Nuxt auth with passportjs? - passport.js

How use nuxt auth Module (front-end) with passport-local using JWT (back-end express) ?
defining jwt strategy for verify jwt token (express)
var JwtStrategy = require('passport-jwt').Strategy,
ExtractJwt = require('passport-jwt').ExtractJwt;
var opts = {}
opts.jwtFromRequest = ExtractJwt.fromAuthHeaderAsBearerToken();
opts.secretOrKey = 'secret';
opts.issuer = 'accounts.examplesoft.com';
opts.audience = 'yoursite.net';
passport.use(new JwtStrategy(opts, function(jwt_payload, done) {
User.findOne({id: jwt_payload.sub}, function(err, user) {
if (err) {
return done(err, false);
}
if (user) {
return done(null, user);
} else {
return done(null, false);
// or you could create a new account
}
});
}));
defining local strategy for verify username nad password (express)
passport.use(new LocalStrategy(
function(username, password, done) {
User.findOne({ username: username }, function (err, user) {
if (err) { return done(err); }
if (!user) { return done(null, false); }
if (!user.verifyPassword(password)) { return done(null, false); }
return done(null, user);
});
}
));
code for issuing token after verifying username and password (expresss)
app.post('/login',
passport.authenticate('local', { failureRedirect: '/login' }), //need to update from nuxt auth.
function(req, res) {
res.redirect('/');
});
nuxt auth local strategy consume username and passsword returns a JWT token (nuxt)
this.$auth.loginWith('local', {
data: {
username: 'your_username',
password: 'your_password'
}
})
It can work independently how do i combine these ?

code for express
Create passport strategies
const passport = require('passport');
const LocalStrategy = require('passport-local').Strategy;
const JwtStrategy = require('passport-jwt').Strategy;
passport.use(
new LocalStrategy(
{
usernameField: 'username',
passwordField: 'password'
},
function(username, password, done) {
users.findOne({ email: username }, function(err, user) {
if (err) {
return done(err);
}
if (!user) {
return done(null, false, { error: 'Invalid username' });
}
if (!user.checkPassword(password)) {
return done(null, false, { error: 'invalid password' });
}
const info = { scope: '*' };
done(null, user, info);
});
}
)
);
const opts = {};
opts.jwtFromRequest = ExtractJwt.fromAuthHeaderAsBearerToken();
opts.secretOrKey = 'JWT_SECRET_OR_KEY';
passport.use(
new JwtStrategy(opts, function(payload, done) {
users.findById(payload, function(err, user) {
if (err) {
return done(err, false);
}
if (user) {
return done(null, user);
}
return done(null, false);
});
})
);
use passport strategies
const express = require('express');
const passport = require('passport');
const app = express();
app.use(express.json());
app.use(express.urlencoded({ extended: false }));
app.use(cookieParser());
app.use(passport.initialize()); // Used to initialize passport
// Routes
app.post(
'/login',
passport.authenticate('local', { session: false }),
function(req, res) {
const token = jwt.sign(req.user.userId, 'JWT_SECRET_OR_KEY');
return res.json({ token });
}
);
app.get(
'/me',
passport.authenticate(['jwt', 'bearer'], { session: false }),
function(req, res, next) {
const { userId } = req.user;
users.findOne({ _id: userId }, (err, data) => {
if (err) {
res.status(500).send(err);
} else if (data) {
const userData = data;
res.status(200).send(userData);
} else {
res.status(500).send('invalid token');
}
});
}
);
configuration for nuxt
inside nuxt.config.js
auth: {
resetOnError: true,
redirect: {
login: '/login', // User will be redirected to this path if login is required.
home: '/app/dashboard', // User will be redirect to this path after login. (rewriteRedirects will rewrite this path)
logout: '/login', // User will be redirected to this path if after logout, current route is protected.
user: '/user/profile',
callback: '/callback // User will be redirect to this path by the identity provider after login. (Should match configured Allowed Callback URLs (or similar setting) in your app/client with the identity provider)
},
strategies: {
local: {
endpoints: {
login: {
url: '/login',
method: 'post',
propertyName: 'token'
},
logout: false,
user: {
url: '/me',
method: 'GET',
propertyName: false
}
},
tokenRequired: true,
tokenType: 'Bearer'
}
}
inside Login .vue
this.$auth
.loginWith('local', {
data: {
username: this.user.email,
password: this.user.password
}
})
.catch(err => {
console.error(err );
});

