Code Monkey home page Code Monkey logo

userauth's Issues

[feat] fetch get json request return 403 not 302

Describe the feature

When we use fetch to get json data from server,userauth return 302 with redirect url。Fetch will throw TypeError: failed to fetch caused by cors error. It's better to throw 403 with login expired message to make frontend do the re-login easily.

needLogin判断逻辑纠正 

return function* userauth(next) {
    var loginRequired = !!needLogin(this.path, this);
    debug('url: %s, path: %s, loginPath: %s, session exists: %s, login required: %s',
      this.url, this.path, options.loginPath, !!this.session, loginRequired);

    if (!this.session) {
      debug('this.session not exists');
      // ignore not match path
      if (!loginRequired) {
        debug('not match needLogin path, %j', this.path);
        return yield* next;
      }
      debug('relogin again');
      return yield* loginHandler.call(this, next);
    }

if (!this.session) 这个判断逻辑能否改成

if (!loginRequired) {
      debug('not match needLogin path, %j', this.path);
      return yield* next;
    } else if (loginRequired && !this.session) {
      debug('this.session not exists');
      debug('relogin again');
      return yield* loginHandler.call(this, next);
    }

因为needLogin这个判断逻辑本身就是让业务方自己去判断是否要走登录校验,如果这里加了只允许已经登录过的逻辑才能走进来,就不太合理了。

回跳URL中不允许包含/login 

function formatReferer(ctx, pathname, rootPath) {
  var query = ctx.query;
  var referer = query.redirect || ctx.get('referer') || rootPath;
  if (referer[0] !== '/') {
    // ignore protocol://xxx/abc
    referer = rootPath;
  } else if (referer.indexOf(pathname) >= 0) {
    referer = rootPath;
  }
  return referer;
}

其中referer.indexOf(pathname) >= 0是否应该改为referer.startsWith(pathname)更加合适?
因回跳的url中可能会包含/login字符串,这种情况会引起误判。

有循环重定向的可能 

if (!this.session) {
      debug('this.session not exists');
      // ignore not match path
      if (!loginRequired) {
        debug('not match needLogin path, %j', this.path);
        return yield next;
      }
      debug('relogin again');
      return yield loginHandler.call(this, next);
    }

    // get login path
    if (this.path === options.loginPath) {
      debug('match login path');
      return yield loginHandler.call(this, next);
    }

场景:

loginPath=/login
loginHost=demo.xxx.com
浏览器中输入demo.xxx.com/login (带有部分cookie),这是就能跳过第一个判断if (!this.session)
而 if (this.path === options.loginPath) 符合条件!
最终就会执行到loginHandler 的 redirect(this, loginURL);
@fengmk2

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.