I am creating a very simple project that uses JWT.
I am serving everything via express, I do not have a separate frontend and backend. What I want to do is serve SPECIFIC html files based on the user's authorization (serving on https://localhost:3000, entry point server.js).
People keep recommending to use (server.js):
app.use(express.static('static'))
but this of course does not work, as I can access ANY of those files by going to https://localhost:3000/whatever.i.want .
I have also tried (server.js):
// authMiddleware and auth are defined elsewhere (not shown in the post)
app.use('/secret', authMiddleware, function (req, res) {
  if (auth) {
    res.sendFile(__dirname + '/static/secret.html');
  } else {
    res.sendStatus(401); // without a response here the request would hang
  }
});
but this gives 404s on my stylesheet and script, as well as some weird MIME type error:
Refused to execute https://localhost:3000/script.js as script because "X-Content-Type: nosniff" was given and its Content-Type is not a script MIME type.
It works if I add:
app.get('/styles.css', function (req, res) {
  res.sendFile(__dirname + '/static/styles.css');
});
app.get('/script.js', function (req, res) {
  res.sendFile(__dirname + '/static/script.js');
});
But do I really have to do this for every single stylesheet and script I use?
There has to be a better way!!!
1.) What is the best way that people do this?
Specifically, is it possible to create authorized web-apps without using a frontend and serving all your static files from the backend?
2.) Is it necessary that your static directory is publicly accessible?
Meaning you can only put authorization constraints on certain endpoints, then use a script file that calls those endpoints? Which would still allow you to view the base HTML, just not any results of the API calls. Which in effect works but is gross.
File system:
server.js
/static
  /blah.html
  /secret.html
  /secret.css
  /secret.js
Asked by Jake Chambers, translated from Stack Overflow.