Meteor 中服务器端路由的身份验证

为服务器端路由验证用户的最佳方式(最安全和最简单)是什么?

What is the best way (most secure and easiest) to authenticate a user for a server side route?

我使用的是最新的 Iron Router 1.* 和 Meteor 1.*,一开始,我只使用了帐户密码.

I'm using the latest Iron Router 1.* and Meteor 1.* and to begin, I'm just using accounts-password.

我有一个简单的服务器端路由,可以将 pdf 渲染到屏幕上:

I have a simple server side route that renders a pdf to the screen:

both/routes.js

both/routes.js

Router.route('/pdf-server', function() {
  var filePath = process.env.PWD + "/server/.files/users/test.pdf";
  console.log(filePath);
  var fs = Npm.require('fs');
  var data = fs.readFileSync(filePath);
  this.response.write(data);
  this.response.end();
}, {where: 'server'});

举个例子,我想做一些接近于 建议使用此 SO 答案:

As an example, I'd like to do something close to what this SO answer suggested:

在服务器上:

var Secrets = new Meteor.Collection("secrets"); 

Meteor.methods({
  getSecretKey: function () {
    if (!this.userId)
      // check if the user has privileges
      throw Meteor.Error(403);
    return Secrets.insert({_id: Random.id(), user: this.userId});
  },
});

然后在客户端代码中:

testController.events({
  'click button[name=get-pdf]': function () {
      Meteor.call("getSecretKey", function (error, response) {
        if (error) throw error;

        if (response) 
          Router.go('/pdf-server');
      });
  }
});

但即使我以某种方式使这种方法起作用,除非路由本身以某种方式检查了 Secrets 集合,否则我仍然容易受到用户仅输入/pdf-server"之类的 URL 的影响,对吗?

But even if I somehow got this method working, I'd still be vulnerable to users just putting in a URL like '/pdf-server' unless the route itself somehow checked the Secrets collection right?

在Route中,我可以获取请求,并以某种方式获取头信息?

In the Route, I could get the request, and somehow get the header information?

Router.route('/pdf-server', function() {
  var req = this.request;
  var res = this.response;
}, {where: 'server'});

然后从客户端通过 HTTP 标头传递令牌,然后在路由中检查令牌是否来自集合?

And from the client pass a token over the HTTP header, and then in the route check if the token is good from the Collection?



 1 条回答