Saving multiple passportjs providers into same user document in mongodb - node.js

I'm having a problem I'm not able to resolve. I'm developing an app with nodejs, using mongodb, expressjs and passportjs as my authentication middleware.
I currently have 3 strategies: facebook, twitter and instagram. What I want to achieve is that when a user login for the first time, if the user is logged with one strategy and logs in with another one save the profiles into the same mongodb user document.
This is my auth/index.js:
require('./local/passport').setup(User, config);
require('./facebook/passport').setup(User, config);
require('./twitter/passport').setup(User, config);
require('./instagram/passport').setup(User, config);
var router = express.Router();
router.use('/local', require('./local'));
router.use('/facebook', require('./facebook'));
router.use('/twitter', require('./twitter'));
router.use('/instagram', require('./instagram'));
And this is, for example, my auth/twitter/index.js
var router = express.Router();
router
.get('/', passport.authenticate('twitter', {
failureRedirect: '/',
session: false
}))
.get('/callback', passport.authenticate('twitter', {
failureRedirect: '/',
session: false
}), auth.setTokenCookie);
module.exports = router;
But how could I pass for example a mongodb _id to this auth/twitter/passport.js in order to pass it to the mongoose query and update an user? Something like making a POST to auth/twitter and accessing to req.user._id ? I can't figure out how to do it.
exports.setup = function (User, config) {
var passport = require('passport');
var TwitterStrategy = require('passport-twitter').Strategy;
var TwitterApi = require('twitter');
passport.use(new TwitterStrategy({
consumerKey: process.env.TWITTER_CONSUMER_KEY,
consumerSecret: process.env.TWITTER_CONSUMER_SECRET,
callbackURL: config.twitter.callbackURL
},
function(token, tokenSecret, profile, done) {
User.findOne({
'twitter.id_str': profile.id
}, function(err, user) {
if (err) {
return done(err);
}
if (!user) {
user = new User({
role: 'user',
[...]
Thank you very much.
EDIT:
This is how I set my cookie:
function setTokenCookie(req, res) {
if (!req.user) return res.json(404, { message: 'Something went wrong, please try again.'});
var token = signToken(req.user._id, req.user.role);
res.cookie('token', JSON.stringify(token));
res.redirect('/');
}
and the signToken function:
function signToken(id) {
return jwt.sign({ _id: id }, config.secrets.session, { expiresInMinutes: 60*24*30 });
}
Why req.user and req.session are always empty in my Strategy?
EDIT2:
I think I could use the auth.isAuthenticated() function to attach user to the request before invoking the Strategy. What I have done is this:
router
.get('/', auth.isAuthenticated(), passport.authenticate('twitter', auth.isAuthenticated, {
failureRedirect: '/',
session: false
}))
.get('/callback', auth.isAuthenticated(), passport.authenticate('twitter', {
failureRedirect: '/',
session: false
}), auth.setTokenCookie);
But now I'm having this problem:
UnauthorizedError: No Authorization header was found
My request to auth/twitter comes from a $window.location. It seems that this does not attach the user object to the request, because when I make a GET or POST using isAuthenticated() the user object is passed correctly. This is my isAuthenticated() function:
function isAuthenticated() {
return compose()
// Validate jwt
.use(function(req, res, next) {
// allow access_token to be passed through query parameter as well
if(req.query && req.query.hasOwnProperty('access_token')) {
req.headers.authorization = 'Bearer ' + req.query.access_token;
}
validateJwt(req, res, next);
})
// Attach user to request
.use(function(req, res, next) {
User.findById(req.user._id, function (err, user) {
if (err) return next(err);
if (!user) return res.send(401);
req.user = user;
next();
});
});
}

FYI I just dealed with this decoding the JWT token in my Strategies. I don't know if this is a good practice but the problem was I was not having my user attached to the request if the request was made with a $window.location.href
So in my strategies I read the cookie and decode it on the fly for searching a user in database.
Thank you.

