How can we use graphql shield with passport js for JWT authentication
I have used the bellow code to implement that functionality but i think the parameters are not allowing the function to run
// graphql_shield.ts
const isAuthorized = rule({ cache: false })(
async (parent, args, ctx, info):Promise<any> => {
return await passportAuth.authenticateJwt;
},
);
// passport.ts
async authenticateJwt (req:any, res:Response, next:NextFunction) {
passport.authenticate('jwt', { session: false }, (error, user) => {
if (user) {
req.logged_in_user = user;
}
next();
})(req, res, next);
}
I want to use middleware to authenticate the JWT in the Bearer token
Related
I am trying to integrate passport in NestJS and to get current auth info anywhere using a decorator. My NestJs version was so old, I updated the NestJS version and changed to the code below. After I changed middleware code, I can no longer get current auth info.
How to get auth info using the changed middeware?
Code before changing the middleware:
export class authMiddlware implements NestMiddleware {
async resolve(): Promise<MiddlewareFunction> {
return async (req, res, next) => {
passport.authenticate('jwt', { session: false }, (err, user, info) => {
if (err) {
return next(err);
}
if (user) {
req.user = user;
}
return next();
})(req, res, next);
};
}
After changing the middleware:
In passport.authenticate I can get the changed user from the request, but out of passport, I cannot get the user from the request.
#Injectable()
export class authMiddlware implements NestMiddleware {
use(req: Request, res: Response, next: Function) {
passport.authenticate('jwt', { session: false }, (err, user, info) => {
if (err) {
return next(err);
}
if (user) {
req.user = user;
}
console.log(req.user)
next();
})(req, res, next);
console.log(req.user)
};
}
The user.decorator:
export const passUser= createParamDecorator((data, req) => {
return plainToClass(User, req.user);
});
I am using this passport strategy.
passport.use(
'onlyForRefreshToken',
new JWTStrategy(
{
jwtFromRequest: ExtractJWT.fromAuthHeaderAsBearerToken(),
secretOrKey: jwtSecretRider,
},
(jwtPayload, done) => {
if (jwtPayload) {
return done(null, jwtPayload);
}
return done(null, false);
},
),
);
My goal is Putting 'jwtPayload' into my rest API of Nodejs that is located at other folder.
That is, I want to use jwtPayload decoded at the code below.
exports.riderRefreshToken = async (req, res) => {
const { email } = req.body;
const exRiderRefreshToken = await Rider.findOne({ email });
}
And this router works by middleware of jwtstrategy.
router.post(
'/refreshToken',
passport.authenticate('onlyForRefreshToken', { session: false }),
authenticationCtrl.riderRefreshToken,
);
In conclusion, when JWT passes from jwtstrategy without problem, that Post router would work.
And I want to use jwtPayload that is in jwtstrategy into Nodejs API as req.params or req.body.
Could you help me this problem?
You need to wrap your strategy into a function that gets req and res :
const isAuthenticated: RequestHandler = (req, res, next) => {
passport.authenticate(
'jwt',
{ session: false, failWithError: true },
(error, user) => {
if (error) {
return next(error)
}
//HERE PUT USER WHERE YOU WANT
//req.data or req.user or req.userInfo
req.user = user
return next()
}
)(req, res, next)
}
I don't recommend putting the user into req.params nor req.body since it might be confusing later on (because technically it doesn't come from those).
I am trying to create an api where user can sign up with an email or can sign in with google, I use json web token for authentication and oauth20, the problem is, can, I pass a jwt with oauth?
I have tried passing it and, I get a token if, I console log, but how do, I pass it to the user, like can i some way attach it to the req.user object in the cb by oauth or something like that?
