I do authorization using passport.js. After the user has logged in and reached his own page (localhost:3000/home), he can still open the admin page simply by typing localhost:3000/admin in the address bar. How can this be prevented? Below is the code just in case:

passport.js

var LocalStrategy = require('passport-local').Strategy; var mysql = require('mysql'); var bcrypt = require('bcrypt-nodejs'); var dbconfig = require('./database'); var connection = mysql.createConnection(dbconfig.connection); connection.query("SET SESSION wait_timeout = 604800"); module.exports = function(passport) { passport.serializeUser(function(user, done) { done(null, user.id); }); passport.deserializeUser(function(id, done) { connection.query("SELECT * FROM users WHERE id = ? ", [id], function(err, rows){ done(err, rows[0]); }); }); passport.use('local-login', new LocalStrategy({ usernameField : 'username', passwordField : 'password', passReqToCallback : true }, function(req, username, password, done) { connection.query("SELECT * FROM users WHERE username = ?", [username], function(err, rows) { if(err) return done(err); if(!rows.length) {return done(null, false, req.flash('loginMessage', 'No user found.'));} if(!bcrypt.compareSync(password, rows[0].passwd)) return done(null, false, req.flash('loginMessage', 'Oops! Wrong password.')); return done(null, rows[0]); }); }) ); }; 

router.js

 module.exports = function(app, passport) { app.get('/', function(req, res, next) { res.render('index', {message: req.flash('message')}); }); app.post('/login', passport.authenticate('local-login' // ,{ // successRedirect : 'home', // redirect to the secure profile section // failureRedirect : '/', // redirect back to the signup page if there is an error // failureFlash : true // allow flash messages // } ), function(req, res) { console.log(req.body); if (req.body.remember) { req.session.cookie.maxAge = 10; } else { req.session.cookie.expires = false; } if(req.user.role==="admin") res.redirect('/admin'); if(req.user.role==="user") res.redirect('/home'); res.redirect('/'); }); app.get('/home', isLoggedIn, function(req, res) { res.render('home', { user : req.user // get the user out of session and pass to template }); }); app.get('/admin', isLoggedIn, function(req, res) { res.render('admin', { user : req.user // get the user out of session and pass to template }); }); function isLoggedIn(req, res, next) { // if user is authenticated in the session, carry on if (req.isAuthenticated()) return next(); // if they aren't redirect them to the home page res.redirect('/'); }; } 
  • Use the "Fragment of the code" button only for code that can actually be executed in the browser. For pieces of code that are not self-sufficient, use code blocks formatted with an indent of 4 spaces (Ctrl + K). - Mikhail Vaysman
  • I think there is no way to stop the request itself: the GET request is generated by the client. The only thing you can do is check some secret value generated on the server, stored in a cookie, on the page that needs it. It is easier to store user rights (roles) and redirect to home if the rights are not sufficient. - Daniel Protopopov
