Token(令牌)是一种用于在客户端和服务器之间安全传输信息的加密字符串。在Web开发中,Token常用于身份验证和授权,确保用户能够安全地访问受保护的资源。
作用与意义
- 身份验证:Token可以用来验证用户的身份,确保用户已经通过认证流程。
- 授权:通过Token,服务器可以识别用户的权限,从而允许或拒绝访问特定的资源。
- 状态管理:在无状态(stateless)的API设计中,Token可以携带用户的状态信息,而不需要在服务器端存储会话数据。
- 安全性:Token通常包含加密信息,可以有效防止CSRF(跨站请求伪造)和XSS(跨站脚本攻击)等安全威胁
在Node.js中生成与验证Token
在Node.js中,常用的库是jsonwebtoken(JWT),它提供了一种简单的方式来生成和验证JSON Web Tokens。
安装依赖
首先,你需要安装jsonwebtoken库:
npm install jsonwebtoken
生成Token
下面是一个生成Token的示例:
token keyword">const jwt token operator">= token function">requiretoken punctuation">(token string">'jsonwebtoken'token punctuation">)token punctuation">;
token comment">// 秘钥(请确保在实际应用中妥善保管)
token keyword">const secretKey token operator">= token string">'your_secret_key'token punctuation">;
token comment">// 用户数据(可以包含用户ID、用户名等信息)
token keyword">const userData token operator">= token punctuation">{token literal-property property">idtoken operator">: token number">1token punctuation">,token literal-property property">usernametoken operator">: token string">'exampleUser'
token punctuation">}token punctuation">;
token comment">// 生成Token
token keyword">const token token operator">= jwttoken punctuation">.token function">signtoken punctuation">(userDatatoken punctuation">, secretKeytoken punctuation">, token punctuation">{ token literal-property property">expiresIntoken operator">: token string">'1h' token punctuation">}token punctuation">)token punctuation">; token comment">// 1小时后过期
consoletoken punctuation">.token function">logtoken punctuation">(token string">'Generated Token:'token punctuation">, tokentoken punctuation">)token punctuation">;
验证Token
下面是一个验证Token的示例:
token keyword">const jwt token operator">= token function">requiretoken punctuation">(token string">'jsonwebtoken'token punctuation">)token punctuation">;
token comment">// 秘钥(与生成Token时使用的秘钥相同)
token keyword">const secretKey token operator">= token string">'your_secret_key'token punctuation">;
token comment">// 假设这是从客户端接收到的Token
token keyword">const receivedToken token operator">= token string">'your_received_token_here'token punctuation">;
jwttoken punctuation">.token function">verifytoken punctuation">(receivedTokentoken punctuation">, secretKeytoken punctuation">, token punctuation">(token parameter">errtoken punctuation">, decodedtoken punctuation">) token operator">=> token punctuation">{token keyword">if token punctuation">(errtoken punctuation">) token punctuation">{token comment">// Token无效或已过期consoletoken punctuation">.token function">errortoken punctuation">(token string">'Token is invalid or expired:'token punctuation">, errtoken punctuation">.messagetoken punctuation">)token punctuation">;token keyword">returntoken punctuation">;token punctuation">}token comment">// Token有效,decoded包含生成Token时传递的用户数据consoletoken punctuation">.token function">logtoken punctuation">(token string">'Decoded Token:'token punctuation">, decodedtoken punctuation">)token punctuation">;token comment">// 在这里处理用户请求,例如根据decoded.id获取用户信息
token punctuation">}token punctuation">)token punctuation">;
完整过程示例
下面是一个完整的示例,包括生成Token和验证Token的过程:
token keyword">const express token operator">= token function">requiretoken punctuation">(token string">'express'token punctuation">)token punctuation">;
token keyword">const jwt token operator">= token function">requiretoken punctuation">(token string">'jsonwebtoken'token punctuation">)token punctuation">;
token keyword">const bodyParser token operator">= token function">requiretoken punctuation">(token string">'body-parser'token punctuation">)token punctuation">;
token keyword">const app token operator">= token function">expresstoken punctuation">(token punctuation">)token punctuation">;
token keyword">const port token operator">= token number">3000token punctuation">;
token comment">// 秘钥(请确保在实际应用中妥善保管)
token keyword">const secretKey token operator">= token string">'your_secret_key'token punctuation">;
token comment">// 中间件:解析JSON请求体
apptoken punctuation">.token function">usetoken punctuation">(bodyParsertoken punctuation">.token function">jsontoken punctuation">(token punctuation">)token punctuation">)token punctuation">;
token comment">// 路由:生成Token