I am doing this in the google strategy:
async (accessToken, refreshToken, params, profile, cb) => {
const userCheck = await User.findOne({ googleId: profile.id });
if (userCheck) {
const payload = {
user: {
id: userCheck.id
}
};
jwtToken.sign(
payload,
config.get("jwtSecret"),
{ expiresIn: 360000 },
(err, token) => {
if (err) {
throw err;
}
// console.log(token);
return res.json({ token });
},
cb(null, userCheck)
);
My routes are protected like this:
router.get("/", auth, async (req, res)=>{
...some code
}
where auth is a middle ware function
This is the Auth middleware function:
module.exports = function(req, res, next) {
const token = req.header("x-auth-token");
// If no token found
if (!token)
{
return res.status(401).json({ msg: "User not authorized" });
}
// Set token to user
try {
const decoded = jwtToken.verify(token, config.get("jwtSecret"));
req.user = decoded.user;
}
catch (err)
{
res.
status(401)
.json({ msg: "User not authenticated, please login or sign up" });
}
next();
};
I found the solution, you need to pass sign the token in the passport.serializeUser and then send the it with a redirection in response of the redirect url.
The serialize user function:
passport.serializeUser(async (user, cb) => {
const payload = {
user: {
id: user.id
}
};
token = jwtToken.sign(payload, config.get("jwtSecret"), {
expiresIn: 360000
});
console.log("serialize");
cb(null, user.id);
});
The redirection route:
router.get(
"/google/redirect",
passport.authenticate("google", { sessionStorage: false }),
(req, res) => {
res.redirect("/" + token);
}
);
I'm building a small application where a user logs in and gets redirected to /profile. Right now, I fetch the JWT from localstorage and check it via the server. The server then sends it back to the client to tell me if it's a valid session or not.
jQuery/Client:
UserController.initPanel = () => {
if (session === null) {
window.location = "/";
} else {
UserController.requestAuth(session);
}
};
UserController.requestAuth = (sessionToken) => {
var settings = {
"url": "/api/auth",
"method": "POST",
"headers": {
"Content-Type": "application/json",
"Authorization": `Bearer ${sessionToken}`,
},
"data": ""
}
$.ajax(settings).done(function (response) {
console.log(response);
});
};
Node.js/auth.js route:
router.post("/", (req, res) => {
const authHeader = req.headers.authorization;
if (typeof authHeader !== 'undefined') {
const bearerToken = authHeader.split(' ')[1];
verifyToken(bearerToken, (authData) => {
tokenRequest(authData, (authResponse) => {
handleAuthResponse(req, res, authResponse);
})
});
}
});
const handleAuthResponse = (req, res, authResponse) => {
console.log(authResponse);
return res.status(200).json(authResponse);
}
const verifyToken = (token, cb) => {
jwt.verify(token, 'mysecret', (err, authData) => {
if (err) {
res.sendStatus(403)
} else {
cb(authData);
}
});
}
const tokenRequest = (authHeader, cb) => {
//console.log(authHeader);
var config = {
headers: {'Authorization': `bearer ${authHeader.token}`}
};
axios.get('https://myapi.dev/api/session/me', config)
.then((res) => {
if (res.data.error) {
return response.data
} else {
cb(res.data);
}
})
.catch((error) => {
console.log('error', error);
});
}
I feel like this isn't the correct way to do it. I'm rendering templates with ejs:
router.get("/profile", (req, res) => {
const settings = {
title: "Profile",
revslider: false
};
res.render("profile/profile", { settings: settings } );
});
And if for some reason, JS is disabled, /profile is still accessible. Which isn't that big of a problem, it just feels wrong.
So, is it possible to access /profile route, securely checking for authorization server-side first, before rendering?
Also, auth.js returns some user data I could use in the .ejs template. So that's another reason I'd like to try check auth before rendering as well.
EDIT:
Auth middleware, which I didn't use because I wasn't sure how to pass in the token?
module.exports = (req, res, next) => {
try {
const decoded = jwt.verify(req.body.token, 'mysecret');
req.token = decoded;
} catch (error) {
console.log(error);
return res.status(401).json({
message: 'Auth Failed'
});
}
next();
}
Very basic middleware implementation below which leverages express and express-session.
We basically create a simple function to check req.session exists, within that object, you could have something that identifies whether the user has actually authenticated. I'd recommend you add your own logic here to further check the user status.
const authCheckMiddleware = (req, res, next) => {
// Perform auth checking logic here, which you can attach
// to any route.
if(!req.session) {
return res.redirect('/');
}
next();
};
The authCheckMiddleware can be attached to any route, with app.use or router.use. The req object is passed to all middleware.