Related

How to handle multiple session when using multiple stratgies in PassportJs with ExpressJs?

I'm developping an app where I want the user to login with thier discord account (Need do some check; checking user guilds, and roles) then when the user met the requirements, then I can allow that user authenticate with twitter to get some permissions. The first created session(session.sid) is overided by the last strategy used.
I'm using Mongodb to store users sessions, twitter, and discord information. I want to keep the previous sessions for other provider.
Routes part:
router.get('/discord', passport.authenticate('discord'), (req, res) => {
res.send(200)
})
router.get('/discord/redirect', passport.authenticate('discord'), (req, res) => {
res.send({msg: "Success loging with discord..."})
})
router.get('/discord-status', (req, res) => {
return req.user ? res.send(req.user):res.send({error: 403, message: 'Unauthorized user.'
})
})
router.get('/twitter', passport.authenticate('twitter', { failureRedirect: '/login', failureMessage: true }),
function(req, res) {
res.redirect('/');
})
router.get('/twitter/redirect', passport.authenticate('twitter'), (req, res) => {
res.send({msg: "Success loging with twitter..."})
})
router.get('/twitter-status', (req, res) => {
console.log(req.user)
return req.user ? res.send(req.user):res.send({error: 403, message: 'Unauthorized user.'
})
})
Discord passport part:
import passport from 'passport';
import { Profile, Strategy } from 'passport-discord';
import { VerifyCallback } from 'passport-oauth2';
import { User } from '../database/schemas';
import { config } from "dotenv"
// get env variables
config()
passport.serializeUser((user: any, done) => {
console.log(`Serialization: ${user} - ${user.id}`)
return done(null, user.id);
});
passport.deserializeUser(async (id: string, done) => {
console.log(`Deserialization: ${id}`)
try {
const user = await User.findById(id);
return user ? done(null, user) : done(null, null);
} catch (err) {
console.log(err);
return done(err, null);
}
});
passport.use(
new Strategy(
{
clientID: process.env.DISCORD_CLIENT_ID!,
clientSecret: process.env.DISCORD_CLIENT_SECRET!,
callbackURL: process.env.DISCORD_CALLBACK_URL,
scope: ['identify', 'email', 'guilds'],
},
async (
accessToken: string,
refreshToken: string,
profile: Profile,
done: VerifyCallback
) => {
const { id: discordId } = profile;
try {
const existingUser = await User.findOneAndUpdate(
{ discordId },
{ accessToken, refreshToken },
{ new: true }
);
if (existingUser) return done(null, existingUser);
const newUser = new User({ discordId, accessToken, refreshToken });
const savedUser = await newUser.save();
return done(null, savedUser)
// TO NOT AUTHORIZE THE USER WHEN ISN'T IN GUILD
// AND HASN'T THE REQUIRED ROLE
// return done(null, false)
} catch (err) {
console.log(err);
return done(err as any, undefined);
}
}
)
);
Twitter passport part:
const passport = require('passport')
import {config} from "dotenv"
var Strategy = require('passport-twitter');
import { TwitterAccounts } from '../database/schemas';
// get env variables
config()
passport.serializeUser((user: any, done: any) => {
console.log(`Serialization: ${user} - ${user.id}`)
return done(null, user.id);
});
passport.deserializeUser(async (id: string, done: any) => {
console.log(`Deserialization: ${id}`)
try {
const user = await TwitterAccounts.findById(id);
return user ? done(null, user) : done(null, null);
} catch (err) {
console.log(err);
return done(err, null);
}
});
passport.use(
new Strategy(
{
consumerKey: process.env.TWITTER_CONSUMER_KEY,
consumerSecret: process.env.TWITTER_CONSUMER_SECRET_KEY!,
callbackURL: process.env.TWITTER_CALLBACK_URL,
},
async (
token: any,
tokenSecret: any,
profile: any,
cb: any
) => {
const { id: twitterId, username: userName } = profile;
try {
const existingUser = await TwitterAccounts.findOneAndUpdate(
{ twitterId },
{ token, tokenSecret, userName},
{ new: true }
);
console.log({ twitterId }, { token, tokenSecret, userName})
if (existingUser) return cb(null, existingUser);
const newUser = new TwitterAccounts({ twitterId, token, tokenSecret, userName });
const savedUser = await newUser.save();
return cb(null, savedUser)
} catch (err) {
console.log(err);
return cb(err as any, undefined);
}
}
)
);
The discord part is working and the session persist:
Session {
cookie: {
path: '/',
_expires: 2023-10-25T15:47:55.818Z,
originalMaxAge: 31104000000,
httpOnly: true
},
passport: { user: '635e9cab54916ceacbb2035c' }
}
but for the twitter it isn't
Session {
cookie: {
path: '/',
_expires: 2023-10-25T15:38:35.503Z,
originalMaxAge: 31104000000,
httpOnly: true
},
passport: {}
}
As you see the passport key is empty.
How to handel multiple cookie please, any help or advice will be appreciated. Thanks

