javascript - 如何在Express中提供单个静态文件而不暴露完整的“ / static”文件夹？(How to serve singular static files in express without exposing full '/static' folder?)

Question

I am creating a very simple project that uses JWT.(我正在创建一个使用JWT的非常简单的项目。)

I am serving everything via express, I do not have a frontend and backend.(我通过快递服务所有东西，我没有前端和后端。) What I want to do is serve SPECIFIC html files based on the user's authorization (serving on https://localhost:3000 entry point server.js)(我想要做的是根据用户的授权提供特定的html文件（在https：// localhost：3000入口点server.js上提供）)

People keep recommending to use (server.js):(人们不断建议使用（server.js）：)

app.use(express.static('static'))

but this of course does not work as I can access ANY of those files by going to https://localhost:3000/whatever.i.want .(但这当然不起作用，因为我可以通过访问https：// localhost：3000 / whatever.i.want来访问任何这些文件。)

I have also tried (server.js):(我也尝试过（server.js）：)

app.use( '/secret' , authMiddleware, function(req,res){
    if(auth){
      res.sendFile(__dirname + '/static/secret.html')
    }
});

but gives 404s on my stylesheet and script, as well as some weird MIME type error(但是在我的样式表和脚本上给出了404，以及一些奇怪的MIME类型错误)

Refused to execute https://localhost:3000/script.js as script because "X-Content-Type: nosniff" was given and its Content-Type is not a script MIME type.(拒绝执行https：// localhost：3000 / script.js作为脚本，因为给出了“ X-Content-Type：nosniff”，并且其Content-Type不是脚本MIME类型。)

It works if I add:(如果我添加，它将起作用：)

app.get( '/styles.css' , function(req,res){
  res.sendFile(__dirname + '/static/styles.css')
});

app.get( '/script.js' , function(req,res){
  res.sendFile(__dirname + '/static/script.js')
});

But do I really have to do this for every single stylesheet and script I use?(但是我真的必须为我使用的每个样式表和脚本都这样做吗？)

There has to be a better way!!!(一定有更好的方法！！！)

1.) What is the best way that people do this?(1.）人们这样做的最佳方式是什么？)

Specifically, is it possible to create authorized web-apps without using a frontend and serving all your static files from the backend?(具体来说，是否可以创建授权的Web应用程序而无需使用前端并从后端提供所有静态文件？)

2.) Is it necessary that your static directory is publicly accessible?(2）是否有必要公开访问您的静态目录？)

Meaning you can only cast authorization constraints on certain endpoints, then use a script file that calls those endpoints?(意味着您只能在某些端点上强制授权约束，然后使用调用这些端点的脚本文件？) Which would still allow you to view the base HTML, just not any results of the API calls.(仍然允许您查看基本的HTML，而不仅仅是API调用的任何结果。) Which in effect works but is gross.(实际上有效，但很严重。)

File system(文件系统)

server.js
/static
  /blah.html
  /secret.html
  /secret.css
  /secret.js

  ask by Jake Chambers translate from so

Answer 1

If you want to selectively serve assets from the express server, you could do something like this:(如果要有选择地从快递服务器提供资产，则可以执行以下操作：)

let secrets = ['secrets.html', 'my_diary.html']

app.use((req, res, next) => {
    let shouldBeAuthorised = secrets.some(s => req.url.includes(s))
    if (shouldBeAuthorized)
        // check they are authorized to be served this content
    else
        // just serve the content, carry on... no need to worry
})

app.use(express.static('static'))

My use of req.url.includes is very shaky, and with a more complicated list of files, could result in you requiring authorization for files that aren't explicitly in the blacklist... but the basic structure of the above code should achieve what you're looking to achieve.(我对req.url.includes使用非常不稳定，并且文件列表更为复杂，可能会导致您需要对未明确列入黑名单的文件进行授权...但是上述代码的基本结构应实现您想要实现的目标。)