node.js – 在用户注销后,如何防止浏览器的后退按钮访问受限信息?

Node.js 2019-05-05
我正在 github上使用 this example找到护照本地策略与mongoose / mongodb.
我遇到的问题是,当用户注销时,他们仍然可以通过点击浏览器上的后退按钮来访问受限信息.我是node.js的新手,但我想在需要执行后退和前进按钮之前,需要实现某种类型的钩子来调用ensureAuthenticated函数 – 位于代码底部的所有方式.在用户注销后,如何通过点击后退按钮来阻止用户访问受限信息? 
var express = require('express'),passport = require('passport'),LocalStrategy = require('passport-local').Strategy,mongodb = require('mongodb'),mongoose = require('mongoose'),bcrypt = require('bcrypt'),SALT_WORK_FACTOR = 10;

mongoose.connect('localhost','test');
var db = mongoose.connection;
db.on('error',console.error.bind(console,'connection error:'));
db.once('open',function callback() {
  console.log('Connected to DB');
});

// User Schema
var userSchema = mongoose.Schema({
  username: { type: String,required: true,unique: true },email: { type: String,password: { type: String,required: true},accesstoken: { type: String } // Used for Remember Me
});

// Bcrypt middleware
userSchema.pre('save',function(next) {
    var user = this;

    if(!user.isModified('password')) return next();

    bcrypt.genSalt(SALT_WORK_FACTOR,function(err,salt) {
        if(err) return next(err);

        bcrypt.hash(user.password,salt,hash) {
            if(err) return next(err);
            user.password = hash;
            next();
        });
    });
});

// Password verification
userSchema.methods.comparePassword = function(candidatePassword,cb) {
    bcrypt.compare(candidatePassword,this.password,isMatch) {
        if(err) return cb(err);
        cb(null,isMatch);
    });
};

// Remember Me implementation helper method
userSchema.methods.generaterandomToken = function () {
  var user = this,chars = "_!abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMnopQRSTUVWXYZ1234567890",token = new Date().getTime() + '_';
  for ( var x = 0; x < 16; x++ ) {
    var i = Math.floor( Math.random() * 62 );
    token += chars.charat( i );
  }
  return token;
};

// Seed a user
var User = mongoose.model('User',userSchema);
// var usr = new User({ username: 'bob',email: 'bob@example.com',password: 'secret' });
// usr.save(function(err) {
//   if(err) {
//     console.log(err);
//   } else {
//     console.log('user: ' + usr.username + " saved.");
//   }
// });


// Passport session setup.
//   To support persistent login sessions,Passport needs to be able to
//   serialize users into and deserialize users out of the session.  Typically,//   this will be as simple as storing the user ID when serializing,and finding
//   the user by ID when deserializing.
//
//   Both serializer and deserializer edited for Remember Me functionality
passport.serializeUser(function(user,done) {
  var createAccesstoken = function () {
    var token = user.generaterandomToken();
    User.findOne( { accesstoken: token },function (err,existingUser) {
      if (err) { return done( err ); }
      if (existingUser) {
        createAccesstoken(); // Run the function again - the token has to be unique!
      } else {
        user.set('accesstoken',token);
        user.save( function (err) {
          if (err) return done(err);
          return done(null,user.get('accesstoken'));
        })
      }
    });
  };

  if ( user._id ) {
    createAccesstoken();
  }
});

passport.deserializeUser(function(token,done) {
  User.findOne( {accesstoken: token },user) {
    done(err,user);
  });
});


// Use the LocalStrategy within Passport.
//   Strategies in passport require a `verify` function,which accept
//   credentials (in this case,a username and password),and invoke a callback
//   with a user object.  In the real world,this would query a database;
//   however,in this example we are using a baked-in set of users.
passport.use(new LocalStrategy(function(username,password,done) {
  User.findOne({ username: username },user) {
    if (err) { return done(err); }
    if (!user) { return done(null,false,{ message: 'UnkNown user ' + username }); }
    user.comparePassword(password,isMatch) {
      if (err) return done(err);
      if(isMatch) {
        return done(null,user);
      } else {
        return done(null,{ message: 'Invalid password' });
      }
    });
  });
}));


var app = express();

