让我解释一下我的情况。我目前没有任何数据库。但我编写了一个简单的 server.js 文件,并向它发送了我的请求(我使用
node server.js
运行 server.js)。我想为我的项目实现用户登录功能。这是我的 server.js 源代码:
// Sample tokens for simplicity (use a library for real token generation)
const secretKey = 'yourSecretKey'; // Replace with a secure secret key
const accessTokenExpiration = '1h'; // Access token expiration time (e.g., 1 hour)
const refreshTokenExpiration = '7d'; // Refresh token expiration time (e.g., 7 days)
// Sample user data for authentication =================================================
const users = [
{ id: 1, username: '[email protected]', password: '123456' },
// Add more users as needed
];
// Sample tokens for simplicity (use a library for real token generation)
const accessToken = 'sampleAccessToken';
const refreshToken = 'sampleRefreshToken';
// Endpoint for user authentication
app.post('/auth/token', (req, res) => {
const { grant_type, client_id, client_secret, username, password, refresh_token } = req.body;
// Validate client_id and client_secret if needed
// Check if grant_type is 'password' for user login
if (grant_type === 'password') {
// Find the user based on the provided username and password
const user = users.find(u => u.username === username && u.password === password);
if (user) {
// Generate access token
const accessToken = jwt.sign({ userId: user.id, username: user.username }, secretKey, { expiresIn: accessTokenExpiration });
// Generate refresh token
const refreshToken = jwt.sign({ userId: user.id, username: user.username }, secretKey, { expiresIn: refreshTokenExpiration });
// Return tokens if user is found
res.json({
token_type: 'Bearer',
expires_in: accessTokenExpiration,
access_token: accessToken,
refresh_token: refreshToken,
});
} else {
// Return an error if user is not found
res.status(404).json({ error: 'Invalid credentials' });
}
} else if (grant_type === 'refresh_token') {
// Check if the provided refresh token is valid (use your logic for validation)
// For simplicity, let's assume all refresh tokens are valid
// Generate new access token
const newAccessToken = jwt.sign({ /* Include relevant user information */ }, secretKey, { expiresIn: accessTokenExpiration });
// Generate new refresh token
const newRefreshToken = jwt.sign({ /* Include relevant user information */ }, secretKey, { expiresIn: refreshTokenExpiration });
// Return new tokens
res.json({
token_type: 'Bearer',
expires_in: accessTokenExpiration,
access_token: newAccessToken,
refresh_token: newRefreshToken,
});
} else {
// Return an error for unsupported grant_type
res.status(400).json({ error: 'Unsupported grant_type' });
}
});
// Sample user data for registration
const registeredUsers = [];
// Endpoint for user registration
app.post('/user/register', (req, res) => {
const { email, password } = req.body;
// Check if the email is already registered
const existingUser = registeredUsers.find(u => u.email === email);
if (existingUser) {
return res.status(400).json({ error: 'Email already registered' });
}
// Register the new user
const newUser = { id: registeredUsers.length + 1, email, password };
registeredUsers.push(newUser);
// You might want to generate an access token for the registered user here
// Return a success message
res.json({ message: 'User registered successfully', user: newUser });
});
// Start the server
app.listen(PORT, () => {
console.log(`Server is running on http://localhost:${PORT}`);
});
如你所见,我没有密钥。我还在应用程序中定义了一个 client_secret,但我不知道到底从哪里获取它:)...无论如何...这不是很重要。
使用此 server.js 我可以登录用户并接收 access_token 和 refresh_token。但我不知道如何验证它并更新刷新令牌和访问令牌。我希望当以前的访问令牌过期时,用户将收到新的刷新令牌和使用以前的刷新令牌的新访问令牌。我阅读了一些有关 JWT 和验证方法的文档。但我无法实现正确的逻辑来执行此操作。 我的主要问题是这部分代码:
else if (grant_type === 'refresh_token') {
// Check if the provided refresh token is valid (use your logic for validation)
// For simplicity, let's assume all refresh tokens are valid
// Generate new access token
const newAccessToken = jwt.sign({ /* Include relevant user information */ }, secretKey, { expiresIn: accessTokenExpiration });
// Generate new refresh token
const newRefreshToken = jwt.sign({ /* Include relevant user information */ }, secretKey, { expiresIn: refreshTokenExpiration });
// Return new tokens
res.json({
token_type: 'Bearer',
expires_in: accessTokenExpiration,
access_token: newAccessToken,
refresh_token: newRefreshToken,
});
} else {
// Return an error for unsupported grant_type
res.status(400).json({ error: 'Unsupported grant_type' });
}
});
我不知道验证的正确逻辑,也
Include relevant user information
。请帮助我:)!!!...如果您知道有关此过程的任何其他信息,请告诉我。谢谢!
我还使用邮递员来测试我的请求和响应。我发送此 HTTP POST 请求:
[{"key":"grant_type","value":"refresh_token","type":"text","equals":true},{"key":"refresh_token","value":"上一个refresh_token这是从登录响应中接收的。","type":"text","equals":true},{"key":"client_id","value":"2","type":"text", "equals":true},{"key":"client_secret","value":"[ 哈希码 ]","type":"text","equals":true}].
我得到了这个状态代码(400):
{
"error": "Unsupported grant_type"
}
您应该使用 body-parser 和 express 模块的中间件功能来解析来自 HTTP 请求的 JSON 数据:
npm 我表达 npm 我的身体解析器
或
npm 安装快速 npm 安装 body-parser
之后,将两个中间件函数添加到代码顶部,就像下面的示例代码一样:
const express = require("express");
const app = express();
const bodyParser = require("body-parser");
const jwt = require("jsonwebtoken");
const secret = "yourSecretKey";
app.use(express.json());
app.use(bodyParser.urlencoded({ extended: true });
app.post("/generate-token", (req, res) => {
const userId = req.body.user_id;
jwt.sign({ user_id: userId }, secret, { expiresIn: "1h" }, (err, token) => {
if (!err && token) {
res.status(200).json({ token: token });
}
});
});
app.post("/verify-token", (req, res) => {
const token = req.body.token;
jwt.verify(token, secret, (err, user) => {
if (!err && user) {
res.status(200).json({ token: token, user: user });
}
});
});
const PORT = 3000;
app.listen(PORT, "127.0.0.1", () => {
console.log(`Server running on ${PORT}`);
});