When my users sign up, I want them to have a user name as well. In the user schema, there is a username field that is required and unique. However, when a user registers with Facebook through passport, this field can't be entered, so it throws me an error.
The only solution I came up with was assigning them a random username at signup and then asking them for a real one after, but that doesn't seem like the best idea.
What can I do?
Based on what I am hearing you want to store the username with your facebook info.
You need to add add passReqToCallback: true
passport.use(new FacebookStrategy({
consumerKey: FACEBOOK_CONSUMER_KEY,
consumerSecret: FACEBOOK_CONSUMER_SECRET,
callbackURL: "http://www.example.com/auth/twitter/callback",
passReqToCallback: true
},
function(req, token, tokenSecret, profile, done) {
...
Store in database
}
));
the user info would be stored in the req.body object
Related
I'm rewriting an authentication system to be OAuth only with Passport JS. I've designed a user flow as described below, but I can't see where the best point to get Passport to interact with information from the original request is.
The flow will be:
Authenticated user sends invitation to a new user's email address
New user clicks on link and lands on invitation page (/invitation/SOMECODE)
Invitation code is verified and, if still valid, allows user to auth via Google/Slack
New profile is created in the Strategy, but associated with the existing company (instead of creating a new one)
I'm looking to get access to the req.params inside of the Google Strategy, because this is the point I would typically create a new profile, and company for first time users. But if there's an invitation code, I want to do lookups on that info at this point.
I can't see any documentation that supports this approach, other than Node Passport invitation strategy which uses a password after initial sign up.
Can you get access to req object inside the strategy or is there a better way to approach this with another middleware?
I think what you're looking for is passReqToCallback
Example from docs:
passport.use(new TwitterStrategy({
consumerKey: TWITTER_CONSUMER_KEY,
consumerSecret: TWITTER_CONSUMER_SECRET,
callbackURL: "http://www.example.com/auth/twitter/callback",
passReqToCallback: true
},
function(req, token, tokenSecret, profile, done) {
if (!req.user) {
// Not logged-in. Authenticate based on Twitter account.
} else {
// Logged in. Associate Twitter account with user. Preserve the login
// state by supplying the existing user after association.
// return done(null, req.user);
}
}
));
See passReqToCallback in the docs: http://passportjs.org/docs/authorize
I can't find any documentation on using google oauth and google apis which I understand. At the moment, I am doing this, but it is not a complete guide: https://developers.google.com/identity/sign-in/web/server-side-flow
What I am trying to do:
I have a node based app, with a simple JS frontend.
It needs a google login.
When a user logs in, it creates a username for them on my server.
It stores some google token somehow under this user on my server.
Somehow give a service level access to my backend.
This backend can then make changes and read calendar info whenever needed, without user interaction.
At the moment I have a google login which returns an auth code like this: localhost:8000/?code=123. I don't know what to do with that auth code. Documentation is only provided for Java and Python unfortunately.
The next thing is to get the auth tokens (somehow) then figure out how to give my service account access.
Anyone know how?
Have you had a look at PassportJS? It has a very solid implementation for Google
I have done something similar for Facebook and will paste it here in case it helps:
So firstly, I added the below into my node app:
var passport = require('passport');
var FacebookStrategy = require('passport-facebook').Strategy;
Then, the below:
app.use(passport.initialize());
app.use(passport.session());
Then, the below:
passport.serializeUser(function(user, done){
done(null, user.id);
});
passport.deserializeUser(function(id, done){
userModel.findById(id, function(err, user){
done(err, user);
});
});
passport.use(new FacebookStrategy({
clientID: config.facebook.appID,
clientSecret: config.facebook.appSecret,
callbackURL: config.facebook.callbackURL,
profileFields: ['id', 'displayName', 'photos', 'emails', 'birthday', 'location', 'bio', 'likes.limit(100)']
},
function(accessToken, refreshToken, profile, done){
//Do whatever I want
}
)
);
I won't explain all this but - see if it helps you with your Google apps integration. Good luck!
I am currently trying to setup my server to allow users to login with google oauth 2.0.
I am using passport and passport-google-oauth.