You can set passReqToCallback to true when you define your passport strategy. It will make the current request, thus the current logged in user available to your callback function.
exports.setup = function (User, config) {
var passport = require('passport');
var TwitterStrategy = require('passport-twitter').Strategy;
var TwitterApi = require('twitter');
passport.use(new TwitterStrategy({
consumerKey: process.env.TWITTER_CONSUMER_KEY,
consumerSecret: process.env.TWITTER_CONSUMER_SECRET,
callbackURL: config.twitter.callbackURL,
passReqToCallback: true
},
function(req, token, tokenSecret, profile, done) {
User.findOne({
'twitter.id_str': profile.id
}, function(err, user) {
if (err) return done(err);
if (!user) {
if (req.user) {
[...]

Related

How to integrate Passport Google OAuth 2.0 with Passport JWT?

I'm currently working on my first MERN project, with Passport Local, Google OAuth 2.0 and JWT. All my routes are protected with passport.authenticate("jwt", { session: false }), (req, res) => {}). I know Google Strategy relies on Express session and here's where my issue starts.
I don't know if this is the correct approach, but I want to generate a JWT token from Google OAuth login to handle the user session with it and keep all my routes requests working properly. From the past issues opened here I've found this one to be the most recent and practical solution, but it seemed to me that it would introduce a new problem - since the local login already generates the JWT token, wouldn't it conflict with the request on the step 4 from the linked solution? If I'm thinking right, the token would be generated two times when using the standard login - one right at the authentication and another when reaching the app's home page, not to mention that it looks like the request to /auth/login/success will be made every time the home page is reached, which doesn't seem right to me.
So, what would be the best and cleaner way to approach this? I'd also like to validate everything on the server side and avoid appending the token to the URL, if possible. Anyway, here is my code:
passport.js
const GoogleStrategy = require("passport-google-oauth20").Strategy;
const JwtStrategy = require("passport-jwt").Strategy;
const User = require("../models/user.model");
require("dotenv").config();
module.exports = function (passport) {
// CONFIGURE STRATEGIES
// Local
passport.use(User.createStrategy());
// Google
passport.use(
new GoogleStrategy(
{
clientID: process.env.GOOGLE_CLIENT_ID,
clientSecret: process.env.GOOGLE_CLIENT_SECRET,
callbackURL: "http://localhost:5000/auth/google/movie-log",
},
function (accessToken, refreshToken, profile, cb) {
User.findOrCreate(
{ googleId: profile.id },
{ first_name: profile.displayName, email: profile._json.email },
function (err, user) {
return cb(err, user);
}
);
}
)
);
// JWT
const cookieExtractor = (req) => {
let token = null;
if (req && req.cookies) {
token = req.cookies["access_token"];
}
return token;
};
passport.use(
new JwtStrategy(
{
jwtFromRequest: cookieExtractor,
secretOrKey: process.env.SECRET,
},
(payload, done) => {
User.findById(payload.sub, (err, user) => {
if (err) {
return done(err, false);
}
if (user) {
return done(null, user);
} else {
return done(null, false);
}
});
}
)
);
// CONFIGURE AUTHENTICATED SESSION PERSISTENCE
passport.serializeUser(function (user, done) {
done(null, user.id);
});
passport.deserializeUser(function (id, done) {
User.findById(id, function (err, user) {
done(err, user);
});
});
};
auth.js (for Google authentication)
const express = require("express");
const passport = require("passport");
const router = express.Router();
const login = "http://localhost:3000/login";
const diary = "http://localhost:3000/diary";
router.get(
"/google",
passport.authenticate("google", {
scope: ["email", "profile"],
})
);
router.get(
"/google/movie-log",
passport.authenticate("google", {
successRedirect: diary,
failureRedirect: login,
})
);
module.exports = router;
login.js (for local authentication)
const express = require("express");
const passport = require("passport");
const JWT = require("jsonwebtoken");
const router = express.Router();
const signToken = (userID) => {
return JWT.sign(
{
iss: "Movie.log",
sub: userID,
},
process.env.SECRET,
{ expiresIn: "1h" }
);
};
router
.route("/")
.post(passport.authenticate("local", { session: false }), (req, res) => {
if (req.isAuthenticated()) {
const { _id, first_name } = req.user;
const token = signToken(_id);
res.cookie("access_token", token, { httpOnly: true, sameSite: true });
res.status(200).json({
isAuthenticated: true,
user: first_name
});
}
});
module.exports = router;