login works even if the password incorrect using passportJs

I am trying to build authentication system for my website , and I am using express to build server , and passport local strategy for authentication ,
let passport = require("passport");
let LocalStrategy = require("passport-local").Strategy;
let session = require("express-session");
app.use(session({ secret: "super secret" }));
app.use(passport.initialize());
app.use(passport.session());
passport.use(
new LocalStrategy(function (username, password, done) {
User.findOne({ username: username }, function (err, user) {
if (err) {
return done(err);
}
if (!user) {
return done(null, false);
}
return done(null, user);
});
})
);
when I signup , everything works and hashed password save in the database :
app.post("/signup", async (req, res) => {
let { fullname, email, username, password } = req.body;
let user = new User({ fullname, email, username });
await User.register(user, password);
res.redirect("/login");
});
but when I try to login , the user logins if the username is exists regardless the password :
app.post(
"/login",
passport.authenticate("local", {
failureFlash: true,
failureRedirect: "/login",
}),
async (req, res) => {
let user = await User.findById(req.user._id);
if (user.lastLogin === undefined) {
await User.updateOne({ _id: user._id }, { lastLogin: Date.now() });
res.redirect("/final-step");
}
res.redirect("/hi");
}
);
Hope to help me , thanks
I solved the problem by replace this code :
passport.use(
new LocalStrategy(function (username, password, done) {
User.findOne({ username: username }, function (err, user) {
if (err) {
return done(err);
}
if (!user) {
return done(null, false);
}
return done(null, user);
});
})
);
by :
passport.use(new LocalStrategy(User.authenticate()));
I had the same issue, I solved it by adding
{ strictQuery: false }
in the schema like this:
new Schema({}, {
strictQuery: false
})
after that it was returning correct values

