使用jsonwebtoken完成nodejs的登陸系統

今天我們繼續，做一個簡單的登陸系統，使用jsonwebtoken作鑑權。

Mongoose添加數據庫賬號集合

首先我們定義一個AccountSchema，如下：

const mongoose = require('mongoose');
const Schema = mongoose.Schema;

const AccountSchema = new Schema({
    user_id: {type: String, required: true},
    username: {type: String, required: true},
    password: {type: String, required: true},
});

const AccountModel = mongoose.model('Account', AccountSchema);
module.exports = AccountModel;

然後我們創建一個名爲account的路由，開始寫接口。先寫註冊接口，
註冊接口就是直接post account，代碼如下：

const response = require('../util/response-util');
const router = require("koa-router")();
const AccountModel = require('../model/account');
const key = require('../config/secret-key');
const md5 = require('md5');

//註冊賬號接口
router.post('/', async (ctx) => {
    let requestAccount = ctx.request.body;
    if (!requestAccount.username || requestAccount.username.length < 3) {
        ctx.throw(400, 'length of username need >= 3');
    }
    if (!requestAccount.password || requestAccount.password.length < 6) {
        ctx.throw(400, 'length of password need >= 6');
    }

    const isDuplicatedUsername = await AccountModel.findOne({'username': requestAccount.username});
    if(isDuplicatedUsername) {
        ctx.throw(400,'duplicated username');
    }

    requestAccount.password = md5(key.accountPasswordKey + requestAccount.password);
    let result = await AccountModel.create(requestAccount);
    if (result) {
        ctx.body = response.createOKResponse(result);
    } else {
        ctx.body = response.createFailedResponse(500, 'create account failed');
    }

});

賬號使用password再加一個鹽指一起做MD5加密，雖然對Schema裏做了長度、唯一性限制，在接口上也要做限制來做json返回。
再寫一個註銷接口方便寫做單元測試：

//註銷賬號接口
router.delete('/', async (ctx) => {
    let username = ctx.query.username;
    if (!username) {
        ctx.throw(400, 'need username');
    }

    let result = await  AccountModel.findOneAndDelete(username);
    if (result) ctx.body = response.createOKResponse(result);
    else ctx.body = response.createFailedResponse(500, 'delete account fail')
});

然後是登陸接口，先做校驗，生成token令牌下面再做：

//登陸接口
router.post('/user-token', async (ctx) => {
    let requestAccount = ctx.request.body;
    if (!requestAccount.username || requestAccount.username.length < 3) {
        ctx.throw(400, 'length of username need >= 3');
    }
    if (!requestAccount.password || requestAccount.password.length < 6) {
        ctx.throw(400, 'length of password need >= 6');
    }

    requestAccount.password = md5(key.accountPasswordKey + requestAccount.password);
    let account = await AccountModel.findOne(requestAccount);
    if (account) {
        ctx.body = response.createOKResponse(account);
    } else {
        ctx.body = response.createFailedResponse(500, 'query account failed');
    }

});

這些都很簡單。退出登陸不需要做，根據jwt的標準，後端不保存token，想要退出登陸前端把當前token刪掉就可以了。

使用JWT作登陸認證

現在的應用都要作多終端認證，因此使用token來做認證是非常合適的，基本上移動端都是用accsess-token來驗證用戶的登陸信息。
jsonwebtoken是一個跨域認證標準，不瞭解的朋友可以先看看阮一峯老師的這篇博客JSON Web Token 入門教程。
它的好處就是可以跨域，跨平臺。而且由於服務端不需要保存token信息，開發起來非常簡單。
JWT在不同語言、平臺有不同的實現庫，由於我們是nodejs，所以直接去npm上找，node版JWT這個就是了，可以看下使用方法，真的是非常簡單呢。先運行下npm install jsonwebtoken安裝JWT依賴。
下面我們繼續寫登陸接口，返回一個user-token給客戶端，客戶端拿到後保存起來，以後的請求在請求頭裏加上token信息，後端就可以識別了。
由於我打算用加密強度非常大的RSA256加密jwt，因此先生成一對RSA密鑰，我們藉助openssl來創建RSA256密鑰對：

full-stacker/full-stacker-api/config  master ✗                                                                                                                                           2d ⚑  
▶ openssl
OpenSSL> genrsa -out jwt.pem 1024                        
Generating RSA private key, 1024 bit long modulus
....++++++
.......................++++++
e is 65537 (0x10001)
      
OpenSSL> rsa -in jwt.pem -pubout -out jwt_pub.pem
writing RSA key
OpenSSL> exit

full-stacker/full-stacker-api/config  master ✗                                                                                                                                         2d ⚑ ◒  
▶ ls
jwt.pem       jwt_pub.pem   mongo-db.js   secret-key.js