Normal set up is something like:
var GoogleStrategy = require('passport-google-oauth').OAuth2Strategy;
passport.use(new GoogleStrategy({
clientID: GOOGLE_CLIENT_ID,
clientSecret: GOOGLE_CLIENT_SECRET,
callbackURL: "http://127.0.0.1:3000/auth/google/callback"
},
function(accessToken, refreshToken, profile, done) {
User.findOrCreate({ googleId: profile.id }, function (err, user) {
return done(err, user);
});
}
));
However what I really want is to still control access to my server after accounts are approved.
Meaning a user would first 'create' and account using google, then be able to signin once there account is approved.
I would really like there to be a signup route and login route:
app.get('/auth/google/signup',
passport.authenticate('google', { scope: ['profile', 'email'] }));
app.get('/auth/google',
passport.authenticate('google', { scope: 'https://www.googleapis.com/auth/plus.login' }));
app.get('/auth/google/callback',
passport.authenticate('google', { failureRedirect: '/login' }),
function(req, res) {
// Successful authentication, redirect home.
res.redirect('/');
});
My problem is that when I get to the GoogleStrategy setup I don't really know which route they initially hit. IE if they hit the login route but had not created an account I do not want to create an account I want to warn them that they did not yet create an account. Had they hit the signup route and already had an account I would not want to create another account I would just tell them they already have an account.
Is there anyway in the GoogleStrategy that I can tell which route the user initially hit on my server?
In your user model create the "approved" field, with default False (Boolean)
And you can check this field on the GoogleStrategy to restrict the access.
If you want to apply this on all Strategies you can filter on the serialization method in passport.
Hope it helps.
You can pass a 'state' query parameter in your initial request that will be round-tripped back to your callback.
Documented here:
https://developers.google.com/identity/protocols/OAuth2WebServer
state
Any string Provides any state that might be useful to your
application upon receipt of the response. The Google Authorization
Server roundtrips this parameter, so your application receives the
same value it sent. To mitigate against cross-site request forgery
(CSRF), it is strongly recommended to include an anti-forgery token in
the state, and confirm it in the response. See OpenID Connect for an
example of how to do this.
Hey I am trying to work out where the bearer token is in a mean.io project.
I am using the default project which has Oauth enabled by default (have put the api keys in) and I can successfully log in.
How is passport storing the bearer token so I can authenticate my API calls? What is the best way to access it?
The token that is returned by the OAuth authentication is discarded by MEAN. See https://github.com/linnovate/mean/blob/v0.4.4/packages/users/passport.js:
passport.use(new FacebookStrategy({
clientID: config.facebook.clientID,
clientSecret: config.facebook.clientSecret,
callbackURL: config.facebook.callbackURL
},
function(accessToken, refreshToken, profile, done) {
// accessToken and refreshToken not used, not stored.
});
}
));
You could provide your own strategies to override this behavior, or try to raise the issue with MEAN. I see you already made a ticket. I'm afraid this may be a security consideration on their part, as there is no risk of losing the tokens if they are not stored.
I'm trying to find out how Facebook authentication works when using passport-facebook with node/express.
I'm confused about the callbackURL and the function that follows below.
Can someone explain to me what the difference is between setting a callbackURL (is this where a successful login attempt end up? and the function(accessToken, ...) which also seems to be invoked after logging in.
passport.use(new FacebookStrategy({
clientID: FACEBOOK_APP_ID,
clientSecret: FACEBOOK_APP_SECRET,
callbackURL: "http://localhost:3000/auth/facebook/callback"
},
function(accessToken, refreshToken, profile, done) {
User.findOrCreate({ facebookId: profile.id }, function (err, user) {
return done(err, user);
});
}
));
callbackURL is a URL that facebook's web servers themselves will use at the end of the process. Facebook's servers will send a 301 redirect response causing the user's browser to navigate to this URL. So this is essentially a configuration option you are sending to facebook itself, and passport.js is handling the specifics of when and where to send it. When the whole oauth dance is done, the callback function is a way for passport to give control back to your code and say "hey, look it worked. Here's the goodies on the logged-in user", so you can do your findOrCreate. The details inside that function typically vary per-application whereas the oauth dance is always the same. So that's why passport uses a function callback there. It allows you a hook for application-specific or custom logic.