Pass user info in routes from Passport strategies - node.js

I am trying to authenticate user using passportjs using express.
Passport.js looks like this.
// Module-level state: a single object shared by every request this process serves.
const USER_INFO = {};
const FB_CALLBACK = 'http://localhost:3000/auth/facebook/callback';

/**
 * Registers the Facebook strategy on the passport instance it is given.
 *
 * @param {object} passport - the passport instance to configure
 */
module.exports = function (passport) {
  const strategyOptions = {
    clientID: FB_CLIENT_ID,
    clientSecret: FB_CLIENT_SECRET,
    callbackURL: FB_CALLBACK
  };

  // NOTE(review): the verify callback records profile.id but never invokes
  // done(), so Passport is never told how the login attempt ended.
  const verify = (accessToken, refreshToken, profile, done) => {
    process.nextTick(() => {
      USER_INFO.id = profile.id;
    });
  };

  passport.use(new FacebookStrategy(strategyOptions, verify));
};
const express = require('express'); // load express
const app = express(); // the application instance
const router = express.Router(); // an Express router instance
const passport = require('passport');

// NOTE(review): assigned without var/let/const, so this is an implicit global.
// Presumably it is a different object from the USER_INFO declared with `var`
// inside ./config/passport -- confirm.
USER_INFO = {};

// Register the strategies on this passport instance.
require('./config/passport')(passport);

// Starts the Facebook login flow.
app.get('/auth/facebook', passport.authenticate('facebook'));

// Facebook sends the browser back here once the user has answered the prompt.
const facebookOutcome = {
  successRedirect: '/fb',
  failureRedirect: '/error'
};
app.get('/auth/facebook/callback', passport.authenticate('facebook', facebookOutcome));

// Replies with the process-wide USER_INFO object, whoever is asking:
// nothing on this route checks that the caller is logged in.
app.get('/fb', (req, res) => {
  res.json(USER_INFO);
});
I want all of the extracted information to be returned by res.json(USER_INFO), but it comes back empty. What am I missing here? What is the best way to save a user's basic info so that he stays logged in?

Firstly, you should not store USER_INFO = {} outside the scope of your current request. If two separate users make a request then they'll get the same object, so one user's data can end up in another user's response.
You should at least store them in a way that lets you retrieve them separately:
var USERS = {};
...
module.exports...
passport.use...
...
function(accessToken, refreshToken, profile, done) {
USERS[profile.id] = profile;
done(null, profile);
}));
Now if two separate users make a request they'll have their info separately stored within USERS
{
1234: {id: 1234, name: FOO},
6789: {id: 6789, name: BAR},
}
And done(null, profile) would serialize that user. If you haven't defined your serialize/deserialize functions you should do so like this:
// Only the user's id is written to the session.
passport.serializeUser((account, cb) => {
  cb(null, account.id);
});

// On later requests the id from the session is mapped back to the stored
// profile; an unknown id yields undefined.
passport.deserializeUser((accountId, cb) => {
  cb(null, USERS[accountId]);
});
Now your users will be available within their respective request contexts as req.user
So you just need to do:
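// Returns the profile of the user attached to this request.
app.get('/fb', function (req, res) {
  // req.user is only set when the request carries an authenticated session;
  // answer 401 rather than replying 200 with an empty body.
  if (!req.user) {
    return res.status(401).json({ error: 'Not authenticated' });
  }
  res.json(req.user);
});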

You forgot to call done() inside process.nextTick().
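var FB_CALLBACK = 'http://localhost:3000/auth/facebook/callback';

/**
 * Registers the Facebook strategy on the passport instance it is given.
 *
 * @param {object} passport - the passport instance to configure
 */
module.exports = function (passport) {
  passport.use(new FacebookStrategy({
      clientID: FB_CLIENT_ID,
      clientSecret: FB_CLIENT_SECRET,
      callbackURL: FB_CALLBACK
    },
    function (accessToken, refreshToken, profile, done) {
      process.nextTick(function () {
        // Built per login, so nothing is shared between users.
        var USER_INFO = {};
        USER_INFO.id = profile.id;
        // done(err, user): the first slot is for an error. Passing the user
        // there would make Passport treat a successful login as a failure.
        done(null, USER_INFO);
      });
    }));
};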
You can pass any object to done() as its second argument (the first argument is reserved for an error); it will become req.user later in your route. In your case, the USER_INFO that you want to send in the response is req.user.
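// Returns the object the verify callback handed to done() for this user.
app.get('/fb', function (req, res) {
  // Without a completed login there is no req.user; reply 401 instead of
  // sending an empty 200 response.
  if (!req.user) {
    return res.status(401).json({ error: 'Not authenticated' });
  }
  res.json(req.user);
});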

Related

How to integrate Passport Google OAuth 2.0 with Passport JWT?

I'm currently working on my first MERN project, with Passport Local, Google OAuth 2.0 and JWT. All my routes are protected with passport.authenticate("jwt", { session: false }), (req, res) => {}). I know Google Strategy relies on Express session and here's where my issue starts.
I don't know if this is the correct approach, but I want to generate a JWT token from Google OAuth login to handle the user session with it and keep all my routes requests working properly. From the past issues opened here I've found this one to be the most recent and practical solution, but it seemed to me that it would introduce a new problem - since the local login already generates the JWT token, wouldn't it conflict with the request on the step 4 from the linked solution? If I'm thinking right, the token would be generated two times when using the standard login - one right at the authentication and another when reaching the app's home page, not to mention that it looks like the request to /auth/login/success will be made every time the home page is reached, which doesn't seem right to me.
So, what would be the best and cleaner way to approach this? I'd also like to validate everything on the server side and avoid appending the token to the URL, if possible. Anyway, here is my code:
passport.js
const GoogleStrategy = require("passport-google-oauth20").Strategy;
const JwtStrategy = require("passport-jwt").Strategy;
const User = require("../models/user.model");
require("dotenv").config();
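/**
 * Registers the local, Google and JWT strategies and the session
 * (de)serializers on the passport instance it is given.
 *
 * @param {object} passport - the passport instance to configure
 */
module.exports = function (passport) {
  // CONFIGURE STRATEGIES

  // Local
  passport.use(User.createStrategy());

  // Google
  passport.use(
    new GoogleStrategy(
      {
        clientID: process.env.GOOGLE_CLIENT_ID,
        clientSecret: process.env.GOOGLE_CLIENT_SECRET,
        callbackURL: "http://localhost:5000/auth/google/movie-log",
      },
      function (accessToken, refreshToken, profile, cb) {
        // NOTE(review): the e-mail is copied from the provider profile as-is;
        // nothing here checks whether the provider marks it as verified.
        User.findOrCreate(
          { googleId: profile.id },
          { first_name: profile.displayName, email: profile._json.email },
          function (err, user) {
            return cb(err, user);
          }
        );
      }
    )
  );

  // JWT
  // Reads the token from the "access_token" cookie; null when it is absent.
  const cookieExtractor = (req) => {
    if (req && req.cookies) {
      return req.cookies["access_token"];
    }
    return null;
  };

  passport.use(
    new JwtStrategy(
      {
        jwtFromRequest: cookieExtractor,
        secretOrKey: process.env.SECRET,
        // Accept only what login.js issues: tokens carrying iss "Movie.log",
        // signed with jsonwebtoken's default HMAC algorithm. Pinning both
        // keeps a token with another issuer or algorithm from being accepted.
        issuer: "Movie.log",
        algorithms: ["HS256"],
      },
      (payload, done) => {
        // payload.sub holds the user id that signToken() put into the token.
        User.findById(payload.sub, (err, user) => {
          if (err) {
            return done(err, false);
          }
          // A valid token for an account that no longer exists is rejected.
          return done(null, user || false);
        });
      }
    )
  );

  // CONFIGURE AUTHENTICATED SESSION PERSISTENCE
  // Only the id goes into the session; the record is reloaded per request.
  passport.serializeUser(function (user, done) {
    done(null, user.id);
  });
  passport.deserializeUser(function (id, done) {
    User.findById(id, function (err, user) {
      done(err, user);
    });
  });
};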
auth.js (for Google authentication)
const express = require("express");
const passport = require("passport");
const router = express.Router();
// Front-end pages the browser is sent to once the Google flow has finished.
const login = "http://localhost:3000/login";
const diary = "http://localhost:3000/diary";

// Step 1: send the browser to Google, asking for e-mail and profile.
const googleRequest = { scope: ["email", "profile"] };
router.get("/google", passport.authenticate("google", googleRequest));

// Step 2: Google redirects back here. No `session: false` is passed, so this
// login is carried by the Passport session; no JWT cookie is issued here.
const googleOutcome = { successRedirect: diary, failureRedirect: login };
router.get("/google/movie-log", passport.authenticate("google", googleOutcome));

module.exports = router;
login.js (for local authentication)
const express = require("express");
const passport = require("passport");
const JWT = require("jsonwebtoken");
const router = express.Router();
/**
 * Issues a one-hour JWT for the given user id.
 *
 * @param {*} userID - value stored in the token's `sub` claim
 * @returns {string} whatever JWT.sign returns for these claims
 */
const signToken = (userID) => {
  const claims = { iss: "Movie.log", sub: userID };
  const signOptions = { expiresIn: "1h" };
  // Signed with the shared secret taken from the environment.
  return JWT.sign(claims, process.env.SECRET, signOptions);
};
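// POST / : local (username + password) login. On success the JWT is handed
// to the browser in a cookie and a small JSON summary is returned.
router
  .route("/")
  .post(passport.authenticate("local", { session: false }), (req, res) => {
    // Always answer: without this branch a request that reached the handler
    // unauthenticated would be left hanging with no response.
    if (!req.isAuthenticated()) {
      return res.status(401).json({ isAuthenticated: false });
    }
    const { _id, first_name } = req.user;
    const token = signToken(_id);
    res.cookie("access_token", token, {
      httpOnly: true, // not readable from page scripts
      sameSite: true,
      // Send the cookie over HTTPS only once deployed; plain-HTTP localhost
      // development keeps working.
      secure: process.env.NODE_ENV === "production",
    });
    res.status(200).json({
      isAuthenticated: true,
      user: first_name,
    });
  });

module.exports = router;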

Express Passportjs Google + Custom Authentication

I have an express application where I'm using passportjs for managing authentication.
At the moment I only want to support sign-in with Google in my application. I have implemented this properly and it is working fine. Now, I want to restrict access to the application to only those users who are registered with the application.
Registration is done by admin so there can only be few users who are registered. At the moment, anyone with a google account is able to login to the application. Instead of this, I would like the authentication to happen with google using OAuth2.0 and I would like to check if the user exists in my database before letting the user login to the system.
Update
Following is my code as requested
var passport = require('passport');
var GoogleStrategy = require('passport-google-oauth').OAuth2Strategy;
var config = require('./config');
var directoryService = require('./services/directory');
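/**
 * Authentication configuration.
 *
 * Sign-in is delegated to Google, but a session is only created for an
 * e-mail address that the directory service knows. The check lives in the
 * strategy's verify callback, so an unregistered Google account is turned
 * away as a normal login failure (failureRedirect) and never gets a session.
 *
 * @param {object} app - the Express application
 * @param {object} router - the router that receives the auth routes
 */
module.exports = function (app, router) {
  // The verify callback has already replaced the Google profile with the
  // directory record, so the session stores exactly that record.
  passport.serializeUser(function (user, done) {
    done(null, user);
  });

  passport.deserializeUser(function (obj, done) {
    done(null, obj);
  });

  passport.use(new GoogleStrategy({
      clientID: config.auth.clientID,
      clientSecret: config.auth.clientSecret,
      callbackURL: config.auth.callbackURL,
      passReqToCallback: true
    },
    function (request, accessToken, refreshToken, profile, done) {
      var email = profile.emails && profile.emails[0] && profile.emails[0].value;
      if (!email) {
        // No address to look up: treat as a failed login.
        return done(null, false, { message: 'Invalid Login' });
      }
      directoryService.findResidentByEmailAddress(email).then(
        function (data) {
          if (data == null || data.length == 0) {
            // Authenticated with Google but not registered here.
            return done(null, false, { message: 'Invalid Login' });
          }
          done(null, data);
        },
        function (err) {
          // A failed lookup is reported instead of leaving the request pending.
          done(err);
        }
      );
    }
  ));

  app.use(passport.initialize());
  app.use(passport.session());

  // Everything except the /auth/ pages requires a logged-in user.
  router.use(function (req, res, next) {
    if (req.isAuthenticated() || req.url.startsWith('/auth/')) {
      return next();
    }
    res.redirect('/auth/login.html');
  });

  router.get('/auth/google',
    passport.authenticate('google', { scope: ['email'] }));

  router.get('/auth/google/callback',
    passport.authenticate('google', { failureRedirect: '/login' }),
    function (req, res) {
      res.redirect('/');
    });

  router.get('/logout', function (req, res) {
    // NOTE(review): newer Passport releases expect a callback here --
    // confirm against the installed version.
    req.logout();
    res.redirect('/auth/login.html');
  });
}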

404 from callbackURL with koa-passport using passport-oauth2 strategy

I am having trouble understanding why my koa v2 app is 404ing when it receives the callback from my oauth2 provider. I see in the network tab that it is receiving a GET to /oauth/callback with a code query parameter. My routes definitely exist because if I open the page in the browser myself it 500s with an error:
TokenError: The provided authorization grant is invalid, expired,
revoked, does not match the redirection URI used in the authorization
request, or was issued to another client.
Here is my app so far, following the koa-passport-example:
// Koa application entry point: sessions, body parsing, Passport and the
// OAuth2 login/callback routes, followed by an authentication gate.
const Koa = require('koa')
const app = new Koa()
// trust proxy
// NOTE(review): presumably makes Koa honour forwarded-for/proto headers;
// that is only sound when a proxy in front of the app sets them -- confirm.
app.proxy = true
// sessions
const convert = require('koa-convert')
const session = require('koa-generic-session')
// NOTE(review): placeholder key used to sign the session cookie; load a real
// secret from configuration rather than keeping a literal in the source.
app.keys = ['your-session-secret']
app.use(convert(session()))
// body parser
const bodyParser = require('koa-bodyparser')
app.use(bodyParser())
// authentication
// ./authn registers the strategy and the (de)serializers as a side effect.
require('./authn')
const passport = require('koa-passport')
app.use(passport.initialize())
app.use(passport.session())
// routes
const fs = require('fs')
const route = require('koa-route')
// Ends the session and returns the browser to the login entry point.
app.use(route.get('/logout', function(ctx) {
ctx.logout()
ctx.redirect('/login')
}))
// Starts the OAuth2 flow.
app.use(route.get('/login',
passport.authenticate('oauth2')
))
// The provider redirects back here with the authorization code.
app.use(route.get('/oauth/callback',
passport.authenticate('oauth2', {
failureRedirect: '/login',
successRedirect: '/'
})
))
// Require authentication for now
// Registered after the login and callback routes, so those stay reachable
// without a session; everything registered below is gated.
app.use(function(ctx, next) {
console.log('auth check', ctx.isAuthenticated())
if (ctx.isAuthenticated()) {
return next()
} else {
ctx.redirect('/login')
}
})
// Serves the application shell to authenticated users.
app.use(route.get('/', function(ctx) {
ctx.type = 'html'
ctx.body = fs.createReadStream('views/app.html')
const { token } = ctx.state
const authed = ctx.isAuthenticated()
if (authed) {
// NOTE(review): writes whatever ctx.state.token holds to the log; a token
// value is a credential and should not reach log output.
console.log('token', token)
}
}))
// start server
// NOTE(review): the default port is 3000 while the callbackURL in authn.js
// points at port 8080 -- confirm something maps one to the other, since the
// provider rejects a redirect URI that does not match.
const port = process.env.PORT || 3000
app.listen(port, () => console.log('Server listening on', port))
And the authn.js file:
import passport from 'koa-passport'
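// Single hard-coded account standing in for a real user store.
const user = { id: 1, username: 'dmarr#foo.com' }

// Only the id is written to the session.
passport.serializeUser(function(user, done) {
  done(null, user.id)
})

// The id is ignored: every session resolves to the same stub account.
passport.deserializeUser(function(id, done) {
  done(null, user)
})

var OAuth2Strategy = require('passport-oauth2').Strategy
passport.use(new OAuth2Strategy({
    authorizationURL: 'redacted',
    tokenURL: 'https://redacted/token',
    clientID: 'redacted',
    clientSecret: 'redacted',
    callbackURL: "http://localhost:8080/oauth/callback"
  },
  function(accessToken, refreshToken, profile, done) {
    // Record the event only. The access and refresh tokens are credentials,
    // so their values are kept out of the log.
    console.log('authed with oauth')
    // A real application would look the account up from `profile` here
    // instead of returning the stub.
    done(null, user)
  }
));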
Thank you for any help
Well this seems to be working after all. I did have a typo which appears to have been the issue. Keeping the above in case anyone else needs help with oauth2 and koa and passport.
Edit: It turns out I can't seem to access the modified user from the authenticate callback. For example:
function(accessToken, refreshToken, profile, done) {
user.accessToken = accessToken
done(null, user)
})
and in my route handler
const { passport } = ctx.session
const user = passport.user
// user.accessToken is undefined because session.passport.user is the serialized one

Linkedin Passport Oauth failureRedirect

Good afternoon,
I'm working in a node application. Concretely I'm working with "passport-linkedin-oauth2".
There is my code.
linkedin/index.js
'use strict';
var express = require('express');
var passport = require('passport');
var auth = require('../auth.service');
var router = express.Router();
// Entry point: hands the browser over to LinkedIn.
// NOTE(review): the same literal `state` value is sent on every login, so it
// cannot tie the callback to the browser that started the flow.
router.get(
  '/',
  passport.authenticate('linkedin', { state: 'comienzo' }),
  function (req, res) {
    // LinkedIn takes over via redirect before this handler could run,
    // so it is intentionally empty.
  }
);

// LinkedIn redirects back here; a failed login goes to /login with a flash
// message, a successful one continues to auth.setTokenCookie.
router.get(
  '/callback',
  passport.authenticate('linkedin', {
    failureFlash: true,
    failureRedirect: '/login'
  }),
  auth.setTokenCookie
);

module.exports = router;
linkedin/passport.js
var passport = require('passport');
var LinkedInStrategy = require('passport-linkedin-oauth2').Strategy;
var models = require('../../api');
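/**
 * Registers the LinkedIn strategy.
 *
 * The verify callback maps the LinkedIn profile to a local user record,
 * creating it on first login, and reports that record to Passport once.
 *
 * @param {object} User - unused here; the record is reached via models.User
 * @param {object} config - must provide linkedin.clientID, clientSecret and callbackURL
 */
exports.setup = function (User, config) {
  passport.use(new LinkedInStrategy({
      clientID: config.linkedin.clientID,
      clientSecret: config.linkedin.clientSecret,
      callbackURL: config.linkedin.callbackURL,
      scope: [ 'r_basicprofile', 'r_emailaddress'],
      state: true
    },
    function (accessToken, refreshToken, profile, done) {
      // done() is called exactly once, from the database lookup below.
      // Calling it a second time with the raw profile (as the sample code
      // this was adapted from does) would finish the login before the
      // local record had been found or created.
      models.User.findOrCreate({
        where: {
          linkedin: profile.id
        },
        defaults: {
          name: profile.displayName,
          linkedin: profile.id,
          mail: profile.emails[0].value,
          // NOTE(review): if this is a real shared value rather than a
          // redaction, every account created here has the same password --
          // confirm password login is not possible for these accounts.
          password: 'xxxxxxx',
          // Accounts provisioned automatically from a social login start
          // with the least-privileged role; admin rights are granted
          // explicitly, never by default.
          role: 'user', provider: 'linkedin',
          activo: true
        }
      }).spread(function (user, created) {
        console.log("x: " + user.values);
        return done(null, user);
      }).catch(function (err) {
        console.log('Error occured', err);
        return done(err);
      });
    }
  ));
};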
The problem I'm facing is that I'm pretty sure that LinkedIn is logging properly.
In my app when i press login button it redirect me to LinkedIn webpage, I fill the information and then my server receives this answer
GET /auth/linkedin/callback?code=AQTfvipehBLAXsvmTIl1j3ISYCzF03F-EilhiLlfSJNqiwfQsyHeslLONOWY12Br-0dfV1pgkSSpCKlmtpiMVUCufJlatEBswWqfPe6iahoRF8IHIhw&state=comienzo 302 4ms - 68b
I think that this means that it is ok because I get the state that I have sent to LinkedIn API before and the code.
Anyway, every time I login always redirect me to Login page which is failureRedirect: '/login' ( I have tested that if I change this route, the app redirect me where this attribute point)
Also I have checked that it never executes the code that search in the db for the linkedin user.
Remove the state property either on the handler or at the strategy instantiation; I'm not sure why, but this solves the issue.
exports.setup = function (User, config) {
passport.use(new LinkedInStrategy({
clientID: config.linkedin.clientID,
clientSecret: config.linkedin.clientSecret,
callbackURL: config.linkedin.callbackURL,
scope: [ 'r_basicprofile', 'r_emailaddress'],
state: true // <-- Remove state from here
})
}
and this code
router
.get('/', passport.authenticate('linkedin', {
state: 'comienzo' // <-- Or Remove state from here
}),
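You can set the state in one of these places but not both, so remove one of them. Keeping state: true on the strategy is the better choice: a constant value such as 'comienzo' is the same for every login, so it cannot link the callback to the browser session that started the flow.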

Saving multiple passportjs providers into same user document in mongodb

I'm having a problem I'm not able to resolve. I'm developing an app with nodejs, using mongodb, expressjs and passportjs as my authentication middleware.
I currently have 3 strategies: facebook, twitter and instagram. What I want to achieve is that when a user login for the first time, if the user is logged with one strategy and logs in with another one save the profiles into the same mongodb user document.
This is my auth/index.js:
// Provider directories, in the order they are wired up.
var providers = ['local', 'facebook', 'twitter', 'instagram'];

// Register every provider's strategy before any route is mounted.
providers.forEach(function (provider) {
  require('./' + provider + '/passport').setup(User, config);
});

var router = express.Router();

// Mount each provider's routes under /<provider>.
providers.forEach(function (provider) {
  router.use('/' + provider, require('./' + provider));
});
And this is, for example, my auth/twitter/index.js
var router = express.Router();

// Builds the Twitter middleware with a fresh options object per route:
// no Passport session is used, and a failed login goes back to '/'.
function statelessTwitterAuth() {
  return passport.authenticate('twitter', {
    failureRedirect: '/',
    session: false
  });
}

// Starts the Twitter flow.
router.get('/', statelessTwitterAuth());

// Twitter redirects back here; on success the token cookie is set.
router.get('/callback', statelessTwitterAuth(), auth.setTokenCookie);

module.exports = router;
But how could I pass for example a mongodb _id to this auth/twitter/passport.js in order to pass it to the mongoose query and update an user? Something like making a POST to auth/twitter and accessing to req.user._id ? I can't figure out how to do it.
exports.setup = function (User, config) {
var passport = require('passport');
var TwitterStrategy = require('passport-twitter').Strategy;
var TwitterApi = require('twitter');
passport.use(new TwitterStrategy({
consumerKey: process.env.TWITTER_CONSUMER_KEY,
consumerSecret: process.env.TWITTER_CONSUMER_SECRET,
callbackURL: config.twitter.callbackURL
},
function(token, tokenSecret, profile, done) {
User.findOne({
'twitter.id_str': profile.id
}, function(err, user) {
if (err) {
return done(err);
}
if (!user) {
user = new User({
role: 'user',
[...]
Thank you very much.
EDIT:
This is how I set my cookie:
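/**
 * Final step of a provider login: issues the signed token for req.user,
 * stores it in the `token` cookie and sends the browser to '/'.
 *
 * @param {object} req - request; req.user is expected to be set by Passport
 * @param {object} res - response
 */
function setTokenCookie(req, res) {
  // status().json() replaces the two-argument res.json(status, body) form,
  // which newer Express releases no longer accept.
  if (!req.user) return res.status(404).json({ message: 'Something went wrong, please try again.'});
  var token = signToken(req.user._id, req.user.role);
  // NOTE(review): the cookie is set without httpOnly/secure flags, so page
  // scripts can read the token -- presumably the client reads it on purpose;
  // confirm before tightening.
  res.cookie('token', JSON.stringify(token));
  res.redirect('/');
}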
and the signToken function:
/**
 * Signs a session token that carries only the user's id.
 *
 * @param {*} id - value stored in the token's `_id` claim
 * @returns {*} whatever jwt.sign returns for this payload
 */
function signToken(id) {
  var payload = { _id: id };
  // 60 * 24 * 30 minutes = 30 days.
  // NOTE(review): newer jsonwebtoken releases name this option `expiresIn` --
  // confirm against the installed version.
  var lifetime = { expiresInMinutes: 60 * 24 * 30 };
  return jwt.sign(payload, config.secrets.session, lifetime);
}
Why req.user and req.session are always empty in my Strategy?
EDIT2:
I think I could use the auth.isAuthenticated() function to attach user to the request before invoking the Strategy. What I have done is this:
// Start of the Twitter flow, now behind the JWT check.
// NOTE(review): auth.isAuthenticated is passed where passport.authenticate
// expects its options; presumably Passport then treats the function as its
// custom callback and the options object is ignored -- confirm.
router.get(
  '/',
  auth.isAuthenticated(),
  passport.authenticate('twitter', auth.isAuthenticated, {
    failureRedirect: '/',
    session: false
  })
);

// Twitter redirects back here; the same JWT check runs first.
router.get(
  '/callback',
  auth.isAuthenticated(),
  passport.authenticate('twitter', {
    failureRedirect: '/',
    session: false
  }),
  auth.setTokenCookie
);
But now I'm having this problem:
UnauthorizedError: No Authorization header was found
My request to auth/twitter comes from a $window.location. It seems that this does not attach the user object to the request, because when I make a GET or POST using isAuthenticated() the user object is passed correctly. This is my isAuthenticated() function:
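/**
 * Builds the middleware chain that authenticates a request:
 * first the JWT is validated, then the matching user record is loaded
 * and attached as req.user.
 *
 * @returns {*} the composed middleware produced by compose()
 */
function isAuthenticated() {
  return compose()
    // Validate jwt
    .use(function (req, res, next) {
      // allow access_token to be passed through query parameter as well
      // NOTE(review): a token in the query string ends up in URLs, and so in
      // access logs and browser history; prefer the Authorization header
      // where the client can set one.
      // The check goes through Object.prototype because req.query is built
      // from the request: it may have no prototype, or carry a parameter
      // named hasOwnProperty, and calling req.query.hasOwnProperty() would
      // then throw.
      if (req.query && Object.prototype.hasOwnProperty.call(req.query, 'access_token')) {
        req.headers.authorization = 'Bearer ' + req.query.access_token;
      }
      validateJwt(req, res, next);
    })
    // Attach user to request
    .use(function (req, res, next) {
      // req.user._id is read here, so validateJwt is expected to have set
      // req.user from the token.
      User.findById(req.user._id, function (err, user) {
        if (err) return next(err);
        // A valid token for an account that no longer exists is rejected.
        if (!user) return res.send(401);
        req.user = user;
        next();
      });
    });
}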
FYI I just dealt with this by decoding the JWT token in my Strategies. I don't know if this is a good practice, but the problem was that my user was not attached to the request when the request was made with a $window.location.href.
So in my strategies I read the cookie and decode it on the fly to search for a user in the database. (The token's signature has to be verified at that point, not just decoded, before the id inside it is used for the lookup.)
Thank you.
You can set passReqToCallback to true when you define your passport strategy. It will make the current request, thus the current logged in user available to your callback function.
exports.setup = function (User, config) {
var passport = require('passport');
var TwitterStrategy = require('passport-twitter').Strategy;
var TwitterApi = require('twitter');
passport.use(new TwitterStrategy({
consumerKey: process.env.TWITTER_CONSUMER_KEY,
consumerSecret: process.env.TWITTER_CONSUMER_SECRET,
callbackURL: config.twitter.callbackURL,
passReqToCallback: true
},
function(req, token, tokenSecret, profile, done) {
User.findOne({
'twitter.id_str': profile.id
}, function(err, user) {
if (err) return done(err);
if (!user) {
if (req.user) {
[...]
