我正在尝试访问 Express 服务器上的端点,该端点具有仅 http 的 cookie,作为获取访问权限的身份验证舞蹈的一部分。
这里我们设置http only cookie:
res.cookie('jwt', refreshToken, { httpOnly: true, sameSite: 'none', secure: true, maxAge: 3 * 24 * 60 * 60 * 1000 });
return res.send({ accessToken, role: userModel.role, profileId: userModel.profile });
这是我正在尝试集成测试的端点:
router.delete('/auth/delete/:id', basicAuth, checkAccountId, mentors.deleteMentorProfile);
里面
basicAuthexport const basicAuth = passport.authenticate('jwt', { session: false, failWithError: true });我认为需要的是 httponly cookie 随请求一起发送到此端点。该行显示
passport.authenticate('jwt', ...)这是我的集成测试的代码:
const logInResponse = await api.post('/api/users/authenticate').send(userAcctCreationDetails);
const jwtForTest = logInResponse.body.accessToken;
const allMentors = await Mentor.find({});
const testAccountMentorId = allMentors.find((mentor) => mentor.email === userToDelete.email)?._id.toString();
// act
const cookies = logInResponse.headers['set-cookie'][0];
// console.log(cookies);
const deletedProfileResponse = await api
.delete('/api/mentor/auth/delete/' + testAccountMentorId)
.set('Authorization', 'Bearer ' + jwtForTest)
.set('jwt', cookies); // this fails!
行
console.log(cookies) jwt=eyJhbGciOi...-2n21vxTNPOlS94-YeFhSN7o; Max-Age=259200; Path=/; Expires=Thu, 15 Dec 2022 01:26:24 GMT; HttpOnly; Secure; SameSite=None我的同事告诉我“httponly 意味着客户端无法访问它”,但我至少可以将其发回吗?如果不通过 javascript,浏览器如何将其发回?