I have a Node.js express passport joi restful api. When trying to access the routes ... is it better to first validated the inputs (body or query) or check passport requirements?
So this:
router.route('/signup')
.post(validateBody(schemas.signupSchema), passportSignup, controllerSignup.signup);
router.route('/login')
.post(validateBody(schemas.loginSchema), passportLogin, controllerLogin.login);
router.route('/search')
.get(validateQuery(schemas.searchSchema), passportJWT, controllerSearch.search);
... or this?
router.route('/signup')
.post(passportSignup, validateBody(schemas.signupSchema), controllerSignup.signup);
router.route('/login')
.post(passportLogin, validateBody(schemas.loginSchema), controllerLogin.login);
router.route('/search')
.get(passportJWT, validateQuery(schemas.searchSchema), controllerSearch.search);
Which version is preferred?
It doesn't really matter as, both of them are middlewares, doesn't matter which one fails first. But, doing passport authentication first is a better idea cause, why even process the data if the user isn't correctly authenticated.
Related
So I replaced ExpressJS with Fastify, but my problem is Nest-Passport doesn't support fastify, do we have an alternative for Nest-Passport? or any solutions on how to secure RestAPI in nestJS using a token?
I dont kown if this is the correct manner. But if I change the default jwt extractor
ExtractJwt.fromAuthHeaderAsBearerToken
(described within the doc ) by a custom one it works.
const fromFastifyAuthHeaderAsBearerToken = (request: FastifyRequest): string => {
const auth = request.headers['authorization'];
const token = auth?.split(' ')[1];
return token;
}
There's no immediate Fastify NestJJS authentication package I'm aware of (I'm sure there's something out there), but I do have a sample of JWT authentication with Fastify and NestJS without Passport. The idea is to make use of Nest's #nestjs/jwt package or just jsonwebtoken directly, and create the auth tokens with that instead of delegating to Passport. This is actually the kind of approach I prefer, as I find Passport to be a bit too mystical sometimes.
I am trying to use the jwt express middleware as well as the postgraphile middleware together, and I want to add an exception for having an auth token to the graphiql interface. I know that postgraphile starts up graphql on /graphql and graphiql on /graphiql unless otherwise configured. So in my jwt middleware init I am doing this:
app.use(jwt({ secret: process.env.JWT_SECRET}).unless({path: ['/', /\/graphiql/i, /\/graphql/i, /auth/i]}));
Which makes it so /graphiql, /graphql, and /auth routes do not require an auth token. This appears to work fine because I can get to the graphiql interface just fine, and the graphql queries I'm building are working just fine. However, in my express terminal, there is still something that it's trying to connect to that is throwing a No authorization token found when I load http://localhost:3000/graphiql
Any thoughts on what else it might be trying to hit that I will also have to add to the unless() method in the JWT middleware?
PostGraphile currently loads the GraphiQL assets (JS, CSS) from /_postgraphile/*, so you probably want to whitelist those assets.
Another approach is to mount postgraphile before you add the jwt middleware - that way it will be unaffected by it and you won't need to maintain a .unless list.
app.use(postgraphile(...));
app.use(jwt(...));
app.use(...);
I am trying to implement the passport local authentication in my backend. It is a todo app which is built with the help of the MEAN stack. Unfortunately, I am facing some problems implementing it. The folder structure is
In Controllers folder, the controllers for the various routes are present.
In routes folder, the file "api.route.js" contains the main route. I want to implement authentication here such that no further routes can be accessed if the user is not autheticated.
In the api subfolder, the different routes are configured.
In the config subfolder, the passport local strategy is defined.
Another new problem I have noticed is that the routes after todo are not detected.
Example : localhost:3000/api/todos
localhost :3000/api/todos/login
route does not work. It says Error 404. Every other sub routes are the same. Any help which will help me to implement will be appreciated. The github profile for this project is :
https://github.com/AritraWork97/TODO-FULLSTACK
The main folder is Todo Backend, it contains the backend code
To, protect routes in back-end I think express-jwt will be handy.
