Please confirm whether my interpretation of your requirement is correct:
Your users can log on in two roles, with different passwords per role. And they might even be logged on in both roles simultaneously (either by giving two passwords, or because the admin role includes the employee role).
You could achieve this by having only one session, with attributes `req.session.employeeAuthenticated` and `req.session.adminAuthenticated`. After validating a password, you would set one (or both) of these attributes, and users could also "log out from the admin role", after which you would simply set `req.session.adminAuthenticated = false` but keep the session.
The first of the `adminRoutes` must then validate that the current user indeed has the admin role:

```javascript
function(req, res, next) {
  // Pass the request on only when the session carries the admin flag.
  if (req.session.adminAuthenticated) next();
  else res.status(403).end("Forbidden for non-admins");
}
```

(and likewise in `employeeRoutes`).
Only when the user logs out completely would you call `req.session.destroy()`.
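The following is an added, self-contained example (not code from the answer above or from Express itself) of the single-session, per-role-flag design just described: a `requireRole` middleware factory, login/logout helpers that set or clear only the relevant flag, and a small harness that runs the middleware against constructed `req`/`res` objects so it needs no framework to execute. The credential table, `checkPassword`, `runMiddleware` and the role names are assumptions made for the demo; a real application would verify a password hash instead.

```javascript
// Added example: role-scoped authentication flags on one session, Express-style.
// The req/res/next objects are constructed stand-ins, so this runs without Express.

// Middleware factory: passes the request on only when the session carries the
// given role flag; otherwise answers 403 and leaves the session untouched.
function requireRole(flag) {
  return function (req, res, next) {
    if (req.session && req.session[flag] === true) return next();
    // flag is e.g. "adminAuthenticated" -> "Forbidden for non-admins"
    res.status(403).end("Forbidden for non-" + flag.replace("Authenticated", "") + "s");
  };
}

const requireAdmin = requireRole("adminAuthenticated");
const requireEmployee = requireRole("employeeAuthenticated");

// Constructed credential table for the demo (assumption: plaintext only to keep the
// example short; real code compares against a stored password hash).
const CREDENTIALS = { employee: "emp-secret", admin: "adm-secret" };
function checkPassword(role, password) {
  return CREDENTIALS[role] === password;
}

// Login sets only the flag for the role whose password was verified. An admin
// password also grants the employee role (the "admin includes employee" case).
function login(session, role, password) {
  if (!checkPassword(role, password)) return false;
  if (role === "admin") {
    session.adminAuthenticated = true;
    session.employeeAuthenticated = true;
  } else if (role === "employee") {
    session.employeeAuthenticated = true;
  }
  return true;
}

// Dropping the admin role keeps the session (and the employee flag) intact.
function logoutAdmin(session) {
  session.adminAuthenticated = false;
}

// Full logout is where req.session.destroy() would be called in Express;
// here it is mimicked by clearing every attribute of the constructed session.
function logoutAll(session) {
  for (const key of Object.keys(session)) delete session[key];
}

// Harness: run a middleware against a constructed req/res and report the outcome.
function runMiddleware(middleware, session) {
  let statusCode = 200;
  let body = "";
  let passed = false;
  const req = { session };
  const res = {
    status(code) { statusCode = code; return this; },
    end(text) { body = text || ""; return this; },
  };
  middleware(req, res, () => { passed = true; });
  return { passed, statusCode, body };
}

// Walk through the lifecycle described in the answer.
const session = {};
console.log(runMiddleware(requireAdmin, session));          // 403 before any login
login(session, "employee", "emp-secret");
console.log(runMiddleware(requireEmployee, session));       // passes
console.log(runMiddleware(requireAdmin, session));          // still 403
login(session, "admin", "adm-secret");
console.log(runMiddleware(requireAdmin, session));          // passes
logoutAdmin(session);                                       // admin role dropped, session kept
console.log(runMiddleware(requireAdmin, session));          // 403 again
console.log(runMiddleware(requireEmployee, session));       // employee flag survives
logoutAll(session);                                         // stand-in for req.session.destroy()
console.log(runMiddleware(requireEmployee, session));       // 403
```

Because every check uses strict `=== true`, a flag that was set to `false` on partial logout or never set at all is treated identically, so "logged out from admin" and "never logged in as admin" produce the same 403 response.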