Express Passportjs Google + Custom Authentication

I have an express application where I'm using passportjs for managing authentication.
At the moment I only want to support sign in with google in my application. I have implemented this properly and is working fine. Now, I want to restrict access to to the application to only those users who are registered with the application.
Registration is done by admin so there can only be few users who are registered. At the moment, anyone with a google account is able to login to the application. Instead of this, I would like the authentication to happen with google using OAuth2.0 and I would like to check if the user exists in my database before letting the user login to the system.
Update
Following is my code as requested
var passport = require('passport');
var GoogleStrategy = require('passport-google-oauth').OAuth2Strategy;
var config = require('./config');
var directoryService = require('./services/directory');
/**
* Authentication configuration
*/
module.exports = function (app, router) {
passport.serializeUser(function (user, done) {
//I want to know if this is the correct process
directoryService.findResidentByEmailAddress(user.emails[0].value).then(function (data) {
if (data == null || data.length == 0) {
done({ 'status': 'Invalid Login' });
} else {
done(null, data);
}
});
});
passport.deserializeUser(function (obj, done) {
done(null, obj);
});
passport.use(new GoogleStrategy({
clientID: config.auth.clientID,
clientSecret: config.auth.clientSecret,
callbackURL: config.auth.callbackURL,
passReqToCallback: true
},
function (request, accessToken, refreshToken, profile, done) {
process.nextTick(function () {
return done(null, profile);
});
}
));
app.use(passport.initialize());
app.use(passport.session());
router.use(function (req, res, next) {
if (req.isAuthenticated() || req.url.startsWith('/auth/')) {
return next();
}
res.redirect('/auth/login.html');
});
router.get('/auth/google',
passport.authenticate('google', { scope: ['email'] }));
router.get('/auth/google/callback',
passport.authenticate('google', { failureRedirect: '/login' }),
function (req, res) {
res.redirect('/');
});
router.get('/logout', function (req, res) {
req.logout();
res.redirect('/auth/login.html');
});
}

Linkedin Passport Oauth failureRedirect

Good afternoon,
I'm working in a node application. Concretely I'm working with "passport-linkedin-oauth2".
There is my code.
linkedin/index.js
'use strict';
var express = require('express');
var passport = require('passport');
var auth = require('../auth.service');
var router = express.Router();
router
.get('/', passport.authenticate('linkedin', {
state: 'comienzo'
}),
function(req, res){
// The request will be redirected to Linkedin for authentication, so this
// function will not be called.
})
.get('/callback', passport.authenticate('linkedin', {
failureFlash : true,
failureRedirect: '/login'
}), auth.setTokenCookie);
module.exports = router;
linkedin/passport.js
var passport = require('passport');
var LinkedInStrategy = require('passport-linkedin-oauth2').Strategy;
var models = require('../../api');
exports.setup = function (User, config) {
passport.use(new LinkedInStrategy({
clientID: config.linkedin.clientID,
clientSecret: config.linkedin.clientSecret,
callbackURL: config.linkedin.callbackURL,
scope: [ 'r_basicprofile', 'r_emailaddress'],
state: true
},
function(accessToken, refreshToken, profile, done) {
process.nextTick(function () {
// To keep the example simple, the user's LinkedIn profile is returned to
// represent the logged-in user. In a typical application, you would want
// to associate the LinkedIn account with a user record in your database,
// and return that user instead.
return done(null, profile);
});
models.User.findOrCreate({
where: {
linkedin: profile.id
},
defaults: {
name: profile.displayName,
linkedin: profile.id,
mail: profile.emails[0].value,
password: 'xxxxxxx',
role: 'admin', provider: 'linkedin',
activo: true
}
}).spread(function (user, created) {
console.log("x: " +user.values);
return done(null, user)
}).catch(function (err) {
console.log('Error occured', err);
return done(err);
});
}
));
};
The problem I'm facing is that I'm pretty sure that LinkedIn is logging properly.
In my app when i press login button it redirect me to LinkedIn webpage, I fill the information and then my server receives this answer
GET /auth/linkedin/callback?code=AQTfvipehBLAXsvmTIl1j3ISYCzF03F-EilhiLlfSJNqiwfQsyHeslLONOWY12Br-0dfV1pgkSSpCKlmtpiMVUCufJlatEBswWqfPe6iahoRF8IHIhw&state=comienzo 302 4ms - 68b
I think that this means that it is ok because I get the state that I have sent to LinkedIn API before and the code.
Anyway, every time I login always redirect me to Login page which is failureRedirect: '/login' ( I have tested that if I change this route, the app redirect me where this attribute point)
Also I have checked that it never executes the code that search in the db for the linkedin user.
Remove the state property on the handler or at the strategy instantiation, i'm not sure why but this solves the issue.
exports.setup = function (User, config) {
passport.use(new LinkedInStrategy({
clientID: config.linkedin.clientID,
clientSecret: config.linkedin.clientSecret,
callbackURL: config.linkedin.callbackURL,
scope: [ 'r_basicprofile', 'r_emailaddress'],
state: true // <-- Remove state from here
})
}
and this code
router
.get('/', passport.authenticate('linkedin', {
state: 'comienzo' // <-- Or Remove state from here
}),
You can just set it the state on one of this places but not both, so remove one of them