apptoken punctuation">.token function">posttoken punctuation">(token string">'/login'token punctuation">, token punctuation">(token parameter">reqtoken punctuation">, restoken punctuation">) token operator">=> token punctuation">{token keyword">const token punctuation">{ usernametoken punctuation">, password token punctuation">} token operator">= reqtoken punctuation">.bodytoken punctuation">;token comment">// 在这里进行用户名和密码的验证(示例中省略)token comment">// 假设验证成功,生成Tokentoken keyword">if token punctuation">(username token operator">=== token string">'exampleUser' token operator">&& password token operator">=== token string">'examplePass'token punctuation">) token punctuation">{token keyword">const userData token operator">= token punctuation">{token literal-property property">idtoken operator">: token number">1token punctuation">,token literal-property property">usernametoken operator">: token string">'exampleUser'token punctuation">}token punctuation">;token keyword">const token token operator">= jwttoken punctuation">.token function">signtoken punctuation">(userDatatoken punctuation">, secretKeytoken punctuation">, token punctuation">{ token literal-property property">expiresIntoken operator">: token string">'1h' token punctuation">}token punctuation">)token punctuation">;restoken punctuation">.token function">jsontoken punctuation">(token punctuation">{ token token punctuation">}token punctuation">)token punctuation">;token punctuation">} token keyword">else token punctuation">{restoken punctuation">.token function">statustoken punctuation">(token number">401token punctuation">)token punctuation">.token function">jsontoken punctuation">(token punctuation">{ token literal-property property">messagetoken operator">: token string">'Invalid credentials' token punctuation">}token punctuation">)token punctuation">;token punctuation">}
token punctuation">}token punctuation">)token punctuation">;
token comment">// 路由:受保护的资源
apptoken punctuation">.token function">gettoken punctuation">(token string">'/protected'token punctuation">, token punctuation">(token parameter">reqtoken punctuation">, restoken punctuation">) token operator">=> token punctuation">{token keyword">const token token operator">= reqtoken punctuation">.headerstoken punctuation">[token string">'authorization'token punctuation">] token operator">&& reqtoken punctuation">.headerstoken punctuation">[token string">'authorization'token punctuation">]token punctuation">.token function">splittoken punctuation">(token string">' 'token punctuation">)token punctuation">[token number">1token punctuation">]token punctuation">;token keyword">if token punctuation">(token operator">!tokentoken punctuation">) token punctuation">{token keyword">return restoken punctuation">.token function">statustoken punctuation">(token number">401token punctuation">)token punctuation">.token function">jsontoken punctuation">(token punctuation">{ token literal-property property">messagetoken operator">: token string">'No token provided' token punctuation">}token punctuation">)token punctuation">;token punctuation">}jwttoken punctuation">.token function">verifytoken punctuation">(tokentoken punctuation">, secretKeytoken punctuation">, token punctuation">(token parameter">errtoken punctuation">, decodedtoken punctuation">) token operator">=> token punctuation">{token keyword">if token punctuation">(errtoken punctuation">) token punctuation">{token keyword">return restoken punctuation">.token function">statustoken punctuation">(token number">403token punctuation">)token punctuation">.token function">jsontoken punctuation">(token punctuation">{ token literal-property property">messagetoken operator">: token string">'Token is invalid or expired' token punctuation">}token punctuation">)token punctuation">;token punctuation">}token comment">// Token有效,返回受保护的数据restoken punctuation">.token function">jsontoken punctuation">(token punctuation">{ token literal-property property">messagetoken operator">: token string">'Welcome to the protected route'token punctuation">, token literal-property property">usertoken operator">: decoded token punctuation">}token punctuation">)token punctuation">;token punctuation">}token punctuation">)token punctuation">;
token punctuation">}token punctuation">)token punctuation">;
apptoken punctuation">.token function">listentoken punctuation">(porttoken punctuation">, token punctuation">(token punctuation">) token operator">=> token punctuation">{consoletoken punctuation">.token function">logtoken punctuation">(token template-string">token template-punctuation string">`token string">Server is running on http://localhost:token interpolation">token interpolation-punctuation punctuation">${porttoken interpolation-punctuation punctuation">}token template-punctuation string">`token punctuation">)token punctuation">;
token punctuation">}token punctuation">)token punctuation">;
使用方法
1、启动服务器:
node apptoken punctuation">.js
2、使用POST请求访问/login路由,提供用户名和密码(示例中为exampleUser和examplePass),获取生成的Token。
3、使用GET请求访问/protected路由,并在请求头中提供Authorization字段,值为Bearer加上空格再加上Token。
