport extends the request object via this code to provide helper functions which it later uses.)

The specific line you may be interested in is here, which assigns to the req object the property user with a value of the authenticated user:

this[property] = user;

From there on, you have access to the logged in user under req.user, and their ID under req.user.id. Again note that this logIn function should only be called when the passport strategy states that successful authentication has occurred. But in this way, passport has provided you with a way of easily authenticating the user, and then getting access to this user via the request object.
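An added example, not part of the question or the answer above, that turns the check in the question into working code. It runs without express, passport or mongoose installed: FakeObjectId, the in-memory users and orders, sessionUserMiddleware, requireAuth, findOrderForUser, runRequest and the req/res stand-ins are all constructed for illustration. It shows two things the answer does not spell out. First, the naive `req.user._id === order._userID` compares two object references, so it is false even for the rightful owner (mongoose ObjectId has an `equals()` method for this, or compare the string forms). Second, the owner can be put into the lookup itself (the mongoose equivalent is `Order.findOne({ _id: orderId, _userID: req.user._id })`), so ownership is enforced by the query rather than by a comparison after loading. Throughout, req.user is populated only from the user id held in the server-side session, which is why a client cannot choose who req.user is by sending a user field in the request.

```javascript
// Added example: ownership check for orders behind passport-style session auth.
// Plain Express-style (req, res, next) functions so it runs with no packages.
// FakeObjectId, the users/orders tables and the req/res stand-ins are constructed.

// Stand-in for a mongoose ObjectId: separate instances carrying the same hex.
// Like the real one it has toString() and equals(); === between two instances
// is a reference comparison and is false even when the hex matches.
class FakeObjectId {
  constructor(hex) { this.hex = hex; }
  toString() { return this.hex; }
  equals(other) { return other != null && this.hex === String(other); }
}

const ALICE = '5f1a0000000000000000aaaa';
const BOB   = '5f1a0000000000000000bbbb';

// Constructed sample data: what User.findById / Order.find would return.
const users = {
  [ALICE]: { _id: new FakeObjectId(ALICE), email: 'alice@example.com' },
  [BOB]:   { _id: new FakeObjectId(BOB),   email: 'bob@example.com' },
};
const orders = [
  { _id: new FakeObjectId('5f1a00000000000000000001'), address: '1 Main St', _userID: new FakeObjectId(ALICE) },
  { _id: new FakeObjectId('5f1a00000000000000000002'), address: '2 High St', _userID: new FakeObjectId(BOB) },
];

// Equivalent of passport's session handling: req.user comes only from the user
// id stored in the server-side session (what deserializeUser receives), never
// from req.body or req.query, so a client cannot choose who req.user is.
function sessionUserMiddleware(req, res, next) {
  const id = req.session && req.session.passport && req.session.passport.user;
  req.user = id ? users[id] : undefined;
  next();
}

function requireAuth(req, res, next) {
  if (!req.user) return res.status(401).end();
  next();
}

// The check as written in the question. Two ObjectId instances are never ===,
// so this denies the real owner too: it fails closed, but the feature is broken.
function naiveOwnerCheck(order, user) {
  return user._id === order._userID;
}

// Correct form: compare canonical strings (with real ObjectIds: order._userID.equals(user._id)).
function ownerCheck(order, user) {
  return String(order._userID) === String(user._id);
}

// Better still: put the owner into the lookup itself, the stand-in for
// Order.findOne({ _id: orderId, _userID: req.user._id }). A miss is a plain 404,
// which does not confirm that someone else's order with that id exists.
function findOrderForUser(orderId, user) {
  return orders.find(o => String(o._id) === String(orderId) && ownerCheck(o, user)) || null;
}

function getOrderHandler(req, res) {
  const order = findOrderForUser(req.params.id, req.user);
  if (!order) return res.status(404).end();
  return res.status(200).json({ address: order.address });
}

// Minimal res object and a request runner so the chain executes without express.
function makeRes() {
  const res = { statusCode: null, body: null };
  res.status = code => { res.statusCode = code; return res; };
  res.end = () => res;
  res.json = body => { res.body = body; return res; };
  return res;
}

// sessionUserId: the id in the session's server-side record, or undefined when
// not logged in. body is whatever the client posted; note that nothing reads it.
function runRequest(sessionUserId, orderId, body) {
  const req = { session: { passport: { user: sessionUserId } }, params: { id: orderId }, body: body || {} };
  const res = makeRes();
  const chain = [sessionUserMiddleware, requireAuth, getOrderHandler];
  let i = 0;
  const next = () => { const fn = chain[i++]; if (fn) fn(req, res, next); };
  next();
  return res;
}

// Demo: owner 200, other logged-in user 404, anonymous 401 (prints "200 404 401").
console.log(runRequest(ALICE, '5f1a00000000000000000001').statusCode,
            runRequest(BOB, '5f1a00000000000000000001').statusCode,
            runRequest(undefined, '5f1a00000000000000000001').statusCode);
```

With passport's session support, req.user is whatever deserializeUser returns for the id stored in the session, so the remaining risk is code of your own that writes to req.user after that point, for example middleware that merges req.body into it. That is the request pipeline review the answer recommends; the comparison and the scoped query above are what to check once you have confirmed nothing in the pipeline touches req.user.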
