我有一个在的NodeJS表达data.domain.com服务器和我的AngularJS的客户住在subdomain.domain.com。我使用护照/快递在服务器上创建会话。然后我的客户端试图连接到同一台服务器上的socket.io。我在socket.io连接上得到403(Forbidden)。403禁止 - 在跨子socket.io连接与Passport.io +表达+ socket.io
我在想这是一个跨域问题。我在快速服务器上启用了COR。我使用我的服务器data.domain.com中的顶级域名(TLD)设置了一个cookie,即快速Cookie域配置是.domain.com。
我检查了我的会话cookie被设置在客户端上 - 与TLD .domain.com“expressSid”。一切工作瞬间,当我注释掉块起始io.set(“授权” ......
一切都在HTTPS运行。我用RedisStore用于会话存储。
Passport.io/socket.io配置:
io.configure(function() {
io.set('transports', ['xhr-polling']);
io.set('polling duration', 10);
io.set('log level', 1);
io.set("authorization", passportSocketIo.authorize({
cookieParser: express.cookieParser, //or connect.cookieParser
key: 'expressSid', //the cookie where express (or connect) stores its session id.
secret: expressSecret, //the session secret to parse the cookie
store: sessionStore, //the session store that express uses
fail: function(data, accept) { // *optional* callbacks on success or fail
accept(null, false); // second param takes boolean on whether or not to allow handshake
},
success: function(data, accept) {
accept(null, true);
}
}));
});
快速配置:
var allowCrossDomain = function(req, res, next) {
var oneof = false;
if(req.headers.origin) {
res.header('Access-Control-Allow-Origin', req.headers.origin);
res.header('Access-Control-Allow-Credentials', true);
oneof = true;
}
if(req.headers['access-control-request-method']) {
res.header('Access-Control-Allow-Methods', req.headers['access-control-request-method']);
oneof = true;
}
if(req.headers['access-control-request-headers']) {
res.header('Access-Control-Allow-Headers', req.headers['access-control-request-headers']);
oneof = true;
}
if(oneof) {
res.header('Access-Control-Max-Age', 60 * 60 * 24 * 365);
}
// intercept OPTIONS method
if (oneof && req.method == 'OPTIONS') {
res.send(200);
}
else {
next();
}
};
appSecure.configure(function(){
appSecure.use(allowCrossDomain);
appSecure.use(express.cookieParser(expressSecret));
appSecure.use(express.bodyParser());
appSecure.use(express.methodOverride());
appSecure.use(org.expressOAuth({onSuccess: '/home', onError: '/oauth/error'})); // <--- nforce middleware
appSecure.set('port', port);
});
appSecure.configure('production', function(){
appSecure.use(express.errorHandler());
appSecure.use(express.session({ secret: expressSecret, store: sessionStore, key:'expressSid', cookie: { domain:'.domain.com'}}));
appSecure.use(passport.initialize());
appSecure.use(passport.session());
appSecure.use(appSecure.router);
appSecure.use(express.static(__dirname + '/public'));
});
我想我的问题是旧的开发迭代中的旧会话cookie在socket.io连接请求上发送。我在浏览器中清除了cookie,事情似乎更好。 – wisemanIV
http://stackoverflow.com/questions/13933980/make-a-secure-oauth-api-with-passport-js-and-express-js-node-js/20218939#20218939 – sam100rav