Pass user info in routes from Passport strategies

I am trying to authenticate user using passportjs using express.
Passport.js looks like this.
var USER_INFO = {};
var FB_CALLBACK = 'http://localhost:3000/auth/facebook/callback';
module.exports = function(passport) {
passport.use(new FacebookStrategy({
clientID: FB_CLIENT_ID,
clientSecret: FB_CLIENT_SECRET,
callbackURL: FB_CALLBACK
},
function(accessToken, refreshToken, profile, done) {
process.nextTick(function() {
USER_INFO.id = profile.id;
});
}));
}
var express = require('express'); // call express
var app = express(); // define our app using express
var router = express.Router(); // get an instance of the express Route
var passport = require('passport');
USER_INFO = {};
require('./config/passport')(passport);
app.get('/auth/facebook', passport.authenticate('facebook'));
app.get('/auth/facebook/callback', passport.authenticate('facebook', {
successRedirect : '/fb',
failureRedirect : '/error'
}));
app.get('/fb', function (req, res) {
res.json(USER_INFO);
});
I want all the information extracted in res.json(user_info). But it is coming as empty. What I am missing here. What is the best method to save user basic info of user to keep him logged in.
Firstly, you should not store USER_INFO = {} outside the scope of your current request. If two separate users make a request then they'll get the same object.
You should at least store them in a way you can retrieve them separately
var USERS = {};
...
module.exports...
passport.use...
...
function(accessToken, refreshToken, profile, done) {
USERS[profile.id] = profile;
done(null, profile);
}));
Now if two separate users make a request they'll have their info separately stored within USERS
{
1234: {id: 1234, name: FOO},
6789: {id: 6789, name: BAR},
}
And done(null, profile) would serialize that user. If you haven't defined your serialize/deserialize functions you should do so like this:
passport.serializeUser(function (user, done) {
done(null, user.id);
});
passport.deserializeUser(function (id, done) {
var user = USERS[id];
done(null, user);
});
Now your users will be available within their respective request contexts as req.user
So you just need to do:
app.get('/fb', function (req, res) {
res.json(req.user);
});
You forgot call done() in process.nextTick().
var FB_CALLBACK = 'http://localhost:3000/auth/facebook/callback';
module.exports = function(passport) {
passport.use(new FacebookStrategy({
clientID: FB_CLIENT_ID,
clientSecret: FB_CLIENT_SECRET,
callbackURL: FB_CALLBACK
},
function(accessToken, refreshToken, profile, done) {
process.nextTick(function() {
var USER_INFO = {};
USER_INFO.id = profile.id;
done(USER_INFO)
});
}));
}
You can pass any object to done(), it will become req.user later in your route. In your case, the USER_INFO which you want to response is req.user
app.get('/fb', function (req, res) {
res.json(req.user);
});

Can the callback for facebook-pasport be dynamically constructed?

