FeathersJS身份验证停用用户

Question

我正在使用FeathersJS，并且对它提供的身份验证很满意。在这种情况下，它是本地JWT。客户端请求具有禁用某些功能的用户管理。在用户模型中有字段isDisabled，但很难确定应该在哪里执行检查以及如何设置它。

"@feathersjs/feathers": "^3.0.2", "@feathersjs/authentication": "^2.1.0", "@feathersjs/authentication-jwt": "^1.0.1", "@feathersjs/authentication-local": "^1.0.2",

Answer 1

这取决于您想要检查的位置。您可以在users服务上为get方法创建customize the JWT verifier或hook：

app.service('users').hooks({
  after: {
    get(context) {
      const user = context.result;

      if(user.isDisabled) {
        throw new Error('This user has been disabled');
      }
    }
  }
});

Answer 2

我直接在我的身份验证钩子中做到了这一点：

const { authenticate } = require('@feathersjs/authentication').hooks
const { NotAuthenticated } = require('@feathersjs/errors')

const verifyIdentity = authenticate('jwt')

function hasToken(hook) {
  if (hook.params.headers == undefined) return false
  if (hook.data.accessToken == undefined) return false
  return hook.params.headers.authorization || hook.data.accessToken
}

module.exports = async function authenticate(context) {
  try {
    await verifyIdentity(context)
  } catch (error) {
    if (error instanceof NotAuthenticated && !hasToken(context)) {
      return context
    }
  }
  if (context.params.user && context.params.user.disabled) {
    throw new Error('This user has been disabled')
  }
  return context
}

您可以看到，我确实检查了刚刚加载的用户记录，并抛出了一个错误，以防万一。当这个钩子在before:all中被调用时，用户在执行任何操作之前就被拒绝了。

Answer 3

至于羽毛4，你可以很容易地扩展你的身份验证策略。例如，如果我们希望用户只能登录并验证他们的JWT，我们可以在authentication.ts (Typescript)中执行以下操作：

import { Id, Query, ServiceAddons } from '@feathersjs/feathers';
import { AuthenticationService, JWTStrategy } from '@feathersjs/authentication';
import { LocalStrategy } from '@feathersjs/authentication-local';
import { expressOauth } from '@feathersjs/authentication-oauth';

import { Application } from './declarations';

declare module './declarations' {
  interface ServiceTypes {
    'authentication': AuthenticationService & ServiceAddons<any>;
  }
}

通过更改getEntityQuery将本地策略扩展到仅包含活动用户。

class CustomLocalStrategy extends LocalStrategy {
  async getEntityQuery(query: Query) {
    return {
      ...query,
      active: true,
      $limit: 1
    };
  }
}

通过更改getEntity()来扩展JWT策略，以便在用户不活动时返回null

class CustomJWTStrategy extends JWTStrategy {
  async getEntity(id: Id) {
    const entity = await this.entityService.get(id);

    if (!entity.active) {
      return null;
    }

    return entity;
  }
}

export default function(app: Application): void {
  const authentication = new AuthenticationService(app);

  authentication.register('jwt', new CustomJWTStrategy());
  authentication.register('local', new CustomLocalStrategy());

  app.use('/authentication', authentication);
  app.configure(expressOauth());
}