Node.js/Passport Twitter authorization returns 302

I'm doing a POST request to authorize Twitter via Passport Twitter strategy. The request is going on fine if I use Postman but it fails with if I use it in my app. I get a 302 in response and this in browser console
Error: Network Error
Stack trace:
createError#webpack-internal:///99:16:15
handleError#webpack-internal:///96:87:14
From what I read on the net I found that 302 would be because of some bad implementation of the a redirect call? Maybe is it that twitter does when authorizing a application and I'm not handling it correctly?
The code is as follows. Client-side using Vuejs with Axios to send a request.
Vue template:
<template>
<card>
<h4 slot="header" class="card-title">Edit linked accounts</h4>
<form>
<button type="submit" class="btn btn-info btn-fill" #click.prevent="authTwitter">
Link Facebook
</button>
<div class="clearfix"></div>
</form>
</card>
</template>
<script>
import Card from 'src/components/UIComponents/Cards/Card.vue'
import controller from '../../../../../src/controller/AuthController'
export default {
components: {
Card
},
data () {
return {
}
},
methods: {
authTwitter () {
let token = this.$session.get('jwt')
controller.http.post('/auth/twitter',{}, {
headers: {
Authorization: 'Bearer ' + token
}
})
.then(function(response) {
console.log(response)
})
.catch(function(error) {
console.log(error);
})
}
}
}
</script>
<style>
</style>
Axios settings:
const axios = require('axios');
const config = require('../../config/index.js')
let http = axios.create({
baseURL: config.url,
'Content-Type' : 'application/x-www-form-urlencoded',
'Access-Control-Allow-Origin':'*'
})
module.exports = {
http
}
And in my backend I'm doing the following:
Passport settings:
const passport = require('passport');
const StrategyTwitter = require('passport-twitter').Strategy,
LocalStrategy = require('passport-local').Strategy;
const JwtStrategy = require('passport-jwt').Strategy,
ExtractJwt = require('passport-jwt').ExtractJwt;
const {
User,
UserDetails,
UserAccounts
} = require('../models');
const bcrypt = require('bcrypt-nodejs');
const jwt = require('jsonwebtoken');
const config = require('../config/config');
let session = require('express-session')
var opts = {}
opts.jwtFromRequest = ExtractJwt.fromAuthHeaderAsBearerToken();
opts.secretOrKey = config.secretKey;
module.exports = function(app) {
// Local sign-in stragetgy
passport.use('local-signin', new LocalStrategy(
function(username, password, done) {
User.findOne({
where: {
username: username
}
}).then(function(data) {
bcrypt.compare(password, data.password, function(err, response) {
if (err) {
return done(err);
}
const token = jwt.sign({
id: data.id
}, config.secretKey, {
expiresIn: 86400 // 86400 expires in 24 hours
});
return done(null, token);
});
}).catch(function(error) {
return done(error)
});
}
));
// Local sign-up strategy
passport.use('local-signup', new LocalStrategy({
usernameField: 'username',
passwordField: 'password',
passReqToCallback: true // allows us to pass back the entire request to the callback
},
function(req, username, password, done) {
process.nextTick(function() {
User.beforeCreate(function(req) {
return encryptPass(req.password)
.then(success => {
req.password = success;
})
.catch(err => {
if (err) console.log(err);
});
});
User.create({
username: username,
password: password
}).then(function(data) {
UserDetails.create({
username: req.body.username,
name: req.body.name,
dob: req.body.dob,
phone: req.body.phone,
gender: req.body.gender,
address: req.body.address,
country: req.body.country,
}).then(function(data) {
UserAccounts.create({
username: username
}).then(function(data) {
return done(null, data);
}).catch(function(error) {
return done(error.message);
});
}).catch(function(error) {
return done(error.message);
});
}).catch(function(error) {
return done(error.message);
});
})
}
));
// Passport Jwt strategy
passport.use('jwt', new JwtStrategy(opts, function(jwt_payload, done) {
console.log('jwt', jwt_payload);
UserDetails.findOne({
where: {
id: jwt_payload.id
}
})
.then(function(user) {
return done(null, user.id);
})
.catch(function(err) {
return done(err, false);
});
}));
// Use sessions for twitterStrategy Oauth1 authorizations.
passport.serializeUser(function(user, cb) {
console.log('user', user)
cb(null, user);
});
passport.deserializeUser(function(obj, cb) {
console.log('obj', obj)
cb(null, obj);
});
// Configure the Twitter strategy for use by Passport.
//
// OAuth 1.0-based strategies require a `verify` function which receives the
// credentials (`token` and `tokenSecret`) for accessing the Twitter API on the
// user's behalf, along with the user's profile. The function must invoke `cb`
// with a user object, which will be set at `req.user` in route handlers after
// authentication.
passport.use('twitter-authz', new StrategyTwitter({
consumerKey: config.keys.twitter.consumerKey,
consumerSecret: config.keys.twitter.consumerSecret,
callbackURL: process.env.CALLBACK_URL_TWITTER || 'http://120.0.0.1:8000/#/dashboard/user'
},
function(token, tokenSecret, profile, cb) {
process.nextTick(function() {
// In this example, the user's Twitter profile is supplied as the user
// record. In a production-quality application, the Twitter profile should
// be associated with a user record in the application's database, which
// allows for account linking and authentication with other identity
// providers.
console.log(token, tokenSecret, profile);
return cb(null, profile);
})
}));
// Initialize Passport and restore authentication state, if any, from the
// session.
app.use(passport.initialize());
// Session for twitterStrategy
app.use(session({
secret: config.secretKey,
resave: false,
saveUninitialized: false
}));
}
function encryptPass(pass) {
return new Promise((resolve, reject) => {
bcrypt.hash(pass, null, null, function(err, hash) {
if (err) {
return reject(err);
};
return resolve(hash);
})
})
}
And my router settings:
const AuthControllerPolicy = require('./controllers/policies/AuthControllerPolicy.js')
const AuthController = require('./controllers/AuthController.js')
const passport = require('passport');
module.exports = (app) => {
app.post('/auth/twitter',
passport.authenticate('jwt', { session: false }),
passport.authorize('twitter-authz', { session: false }),
AuthController.authTwitter)
}
Answer found here: Axios and twitter API
Looks like Twitter would not allow CORS request and it must be done only from the server-side.

