I'm using passport to authenticate using Google API, I'm sending a token by URL to the client (React app) which saves it in the localStorage.
I want to use that token : With every API call (get, post, put) I want to send that token to the server , but I didn't know how to verify that token on the server side.
Passport Startegy :
app.use(passport.initialize()); // Used to initialize passport
app.use(passport.session()); // Used to persist login sessions
passport.use(new GoogleStrategy({
clientID: 'IDxxxxx',
clientSecret: 'SecreXXX',
callbackURL: 'http://localhost:3000/callback'
},
(accessToken, refreshToken, profile, done) => {
// Directory API here
var userData = {
name: profile.displayName,
token: accessToken
};
done(null, userData);
Authentication :
app.get('/auth/google', passport.authenticate('google', {
scope: ['profile'] // Used to specify the required data
}));
// The middleware receives the data from Google and runs the function on Strategy config
app.get('/callback', passport.authenticate('google'), (req, res) => {
var token = req.user.token;
res.redirect("http://localhost:8000?token=" + token);
});
API in express (which contains CRUD methods) :
app.use('/api', movieRouter)
In react side : Getting the token
componentWillMount() {
var query = queryString.parse(this.props.location.search);
if (query.token) {
window.localStorage.setItem("jwt", query.token);
// appel a directory api (avec token) puis sauvergarder dans redux puis redirection vers liste demandes
this.props.history.push("/");
}
}
Doing API calls :
import axios from 'axios'
const api = axios.create({
baseURL: 'http://localhost:3000/api',
})
export const insertMovie = payload => api.post(`/movie`, payload)
I just need to send the token in every call and check it in the server side.
Thanks
You want to set the token in a header most likely, try changing your axios client to something like
const api = axios.create({
baseURL: 'http://localhost:3000/api',
headers: {
Authorization: `Bearer ${your_token_here}`
}
})
I'm not 100% sure if this is the correct header form that passport will be expecting, but it's the general idea you need to do.
If the token is correctly set in the header, session, or cookie by the client as noted by Bill Metcalf, then express is able to authenticate a route/endpoint by adding the passport.authenticate middleware function to the route, like so
app.use('/api', passport.authenticate('google', {failureRedirect:'/login'}), movieRouter)
Refer to http://www.passportjs.org/docs/google/ for more information
For every API that you want to verify the token, you can pass a verify token function (which I call 'isCorrectToken') before taking action like this:
router.get("/api", isCorrectToken, (req, res) => {
// your api content })
And then, this is our isCorrectToken function:
const isCorrectToken = (req, res, next) => {
const token = req.headers.authorization;
if(token){
const onlyToken = token.slice(7, token.length);
jwt.verify(onlyToken, accessToken, (err, decode) => {
if(err) return res.status(401).send({ msg: 'Invalid Token' });
req.user = decode;
next();
return;
});
}
else return res.status(401).send({ msg: 'Token is not supplied'});}
The number 7 is the length of 'Bearer ' (from Bill Metcalf's answer above).
Related
My goal is to create an authentication backend and I would like to implement google's Oauth2, and for that I decided to follow the passport documentation. My only issue is, how can I test this on my Postman? I'm just developing a backend and I don't know if it's working, I know it sounds a little silly but for a beginner like me it's a lot. Thanks
const dotenv = require('dotenv').config();
const express = require('express');
const passport = require('passport');
var GoogleStrategy = require('passport-google-oauth20').Strategy;
const app = express();
const port = process.env.PORT;
passport.use(new GoogleStrategy({
clientID: process.env.GOOGLE_CLIENT_ID,
clientSecret: process.env.GOOGLE_CLIENT_SECRET,
callbackURL: "http://www.example.com/auth/google/callback"
},
function(accessToken, refreshToken, profile, cb) {
User.findOrCreate({ googleId: profile.id }, function (err, user) {
return cb(err, user);
});
}
));
app.get('/auth/google',
passport.authenticate('google', { scope: ['profile'] }));
app.get('/auth/google/callback',
passport.authenticate('google', { failureRedirect: '/login' }),
function(req, res) {
res.redirect('/');
});
try {
app.listen(port);
console.log(`Server starting on port ${port}`);
} catch (err) {
console.log(err);
}
Whichever OAuth2 service is pretty simply, if you step into it ;)
In first step you send client_id and client_secret to authorization uri.