Initialize it like this,
const jwt = require("express-jwt");
const auth = jwt({secret: jwt_secret});
Then put the auth middleware before a route that you want to protect.
router.get("/secret/:uid", auth, profileCtrl.secret);
I really don't understand, why it is so complex to build authentication and persisting in session with Node.js.
I'm having trouble with session persistance, that is described here.
Maybe, I something don't understand...
So, in an SPA, when a browser making fetch with POST method from UI, Passport authenticates and saves session in DB (as I've setup).
What's next?
How to tell React front-end (browser, server…), that It should apply newly created cookie and use it for all subsequent requests for HMR, GraphQL and other stuff?
What I have is all subsequent requests to server referring old cookie (not created one on successful authentication) and that correct one will never looked up…
Some explanation will be greatly appreciated.
Thank You.
PS: Still looking for simple working examples of authentication with latest Next.js, Express and Passport. I'm stuck with this problem on a week…
You can make a request to the endpoint of express which is going to return you the information... for this you can use Axios, when it response you can set the cookie with something like this:
document.cookie = `id_token=${token}; expires=Thu, 18 Dec 2020 12:00:00 UTC`
In my case I set a token because I use JWT, when the cookie is set, you can request it on the server side using cookie-parser, so, when you are going to verify is the user is logged you can check if the cookie exists on the server (Next.js) and render the template, otherwise you can redirect to other view... something like this:
server.get('/profile', (req, res) => {
const actualPage = '/profile';
const logged = req.cookies['id_token']
if (logged) {
return app.render(req, res, actualPage)
}
return res.redirect('/')
})
If you want to see the complete example, check this repo
I'm working with mean.js, and I have a little doubt about authentication and authorization here...
MEAN.js come with a out of the box passport.js implementation that seems to be working good enough for me just to know when a user is logged in. But at the moment of authorization some question pop up in my mind.. doing my research I reach some answers and I don’t know what is the best way of implementing security API calls in my app.
So far, I'm taking this solution:
Using express.all() function to set in one file all my authorization functions ( I guess it is a good practice right ? ).. creating a file with the following code example:
'use strict';
var passport = require('passport');
module.exports = function(app) {
app.route('/private/p/*').all(function(req, res, next){
if(!req.isAuthenticated()){
res.send(401);
}else{
next();
}
});
app.route('/private/byRoles/*').all(function(req, res, next){
if(!req.isAuthenticated()){
res.send(401);
}else{
var urlRoles = ['admin', 'godlike'];
// ROLE LOGICS THAT ARE GOING TO BE ADDED TO MY USER
// GETTING MY USER ID BY THE DE-SERIALIZE PASSPORT FUNCTION AND GETTING MY
// MONGO MODEL FOR MY USER, WITH THE INFO OF ROLES IN THERE AND DOING
// SOME LOGICS HERE ABOUT THE ROLES AND URL PATTERN.
if ( hasRole(urlRoles, user.roles)){
next();
}else{
res.send(401);
}
}
});
};
So far this is the solution that I'm planning to implement, but I would like to be sure of what I'm doing here... is there a better way of implementing authorization in mean.js ? Is this authorization middle-ware wrong implemented with passport? I don't sure if is necessary to implement another strategy to this.. or if this implementation has a security lack ( sure it has to ).. is better to use Oauth or using api token ??? what should be the architecture to secure an app made in MEAN.js supporting roles and permissions ?? also in the future I would need to secure my socket.. I was looking at passport-socketio.. but not sure if is there a better solution.
I use JWT's for my angular apps. There are many articles out there about the benefits for using tokens instead of sessions or cookies Cookies vs Tokens. Getting auth right with Angular.JS.
You can do everything you want with JWT, roles for backend and frontend, securing sockets is also possible and there are packages for this functionality. You do not need passport if you using tokens. You check the the credentials one time and store the token in the browsers local storage. There are many packages for express and JWT Express-JWT
For a closer look at JWT jwt.io