Passport.authenticate not sending a response

I'm using Passport for authentication, specifically with a JWT strategy. I'm able to create a new token when a user is created, however, when I use that token in the header of a request to a route that requires authentication, my request just hangs up. I'm using Postman to test these POST/GET requests.
Here's my initial configuration for signing up a user:
const User = require('../db/models/User');
const jwt = require('jsonwebtoken');
function userToken(user) {
return jwt.sign({
id: user.id,
}, process.env.JWT_SECRET);
}
exports.signup = function(req, res, next) {
const email = req.body.email.toLowerCase();
const password = req.body.password.toLowerCase();
User.findOne({
where: { email },
}).then(function(user) {
if (!user) {
User.create({
email,
password,
})
.then(function(user) {
return res.send({ token: userToken(user) });
});
}
if (user) {
return res.send({ message: 'That user is in use' });
}
});
};
Here's my passport configuration:
const passport = require('passport');
const JwtStrategy = require('passport-jwt').Strategy;
const ExtractJwt = require('passport-jwt').ExtractJwt;
const User = require('../db/models/User');
const jwtOptions = {
jwtFromRequest: ExtractJwt.fromHeader('authorization'),
secretOrKey: process.env.JWT_SECRET,
};
const jwtLogin = new JwtStrategy(jwtOptions, function(payload, done) {
User.findOne({
where: { id: payload.id },
}, function(err, user) {
if (err) { return done(err, false); }
if (user) { return done(null, user); }
return done(null, false);
});
});
passport.use(jwtLogin);
Here's what my protected route looks like:
const passport = require('passport');
const requireAuth = passport.authenticate('jwt', { session: false });
module.exports = function router(app) {
app.get('/', requireAuth, function(req, res) {
res.send({ 'hi': 'there' });
});
};
Here's what I see in my terminal:
Executing (default): SELECT "id", "username", "email", "password", "photo", "createdAt", "updatedAt" FROM "users" AS "user" WHERE "user"."id" = 15;
So I know that it's correctly querying for a user id and searching for it, however, it just hangs up at this point, rather than serving me a response.
Not sure what the issue is, so any and all suggestions are welcomed and appreciated. Thank you!
Realized that because I am using Sequelize, it handles errors with a catch like so:
...
const jwtLogin = new JwtStrategy(jwtOptions, function(payload, done) {
User.findOne({
where: { id: payload.id }
})
.then(user => {
if (user) {
done(null, user);
} else {
done(null, false);
}
})
.catch(err => {
if (err) { return done(err, false); }
});
});
...
This solved my issue and is returning my response.