In second step, the user authenticates with his credentials and you receive the code which you exchange with authorization server for token.
You make request with Bearer token.
Postman can handle some of the things for you. So:
In Google Dev Console create your credentials.
As callback uri fill in:
https://www.getpostman.com/oauth2/callback
https://oauth.pstmn.io/v1/callback
In Postman create new Collection and define following variables:
Define following Authorization:
When you click Get New Access Token you will be asked to login to Google and get back with token.
With this token you can use whichever service you have in scope and your project on Developer Console includes (look for Enabled APIs and services).
Example request:
Create new GET request and save it in your collection, so the variables and tokens are inherited.
URL is: https://www.googleapis.com/oauth2/v1/userinfo?alt=json
Auth in Postman: Inherit auth from parent.
And Send...
Took me months to understand, so hope you'll be swifter :)
I am developing a nodejs application in which I want to use Microsoft AD oath2 flow. I looked into Microsoft's official documentation here and found that they list two libraries -
msal-node
passport-azure-ad
I need help selecting the library which will best serve my needs. I need to -
perform authentication
protect some apis via token verification
expose all the apis so that they can be tested externally
call external web apis within my app
Also, the documentation says that "Acces web apis" is not possible with passport-azure-ad. What do they mean by this?
I've used passport-azure-ad to handle Azure SSO in a complex login service which involved many different authentication protocols.
It worked perfectly fine to establish the client credential flow, in which the session is managed by the back-end.
The msal-node library is better to implement an implicit flow, in which an SPA gains access to a token which can then be used to obtain data from the identity provider.
Another way around it would be to use passport-azure-ad to handle the login, and then tie that in to a custom JWT generation system.
That would end up looking something like this:
const passport = require('passport');
const OIDCStrategy = require('passport-azure-ad').OIDCStrategy;
const Token = require('Token.js');
settings = {
azureDirectoryId: '',
azureClientId: '',
azureClientSecret: '',
callbackUrl: 'https://example.com/auth/callback',
}
passport.use(new OIDCStrategy(
{
identityMetadata: `https://login.microsoftonline.com/${settings.azureDirectoryId}/.well-known/openid-configuration`,
clientID: settings.azureClientId,
responseType: 'code id_token',
responseMode: 'form_post',
redirectUrl: settings.callbackUrl,
clientSecret: settings.azureClientSecret,
// ...additional settings if needed
},
(req, iss, sub, profile, accessToken, refreshToken, done) => {
process.nextTick(async () => {
profile.accessToken = accessToken;
profile.refreshToken = refreshToken;
profile.token = Token.generate(profile);
done(null, profile);
});
},
));
router.get('/auth/login', (req, res, next) => {
passport.authenticate('azuread-openidconnect', {
response: res,
resourceURL: null,
customState: Math.random().toString(36).substr(2, 10),
failureRedirect: '/failure',
})(req, res, next);
});
router.use('/auth/callback', (req, res, next) => {
passport.authenticate('azuread-openidconnect', {
response: res,
successRedirect: '/success',
failureRedirect: '/failure',
})(req, res, next);
});
router.get('/auth/success', (req, res, next) => {
if (req.user.token) {
res.cookie('token', req.user.token);
return res.redirect('https://example.com');
}
failure(req, res);
});
const failure = (req, res) => {
req.session.destroy(() => {
res.clearCookie('token', cookieSettings);
res.redirect('https://example.com');
});
};
router.get('/auth/failure', failure);
This way, sending the user to https://example.com/auth/login would start off the process of authentication via passport. Once completed, you'd generate a JWT with the information returned from the identity provider (Token.generate(profile);), store that token as a cookie, and redirect the user back to the homepage.