// configure Express
app.configure(function() {
  app.set('views',__dirname + '/views');
  app.set('view engine','ejs');
  app.engine('ejs',require('ejs-locals'));
  app.use(express.logger());
  app.use(express.cookieParser());
  app.use(express.bodyParser());
  app.use(express.methodoverride());
  app.use(express.session({ secret: 'keyboard cat' })); // CHANGE THIS SECRET!
  // Remember Me middleware
  app.use( function (req,res,next) {
    if ( req.method == 'POST' && req.url == '/login' ) {
      if ( req.body.rememberme ) {
        req.session.cookie.maxAge = 2592000000; // 30*24*60*60*1000 Rememeber 'me' for 30 days
      } else {
        req.session.cookie.expires = false;
      }
    }
    next();
  });
  // Initialize Passport!  Also use passport.session() middleware,to support
  // persistent login sessions (recommended).
  app.use(passport.initialize());
  app.use(passport.session());
  app.use(app.router);
  app.use(express.static(__dirname + '/../../public'));
});
app.get('/users',function(req,res) {
  var users = User.find();
  console.log(users);
  res.send(users);
});

app.get('/',res){
  res.render('index',{ user: req.user });
});

app.get('/account',ensureAuthenticated,res){
  res.render('account',{ user: req.user });
});

app.get('/login',res){
  res.render('login',{ user: req.user,message: req.session.messages });
});

// POST /login
//   Use passport.authenticate() as route middleware to authenticate the
//   request.  If authentication fails,the user will be redirected back to the
//   login page.  Otherwise,the primary route function function will be called,//   which,in this example,will redirect the user to the home page.
//
//   curl -v -d "username=bob&password=secret" http://127.0.0.1:3000/login
//   
/***** This version has a problem with flash messages
app.post('/login',passport.authenticate('local',{ failureRedirect: '/login',failureFlash: true }),res) {
    res.redirect('/');
  });
*/

// POST /login
//   This is an alternative implementation that uses a custom callback to
//   acheive the same functionality.
app.post('/login',next) {
  passport.authenticate('local',user,info) {
    if (err) { return next(err) }
    if (!user) {
      req.session.messages =  [info.message];
      return res.redirect('/login')
    }
    req.logIn(user,function(err) {
      if (err) { return next(err); }
      return res.redirect('/');
    });
  })(req,next);
});

app.get('/logout',res){
  req.logout();
  res.redirect('/');
});

app.listen(3000,function() {
  console.log('Express server listening on port 3000');
});


// Simple route middleware to ensure user is authenticated.
//   Use this route middleware on any resource that needs to be protected.  If
//   the request is authenticated (typically via a persistent login session),//   the request will proceed.  Otherwise,the user will be redirected to the
//   login page.
function ensureAuthenticated(req,next) {
  if (req.isAuthenticated()) { return next(); }
  res.redirect('/login')
}

编辑
我想我可能会做些什么,但却无法让它发挥作用.做了一些研究后,
似乎我需要做的是阻止本地缓存.我正在尝试从我的app.configure函数中执行此操作:

app.configure(function() {
  app.use(function(req,next) {
    res.header('Cache-Control','no-cache,private,no-store,must-revalidate,max-stale=0,post-check=0,pre-check=0');
    next();
  });
});

但是,这似乎并没有影响我的标题.

解决方法

由于浏览器从缓存中提取页面,因此您在该页面上执行的操作无关紧要,除非您添加JS检查以查看用户是否仍在进行身份验证…但这并不能解决页面存在的问题在缓存中.

将问题重新定义为缓存问题,我找到了这个答案:https://stackoverflow.com/a/24591864/217374

你问过这已经过了一年多,所以我不指望你特别需要答案,但是对于其他任何人来说都是如此.

相关文章

基于nodejs的ssh2怎么实现自动化部署
这篇文章主要介绍“基于nodejs的ssh2怎么实现自动化部署”的...
nodejs怎么实现目录不存在自动创建
本文小编为大家详细介绍“nodejs怎么实现目录不存在自动创建...
如何把nodejs数据传到前端
这篇“如何把nodejs数据传到前端”文章的知识点大部分人都不...
nodejs如何实现定时删除文件
本文小编为大家详细介绍“nodejs如何实现定时删除文件”,内...
nodejs安装模块卡住不动怎么解决
这篇文章主要讲解了“nodejs安装模块卡住不动怎么解决”,文...
如何检测nodejs有没有安装成功
今天小编给大家分享一下如何检测nodejs有没有安装成功的相关...