// Use the authCheckMiddleware function
router.use('/profile', authCheckMiddleware);
Your router.get('/profile') call is now protected by the above middleware.
// Route protected by above auth check middleware
router.get("/profile", (req, res) => {
const settings = {
title: "Profile",
revslider: false
};
res.render("profile/profile", { settings: settings } );
});
I am currently unit testing all my routes, including some that are using a custom passport authentication function. I am trying to mock the passport function to test error handling, but I keep getting the error:
TypeError: _passport.default.authenticate(...) is not a function
Here is the actual code that runs in /controllers/users.js:
export const persistentLogin = (req, res, next) => {
// Authenicate the cookie sent on the req object.
passport.authenticate('jwt', { session: false }, async (authErr, user) => {
// If there is an system error, send 500 error
if (authErr) return res.sendStatus(500);
// If no user is returned, send response showing failure.
if (!user) {
return res.status(200).json({
success: 'false',
});
}
})(req, res, next);
};
Here is the testing code in /tests/controllers/users.js:
import passport from 'passport';
import { persistentLogin } from '../../controllers/users';
beforeEach(() => {
mockResponse = () => {
const response = {};
response.status = jest.fn().mockReturnValue(response);
response.json = jest.fn().mockReturnValue(response);
response.sendStatus = jest.fn().mockReturnValue(response);
response.clearCookie = jest.fn().mockReturnValue(response);
response.cookie = jest.fn().mockReturnValue(response);
return response;
};
});
/**
* persistentLogin Tests
*/
describe('Persistent Login Controller', () => {
beforeEach(() => {
req = {};
res = mockResponse();
validateLoginForm.mockClear();
bcrypt.compare.mockClear();
});
// Passport authenication error
test('Should show passport authenication error', async () => {
passport.authenticate = jest.fn((authType, options, callback) => callback('This is an error', null));
await persistentLogin(req, res);
expect(passport.authenticate).toHaveBeenCalledTimes(1);
expect(res.sendStatus).toHaveBeenCalledWith(500);
});
});
If I had to guess, I would say it has something to do with how the (req, res, next) objects are passed into the live function after the fact. But since we are just mocking the function, I am not sure if it actually needs access to those objects.
EDIT #1:
Per the comment from #jakemingolla, I am now thinking it may be because Jest is not running my app.js file which defines my custom JWT strategy.
Here is the code from the /app.js file:
import passport from 'passport';
import passportJWTStrategy from './utils/auth/passport';
app.use(passport.initialize());
passportJWTStrategy(passport);
And the code from the /utils/auth/passport.js file:
import { Strategy } from 'passport-jwt';
/**
* Verifies JWT payload
*
* #param passport The instance of passport module.
*/
export default (passport) => {
const JWTStrategy = Strategy;
// Setup Options Object
const opts = {};
opts.jwtFromRequest = req => req.cookies.jwt;
opts.secretOrKey = process.env.PASSPORT_SECRET;
passport.use(
new JWTStrategy(opts, (jwtPayload, done) => {
if (Date.now() > jwtPayload.expire_date) {
return done('jwt expired');
}
return done(null, jwtPayload);
}),
);
};
You just need a small change:
Your mock for passport.authenticate just needs to return a function:
passport.authenticate = jest.fn((authType, options, callback) => () => { callback('This is an error', null); });
In the question you mock passport.authenticate, but in this case verify function of your strategy is not called. If you want to run this function as well or mock specific strategy then try something like this:
sinon
.stub(passport._strategies.google, 'authenticate')
.callsFake(function verified() {
const self = this;
this._verify(
null,
null,
{
_json: { email: faker.internet.email() },
name: {
givenName: faker.name.firstName(),
familyName: faker.name.lastName(),
},
},
(err, user, info) => {
if (err) {
return self.error(err);
}
if (!user) {
return self.fail(info);
}
return self.success(user, info);
}
);
});
const response = await supertest(app)
.get('/google/callback?code=123');