Dears,
there are a lot of examples around passport google, but there should be something I missed. I know my question might be marked as "possible duplicate", but sorry I can't find the answer, or none of them are fixing my issue.
the user clicks a href link on the client (running on https://localhost:3000), calling the googleauth route on the server (running on https://localhost).
On server side, passport process is running well, the callbackUrl is on the server side at /googleauth/redirect.
Then in this callback, I can hardcoded the redirect to 'https://localhost:3000'. that works fine.
But I don't want this. I want the server to catch the initial url from the client (so https://localhost:3000), keep it in the session and then use this information in the redirect.
In the google auth route, I set the toRedirect variable into the session thanks a middleware, before calling the passport.authenticate.
googleRouter.get('/', (req, res, next) => {
if (!req.session.toRedirect) req.session.toRedirect = req.socket.remoteAddress;
next();
}, Auth.passport.authenticate('google', {
scope: ['profile', 'email', 'https://mail.google.com/'],
accessType: 'offline',
prompt: 'consent',
session: false // <-- whatever true or false, same issue
})
);
However once the google process is complete (choose the google account and confirm the acces to user data), the sessionID is different in the callback, therefore the url to redirect is undefined... And of course the remote address is no longer the client one, but the google authentification APIs one...
googleRouter.get('/redirect', Auth.passport.authenticate('google', { session: false }), (req, res) => {
console.log(req.session.toRedirect, req.sessionID, req.socket.remoteAddress) // <--- sessionID is different so req.session.toRedirect is undefined
res.redirect('https://localhost:3000'); /<--- hardocded here but I want res.redirect(req.session.toRedirect).
});
So guys, how did you send back the google auth results to your clients ?
Here is the code
apps.js
const passport = Auth.passport;
app.use(passport.initialize());
app.use(passport.session()); <-- whatever set or not, same issue
auth.js
const googleOptions = {
clientID: sds,
clientSecret: dsadd,
callbackURL: '/googleauth/redirect',
passReqToCallback: true
};
passport.use(new GoogleStrategy(googleOptions,
async (req, token, refreshToken, profile, done) => {
data = await Auth.helpers.signIn(req, null, 'google');
if (data && data.erreur == authErrors.NONE) {
// MAJ de la session et cookie
req.session.userId = data.user.id;
done(null, data.user);
};
));
googleroutes
googleRouter.get('/', (req, res, next) => {
if (!req.session.toRedirect) req.session.toRedirect = req.socket.remoteAddress;
next();
}, Auth.passport.authenticate('google', {
scope: ['profile', 'email', 'https://mail.google.com/'],
accessType: 'offline',
prompt: 'consent',
session: false
})
);
// callback route pour redirect google
googleRouter.get('/redirect', Auth.passport.authenticate('google', { session: false }), (req, res) => {
console.log(req.session.toRedirect, req.sessionID, req.socket.remoteAddress)
res.redirect('https://localhost:3000');
});
I'm new to NodeJS and developing an API using it,
I want the API to be authenticated with an API token method (only people with a token stored in DB, created through a specific encryption should be able to access the API resource.)
I'm using an SQL server, NodeJS, and the Express framework.
Please guide me in what I should use to authenticate the API request.
Thanks in advance.
You could use passport.js with JwtStrategy. This is the idea:
mypassport.js
const JwtStrategy = require('passport-jwt').Strategy;
const ExtractJwt = require('passport-jwt').ExtractJwt;
const opts = {
jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
secretOrKey: 'yourSecret'
};
passport.use(new JwtStrategy(opts, (payload, done) => {
const user = findUserById(payload.id);
if (!user) {
return done('user not exists', null);
}
return done(null, user);
}));
server.js (using express)
require('./mypassport'); // <- initialize passport strategies
//you could also use passport with local strategy for this
app.post('login', (req, res) => {
const username = req.query.username;
const password = req.query.password;
if (validLogin(username, password)) {
const user = findUserByUsername(username);
const jwt = createTokenWithSecret(user, 'yourSecret'); // You can use jwt-simple for this
res.json({ token: jwt });
} else {
//send unauthorized
}
});
const requireLogin = passport.authenticate('jwt');
app.get('/something', requireLogin, (req, res) => {
//here, user is authenticated and available in 'req.user'
});
First, you must login with POST /login { username: 'john', password: '1234' }. That will return a JSON with the jwt token like this:
{ token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c' }
In subsequent requests, you must send a header Authorization with value: Bearer {token} so passportjs and JwtStrategy can authorize the request.
