2013-09-27 43 views
0

403 Forbidden - on cross-subdomain socket.io connection with Passport.io + Express + socket.io

I have a NodeJS Express server at data.domain.com and my AngularJS client lives at subdomain.domain.com. I use Passport/Express to create the session on the server. Then my client tries to connect to socket.io on the same server. I get a 403 (Forbidden) on the socket.io connection.

I think this is a cross-domain issue. I enabled CORS on the Express server. I set a cookie with the top-level domain (TLD) from my server data.domain.com, i.e. the Express cookie domain config is .domain.com.

I checked that my session cookie is set on the client - "expressSid" with TLD .domain.com. Everything works instantly when I comment out the block starting io.set("authorization" ...

Everything runs over HTTPS. I use RedisStore for session storage.

Passport.io/socket.io configuration:

io.configure(function() {
    io.set('transports', ['xhr-polling']);
    io.set('polling duration', 10);
    io.set('log level', 1);

    io.set("authorization", passportSocketIo.authorize({
        cookieParser: express.cookieParser, // or connect.cookieParser
        key:    'expressSid',   // the cookie where express (or connect) stores its session id
        secret: expressSecret,  // the session secret to parse the cookie
        store:  sessionStore,   // the session store that express uses
        fail: function(data, accept) {  // *optional* callbacks on success or fail
            accept(null, false);        // second param takes boolean on whether or not to allow handshake
        },
        success: function(data, accept) {
            accept(null, true);
        }
    }));
});

Express configuration:

var allowCrossDomain = function(req, res, next) {
    var oneof = false;
    if (req.headers.origin) {
        // Note: this reflects whatever Origin the browser sent and also allows
        // credentials, so any origin that reaches this server gets a credentialed CORS grant.
        res.header('Access-Control-Allow-Origin', req.headers.origin);
        res.header('Access-Control-Allow-Credentials', true);
        oneof = true;
    }
    if (req.headers['access-control-request-method']) {
        res.header('Access-Control-Allow-Methods', req.headers['access-control-request-method']);
        oneof = true;
    }
    if (req.headers['access-control-request-headers']) {
        res.header('Access-Control-Allow-Headers', req.headers['access-control-request-headers']);
        oneof = true;
    }
    if (oneof) {
        res.header('Access-Control-Max-Age', 60 * 60 * 24 * 365);
    }

    // intercept OPTIONS method
    if (oneof && req.method == 'OPTIONS') {
        res.send(200);
    } else {
        next();
    }
};

appSecure.configure(function() {
    appSecure.use(allowCrossDomain);
    appSecure.use(express.cookieParser(expressSecret));
    appSecure.use(express.bodyParser());
    appSecure.use(express.methodOverride());
    appSecure.use(org.expressOAuth({ onSuccess: '/home', onError: '/oauth/error' })); // <--- nforce middleware
    appSecure.set('port', port);
});

appSecure.configure('production', function() {
    appSecure.use(express.errorHandler());
    appSecure.use(express.session({ secret: expressSecret, store: sessionStore, key: 'expressSid', cookie: { domain: '.domain.com' } }));
    appSecure.use(passport.initialize());
    appSecure.use(passport.session());
    appSecure.use(appSecure.router);
    appSecure.use(express.static(__dirname + '/public'));
});
+0

I think my problem was an old session cookie from an old development iteration being sent on the socket.io connection request. I cleared the cookies in the browser and things seem better. – wisemanIV

+0

http://stackoverflow.com/questions/13933980/make-a-secure-oauth-api-with-passport-js-and-express-js-node-js/20218939#20218939 – sam100rav

Answer

2

Clearing the browser cookies in Chrome fixed it

I did start passing the cookie to cookieParser, but I don't think that fixed it. I had several session cookies from previous iterations being sent in requests. Clearing the cookies in the browser solved the problem.