密鑰有了，我們可以在登陸接口生成jwt給客戶端了：

//登陸接口
router.post('/user-token', async (ctx) => {
    let requestAccount = ctx.request.body;
    if (!requestAccount.username || requestAccount.username.length < 3) {
        ctx.throw(400, 'length of username need >= 3');
    }
    if (!requestAccount.password || requestAccount.password.length < 6) {
        ctx.throw(400, 'length of password need >= 6');
    }

    requestAccount.password = md5(key.accountPasswordKey + requestAccount.password);
    let account = await AccountModel.findOne(requestAccount);
    if (account) {
        let cert = fs.readFileSync(path.resolve(__dirname, '../config/jwt.pem'));
        let userToken = jwt.sign({
                _id: account._id,
                username: account.username
            }, cert,
            {
                algorithm: 'RS256',
                expiresIn: '1h'
            });
        ctx.body = response.createOKResponse(userToken);
    } else {
        ctx.body = response.createFailedResponse(500, 'wrong username or password');
    }

});

這其中，fs讀取文件的時候讀相對路徑經常會找不到，無奈藉助path來讀絕對路徑給fs，jwt裏存儲用戶的id和username，這裏expiresIn表示過期時間。
最後我們寫個測試接口來測試一個jwt登陸鑑權：

//登陸鑑權測試接口
router.get('/test', async (ctx) => {
    userToken = ctx.request.get('Authorization');
    let cert = fs.readFileSync(path.resolve(__dirname, '../config/jwt_pub.pem'));

    try {
        const decoded = await jwt.verify(userToken, cert);
        ctx.body = response.createOKResponse(decoded);
    } catch (e) {
        ctx.throw(401, 'need authorization')
    }
});

這裏推薦一個測試接口的chrome插件Restlet Client，感覺比postman更好用。
好了，這下我們基本的賬號系統和登陸鑑權就做完了，使用JWT是不是超級簡單呢？

編寫單元測試

使用ava+superkoa做單元測試，代碼如下：

import test from 'ava';
import superKoa from 'superkoa';
import app from '../app';

test.serial('register account', async t => {
    let res = await superKoa(app)
        .post('/account')
        .send({username: 'test-account', password: '123456'});
    t.is(200, res.status);
    t.is(0, res.body.error);
    t.is('test-account', res.body.data.username);
});

test.serial('login && authorization', async t => {
    let res = await superKoa(app)
        .post('/account/user-token')
        .send({username: 'test-account', password: '123456'});
    t.is(200, res.status);
    t.is(0, res.body.error);

    let res2 = await superKoa(app)
        .get('/account/test')
        .set('Authorization', res.body.data);
    t.is(200, res2.status);
    t.is(0, res2.body.error);
    t.is('test-account', res2.body.data.username);
});

test.serial('unregister authorization', async t => {
    let res = await superKoa(app)
        .delete('/account?username=test-account');
    t.is(200, res.status);
    t.is(0, res.body.error);
    t.is('test-account', res.body.data.username);
});

運行一下，看看結果：

▶ npm test

> [email protected] test /Users/judy/WeChatProjects/full-stacker/full-stacker-api
> ava -v

POST /category - 424ms
  --> POST /category 200 431ms 89b
  ✔ create category (473ms)
  <-- PATCH /category
PATCH /category - 912ms
  --> PATCH /category 200 913ms 90b
  ✔ update category (920ms)
  <-- GET /category/list?parent=root
GET /category/list?parent=root - 22ms
  --> GET /category/list?parent=root 200 31ms 270b
  ✔ query categories by parent
  <-- DELETE /category?_id=test
DELETE /category?_id=test - 21ms
  --> DELETE /category?_id=test 200 22ms 90b
  ✔ delete category
  <-- POST /account
POST /account - 56ms
  --> POST /account 200 58ms 133b
  ✔ register account
  <-- POST /account/user-token
POST /account/user-token - 25ms
  --> POST /account/user-token 200 25ms 356b
  <-- GET /account/test
GET /account/test - 6ms
  --> GET /account/test 200 8ms 113b
  ✔ login && authorization
  <-- DELETE /account?username=test-account
DELETE /account?username=test-account - 15ms
  --> DELETE /account?username=test-account 200 17ms 133b
  ✔ unregister authorization
  <-- GET /
GET / - 0ms
  --> GET / 200 3ms 19b
  ✔ hello full-stacker

  8 tests passed

全部通過（有5個是之前的，有時間把測試包給分一下），happy，回家過元旦！