Hope it helps!
NOTE: I have not tested code above, it just shows the approach.
For API Authenication use Passport JS
You can use json web token (jwt) for API authorization. There are node modules available which provides authentication functionality and you can simply use.
Please have a look at this article: https://medium.freecodecamp.org/securing-node-js-restful-apis-with-json-web-tokens-9f811a92bb52?gi=89f3f4d89dfd
I am setting up a site with nodejs, express, mongoose and swig template following this tutorial :
Authenticate a Node.js API with JSON Web Tokens
In this tutorial the author uses Postman to set the token in the header.
I have googled for days to find out how I can set the jwt token in the header of my site, but it is not working for me.
If you want the client to include the token in it's request headers, you can use a cookie parser with express. (HTML5 Web Storage is another option). About Cookies:
Express can set the response headers to tell the client "add the token to a cookie".
Once the client sets the cookie with the token, the token will be in the client's request headers for each request. Let's get to baking with a little
npm install cookie-parser
Sprinkle on some
var cookieParser = require('cookie-parser')
app.use(cookieParser())
Access and set a cookie:
app.use(function (req, res, next) {
var cookie = req.cookies.jwtToken;
if (!cookie) {
res.cookie('jwtToken', theJwtTokenValue, { maxAge: 900000, httpOnly: true });
} else {
console.log('let's check that this is a valid cookie');
// send cookie along to the validation functions...
}
next();
});
You will probably want to do these things with the cookies (or whatever method you go with in the end):
set the cookie to hold the token when a user is authenticated.
check the cookie header value before allowing access to protected
routes.
send back an unauthorized status if a user doesn't have their token
when they are trying to access api routes that require a token.
May help someone in future...
Storing token in cookie with httpOnly:true flag is pretty secure from XSS attack but it can be vulnerable to CSRF attack.
Adding custom request headers for all routes in express using a middleware might be a feasible solution like that:
var token;
//asign 'accessToken' to 'token' in app.post('/login')
token=accessToken;
app.all('*' , (req, res, next) => {
if (!token) {
console.log('token: undefined');
} else {
req.headers.authorization = 'Bearer ' + token;
}
next();
});
this will add authorization=Bearer <token> header in each and every get request coming from browser. Now verify token in each secure route by adding this middleware:
let in app.get('/dashboard')
const authenticateToken=(req, res, next)=>{
var authHeader=req.headers['authorization'];
var token=authHeader && authHeader.split(' ')[1];
if(token==null){
return res.sendStatus(401);
}
jwt.verify(token, process.env.JWT_ACCESS_TOKEN, (err, user)=>{
if(err){
return res.sendStatus(403);
}
req.user=user;
next();
})
}
//in app.get(...)
app.get('/dashboard', authenticateToken ,()=>{
//stuff for authorized user
})
In case if you defined app.post('/login') in another file then,
export addHeader middleware as under:
//var to access token outside app.post('/login') route
var token;
app.post('/login' , (req , res)=>{
//authenticate the user
//create token
const accessToken=jwt.sign(user, secretKey);
//assign 'accessToken' to 'token' var
token=accessToken
//redirect to secure route
res.redirect('dashboard');
}
//middleware to add in your 'index.js' or 'app.js' file.
//export it only if you define app.post('/login') in another file
exports.addHeader = (req, res, next) => {
if (!token) {
console.log('token: undefined');
} else {
req.headers.authorization = 'Bearer ' + token;
}
next();
}
In index.js or app.js
//import file in which app.post('/login') is defined. let it is defined in controller/auth
const authController=require('./controller/auth');
//to add custom header in all routes
app.all('*', authController.addHeader);