问题描述
我不能在这里传递任何秘密,因为它存储在Redis中,供每个用户使用,在访问用户ID以获得其秘密之前,我必须解析令牌主体。使用nestjs进行架构。是否有任何优雅的解决方案,而不必自己撰写整个策略?
export class JwtStrategy extends PassportStrategy(Strategy) {
constructor(private authService: AuthService) {
super({
jwtFromrequest: ExtractJwt.fromAuthHeaderAsBearerToken(),ignoreExpiration: false,secretorKey: ???,passReqToCallback: true,});
}
async validate(req: any,payload: UserType): Promise<UserType> {
try {
const token = ExtractJwt.fromAuthHeaderAsBearerToken()(req);
const [header,body] = token.split('.');
const headerjson = JSON.parse(btoa(header)) as { alg: Algorithm };
const bodyJSON = JSON.parse(btoa(body)) as UserType;
const sub = bodyJSON.sub;
const userId = await this.authService.findUserSecret(sub);
const jwt = new JwtService({
secret: userId,});
await jwt.verify(token,{
algorithms: [headerjson.alg],});
return payload;
} catch (e) {
return Promise.reject();
}
}
}```
解决方法
进行了更多的研究,发现了这一点
secretOrKeyProvider(request: any,rawJwtToken: string,done: any) {
const [,body] = rawJwtToken.split('.');
const bodyJSON = JSON.parse(btoa(body)) as UserType;
const { sub } = bodyJSON;
authService
.findUserSecret(sub)
.then(secret => secret || Promise.reject())
.then(secret => done(null,secret))
.catch(error => done(error,null));
},