How to configure and package passport as a one module?

I test my routes in Advanced Rest Client, and with my code the output is 401, Unauthorized. I don't understand why this is happening.
I packaged my authentication in one module. Then, I invoke it in my server file with wagner-core(dependency injector):
wagner.invoke(require('./passport-init'),{ app: app })
passport.js:
'use strict'
const bCrypt = require('bcryptjs')
const passport = require('passport')
const LocalStrategy = require('passport-local').Strategy
const session = require('express-session')
module.exports = (User, app) => {
passport.serializeUser((user, done) => {
done(null, user._id)
})
passport.deserializeUser((id, done) => {
User.findOne({ _id: id }).exec(done)
})
passport.use('login', new LocalStrategy({ passReqToCallback: true }, (req, username, password, done) => {
User.findOne({ username: username }, (err, user) => {
if (err) { return done(err) }
if (!user) { return done(null, false, { message: 'Invalid username' }) }
if (!isValidPassword(user, password)) {
return done(null, false, { message: 'Invalid password' })
}
return done(null, user)
})
}))
app.use(session({
secret: process.env.SESSION_SECRET || 'secret',
resave: false,
saveUninitialized: false
}))
app.use(passport.initialize())
app.use(passport.session())
app.post('/login', passport.authenticate('login'), (req, res) => {
res.redirect('/users/' + req.user.username)
})
}
function isValidPassword (user, password) {
return bCrypt.compareSync(password, user.password)
}
I figured it out. It was something to do with my routes, and isValidpassword function.
Heres the amended code:
'use strict'
const bCrypt = require('bcryptjs')
const passport = require('passport')
const LocalStrategy = require('passport-local').Strategy
const session = require('express-session')
module.exports = (User, app) => {
passport.serializeUser((user, done) => {
done(null, user._id)
})
passport.deserializeUser((id, done) => {
User.findById(id, (err, user) => {
done(err, user)
})
})
passport.use('login', new LocalStrategy({ passReqToCallback: true }, (req, username, password, done) => {
process.nextTick(() => {
User.findOne({ username: username }, (err, user) => {
if (err) { return done(err) }
if (!user) { return done(null, false, { message: 'Invalid username' }) }
if (!user.password) {
bCrypt.compareSync(password, user.password)
return done(null, false, { message: 'Invalid password' })
}
return done(null, user)
})
})
}))
passport.use('signup', new LocalStrategy({ passReqToCallback: true }, (req, username, password, done) => {
process.nextTick(() => {
User.findOne({ username: username }, (err, user) => {
if (err) { return done(err) }
if (user) {
return done(null, false, { message: 'User already exists' })
} else {
let newUser = new User()
newUser.username = req.body.username
newUser.password = createHash(req.body.password)
newUser.save((err) => {
if (err) throw err
return done(null, newUser)
})
}
})
})
}))
app.use(session({
secret: 'secret',
resave: false,
saveUninitialized: false
}))
app.use(passport.initialize())
app.use(passport.session())
app.get('/success', (req, res) => {
res.send({ state: 'success', user: req.user ? req.user : null })
})
app.post('/login', passport.authenticate('login', {
successRedirect: '/success',
failureRedirect: '/fail'
}))
app.post('/signup', passport.authenticate('signup', {
successRedirect: '/success',
failureRedirect: '/fail'
}))
}
function createHash (password) {
return bCrypt.hashSync(password, bCrypt.genSaltSync(10), null)
}

Resources