0
我有以下架构。它的用户和文档有几个字段。我需要的是,一旦用户注册密码变得隐藏,无论哪个数据库查询(例如查找,更新等),我运行密码始终保持隐藏状态。隐藏所有MongoDB查询的密码
我知道在mongo查询中排除/制作密码:0截至目前我排除密码使用以下方法:
User.find({} , {password: 0}).populate('favoriteListings').populate('myListings').populate('profilePicture').limit(size).skip(itemsToSkip)
.exec(function (err, result) { // LIMIT THE RESULT TO 5 DOCUMENTS PER QUERY
if (err) return next(err)
return res.json(result)
})
即我排除密码从json结果单独在所有查询。我需要的是做一些类似密码:{hidden:true}并且每当我做任何查询密码不返回。
var mongoose = require('mongoose');
var Schema = mongoose.Schema; // creating schema
var Listing = require('../listing/listingModel');
var Media = require('../media/mediaModel');
var UserSchema = new Schema({
email: {type: String,default: null}, // EMAIL ID AND PASSWORD ARE TO BE KEPT ON MAIN OF SCHEMA
password: {type: String,default: null},
personal: { // personal information
firstName: {type: String,default: null},
lastName: {type: String,default: null},
dateOfBirth: { type: Date, default: Date.now },
description: {type: String,default: null},
contactNo: {type: String,default: '0000-0000-0000'},
gender: {
male: {type: Boolean,default: true},
female: {type: Boolean,default: false}
}
},
preferences: {
budget: {type: Number,default: 0},
moveInDate: { type: Date, default: Date.now },
profileViewable: {type: Boolean,default: true}
},
background: { // Has an array of work experiences
workExperience: [{ // can have multiple experiences so it is an array
employer: {type: String,default: null},
position: {type: String,default: null},
descrpiton: {type: String,default: null},
startDate: {type: Date,default: Date.now},
endDate: {type: Date,default: Date.now}
}]
},
profilePicture: { type: Schema.Types.ObjectId, ref: 'Media' },
favoriteListings: [{ type: Schema.Types.ObjectId, ref: 'Listing' }],
myListings: [{ type: Schema.Types.ObjectId, ref: 'Listing' }],
status: {type: Boolean,default: true} // STATUS OF ENTRY, BY DEFAULT ACTIVE=TRUE
},
{
// MAKING VIRTUALS TRUE
toObject: {
virtuals: true
},
toJSON: {
virtuals: true
},
timestamps: true, // FOR createdAt and updatedAt
versionKey: false,
id: false // because toObject virtuals true creates another id field in addition to _id so making it false
}
)
UserSchema
.virtual('fullName')
.get(function() {
// console.log(this.createdAt)
if (this.firstName != null && this.lastName != null) {return this.name.firstName + ' ' + this.name.lastName}
else
return null
})
var User = mongoose.model('User', UserSchema)
module.exports = User
以下为登录用户
User.findOne({
email: req.body.email
}).select('+hash +salt').exec(function (err, validadmin) {
if (err) return next(err)
if (!validadmin) {
res.json({ success: false, message: 'Authentication failed. User not found.' })
} else if (validadmin) {
var decryptedPassword = CryptoJS.AES.decrypt(validadmin.password, myPasswordKey) // DECRYPTING PASSWORD
// OBTAINED FROM DB TO MATCH WITH PASSWORD GIVEN BY USER
decryptedPassword = decryptedPassword.toString(CryptoJS.enc.Utf8)
console.log(decryptedPassword)
console.log(req.body.password)
// check if password matches
if (decryptedPassword != req.body.password) {
return res.json({ success: false, message: 'Authentication failed. Wrong password.' })
} else {
// CREATES TOKEN UPON SUCCESSFUL LOGIN
var token = jwt.sign(validadmin, app.get('superSecret'), {
expiresIn: 24 * 60 * 60
})
// LOGIN SUCCESSFUL
return res.json({
success: true,
message: 'LOGIN SUCCESSFUL!',
token: token
})
}
}
});
在这种情况下,密码从查询结果中隐藏起来。但是当我使用密码和电子邮件进行登录时,出现以下错误:TypeError:无法读取未定义的属性“salt”。顺便说一句我使用jwt的密码加密 – SyedAliRazaSherazi
在你的登录策略,你必须检索数据库的用户,并检查它对试图登录正确的用户?在查找用户的查询中,在find方法之后添加.select('+ hash + salt')。 –
如果您不想在查询数据库以显示用户配置文件时获取散列和salt,还可以执行以下操作:User.find(id).. select(' - hash - 盐') 我认为这将工作 –