When using facebook-passport the usual thing to do is to specify the redirect_uri in the constructor of the FacebookStrategy thst you use, something like this:
passport.use("facebook", new FacebookStrategy({
//TODO: Correctly configure me
clientID: "XXXXXXX"
, clientSecret: "XXXXXXXXX"
, callbackURL: "http://localhost:3007/auth/facebook/callback"
},
function(accessToken,refreshToken,profile,done) {
User.findByFacebookId(profile.id, function(err,user) {
if(err){ return done(err);}
if(!user){ return done(null,false)}
return done(null, user);
});
})
);
Then you would set up routes like this:
app.get('/auth/facebook/login', passport.authenticate('facebook') );
app.get('/auth/facebook/login_callback', passport.authenticate('facebook', {
successRedirect:"/login_ok.html"
, failureRedirect:"/login_failed.html"
}
))
Is it possible to change the callback url so that it contains information from parameters passed to the initial login call?
NOTE: This question is more for preserving info that took me a while to work out, to avoid others going down the same paths.
I found the answer using some info found here https://github.com/jaredhanson/passport-facebook/issues/2 and through digging through the way the passport oauth2 component determines callback uris, and information about passport custom callbacks at the bottom of this page http://passportjs.org/guide/authenticate/.
Here's an example that maps calls to /auth/facebook/login/1234 to use the callback /auth/facebook/login_callback/1234
app.get('/auth/facebook/login/:id', function(req,res,next) {
passport.authenticate(
'facebook',
{callbackURL: '/auth/facebook/login_callback/'+req.params.id }
)(req,res,next);
});
app.get('/auth/facebook/login_callback/:id', function(req,res,next) {
passport.authenticate(
'facebook',
{
callbackURL:"/auth/facebook/login_callback/"+req.params.id
, successRedirect:"/login_ok.html"
, failureRedirect:"/login_failed.html"
}
) (req,res,next);
});
#OMGPOP, here you can pass in query params into your callbackUrl.
var Passport = require('passport');
var FacebookStrategy = require('passport-facebook').Strategy;
const Router = require("express").Router();
var fbConfig = {
display: "popup",
clientID: "YourFbClientId",
clientSecret: "YourFbClientSecret",
callbackURL: "http://localhost:8686/auth/facebook/callback",
profileFields: ['id', 'name', 'gender', 'displayName', 'photos', 'profileUrl', 'email']
}
Passport.use(new FacebookStrategy(fbConfig,
function(accessToken, refreshToken, profile, callback) {
return callback(null, accessToken);
}
));
Router.get("/auth/facebook", function(req, res, next) {
var callbackURL = fbConfig.callbackURL + "?queryParams=" + req.query.queryParams;
Passport.authenticate("facebook", { scope : ["email"], callbackURL: callbackURL })(req, res, next);
});
Router.get("/auth/facebook/callback", function(req, res, next) {
Passport.authenticate("facebook", {
callbackURL: fbConfig.callbackURL + "?queryParams=" + req.query.queryParams,
failureRedirect: "/login",
session: false
})(req, res, next) },
function(req, res) {
console.log(req.query.queryParams);
//do whatever you want
});
Check out my blog for more information: http://blog.pingzhang.io/javascript/2016/09/22/passport-facebook/
I was struggling to do this specifically with Angularjs, and wanted to redirect back to the same url that the login was initiated from.
My solution was to create a route in Angularjs that just implements a location back. I know this does not specifically answer the question, but I thought it would be helpful for anyone looking to do the same.
On the server:
app.get('/auth/facebook/', passport.authenticate ('facebook'));
app.get('/auth/facebook/callback', function (req, res, next) {
var authenticator = passport.authenticate ('facebook', {
successRedirect: '/fbcallback',
failureRedirect: '/'
});
delete req.session.returnTo;
authenticator (req, res, next);
})
Angular router:
when('/fbcallback', {
template: "",
controller: 'fbCtrl'
}).
Angular controller:
app.controller("fbCtrl", function () {
window.history.back();
});
You could probably do some other client side routing in the controller as well.

Resources