How would you get more data from user upon signup with passport? - passport.js

I am trying to rebuild a website from PHP/MySQL to Express, and I am using passport for authentication. My question is, how would you go about getting additional data from the user, apart from username and password, after signup with the passport-local strategy?
I mean, if I add the data in the registration process then, as far as I can understand, I won't be able to use FB / Twitter / Google signup and get the same data. So I thought I should let the user register with username and password or similar and then prompt him with a request to fill in more data.
I have a general idea of how this should be done but since I am new to all this I'd like to get some feedback here.

Related

How do login, authentication and tokens work? If a user logs in to an application, how do the requests know that the user is logged in until he logs out?

I'm just trying to make a small e-commerce web application using Django and Django Rest Framework. I completed the registration and login views (not using Django's built-in authentication), just saving the user's information in the database and validating those details when the user logs in. Now I'm confused about how login actually works: how the user stays connected until he logs out, how the server knows that the user is still logged in, and how each request knows that the user is already logged in. Once I tried logging in using a Django OAuth token, and also simple JWT tokens, but when I logged in with the username and password I also sent the token from Postman. Users don't log in through Postman in the real world, so how are the tokens handled? Who passes the tokens along with the parameters at login? How are tokens passed along with the credentials in real projects, and how is all this handled in real projects? Also, what happens when the user clicks on logout, and what happens in the backend when the user clicks on logout? Can anyone please clear up this question? Thanks.
Please help me understand this concept.

Using nodejs passport for multiple OAuth2.0 methods to login to the same account

I'm trying to use passport to log in with OAuth2, but I'm not fully understanding the documentation.
My end goal is to have the front page of my website offer multiple login options via Twitch/Google/Facebook that all lead you to the same account if your email happens to match (an example service that does this: Streamlabs login). I want to do this without using a username and password, so each of my DB docs only has a unique ID to identify the account, plus object keys such as twitch/google/facebook containing API tokens and emails.
The part I don't understand is how to tell passport to identify the same DB doc when the user is logged in. From what I can tell, it could be the callback for the passport strategy registration, where you use done(null, profile) to tell passport they have been successfully authed.
Would I have to change profile to the unique DB doc ID to make it universal across all auth methods?
Turns out I was right; I was hoping for an answer earlier, before I had to change a bunch of my code.

Handling Social Media Integrations in a MEAN stack App after a user is Logged in

A user can create an account in my App only with his work email.
Example: john@xyzcompany.com
After he creates an account, he can link multiple social media accounts to his profile.
Example: john@gmail.com, john2@gmail.com
I'm using MEAN stack to develop the App.
When a user logs in to my app, I'm creating a JWT token to authorize all his future requests to the server.
When it comes to social media account integrations, after successful authentication I'm able to receive the accessTokens from these social media sites at the backend callback URL. I need to link the tokens to the right user. Is there any way I can pass my JWT token along with the callback URL to identify which user made the request, because I cannot identify the user based on the email in his social media account?
I was able to solve this using socket.io. But I feel it is unnecessary to use sockets for simple authentication.
Is there any other approach to solve it? I have researched online, and a few suggested using passport. I don't fully understand how passport works; I just feel it is a middleware to authenticate API requests from users, which I'm doing anyway using a custom function.
Could someone explain whether it is possible to pass a JWT in callback URLs using passport strategies?
What is the right approach to handle such authentication in a MEAN stack app? I have been stuck with this issue for the past week and am really looking forward to a good solution.
I have encountered this type of situation in one of the large-scale applications I have been working on, and the approach we used to handle it was to store the jwtToken in Redis and then retrieve it with the help of user cookies. Let me explain it in more detail:
Send a new cookie to the user when the user opens the login page. The cookie should contain some unique id or code against which we will save the JWT token. Eg: res.cookie('jwtIdentifier', newid())
Now, when the user logs in, generate the JWT token and save it to your Redis against the cookie jwtIdentifier's value. Eg: redisHelper.set(req.cookies.jwtIdentifier, JWTTOKEN)
At last, when the login is successful and the user is redirected back to your app, you can retrieve your JWT token again for the corresponding user using the cookie. Eg: redisHelper.get(req.cookies.jwtIdentifier) This will give you back the JWT token that you can then use across your application for that specific user.
Hope it's clear; let me know if you have any questions about this implementation ;)
You might try using client-side Facebook authentication as described here:
https://theinfogrid.com/tech/developers/angular/facebook-login-angular-rest-api/
In this case, in the Angular app you have the Facebook token alongside your app token, and you can send both to your backend to identify the current user.
On the backend you will call Facebook to get profile data from the accessToken and then store the user's profile id; depending on your business you might also need to store the access token.

What is an authentication strategy

There doesn't appear to be a really clear explanation of what an authentication strategy is and what role it plays.
This is what I think it might be so far (please correct me if I'm wrong):
It appears that for each login type there is a strategy (google, facebook, local etc.).
The strategy gets created and then added to a passport object, and the passport object is then used to sign a token which is used for a (un)specified time. However, the username and password are not verified through jwt or passport initially.
An authentication strategy in passportjs isn't really that complicated; it basically handles the 'authentication' of the user.
So, for instance, with the Passport LocalStrategy, it will take in a username/password, then check the database to see if those credentials are valid or not.
With things like the Google Login / Facebook Login strategies, they'll simply use the Google Login API / Facebook Login API to redirect a user to Google / Facebook, have them accept the desired app permissions, then retrieve the resulting access token from the provider.
Strategies exist so that you can easily make passport authenticate a user in a number of different ways.

How to do authentication for an API build with express?

There are quite a few examples and tutorials on authentication and node out there, as well as several questions on Stack Overflow. I'm still struggling with this subject, however, when trying to implement authentication for an API which communicates with a SPA. I tried using mean.js as an example, as well as JWT and passport.js. But even after some days of research and trial and error it is still unclear to me how to achieve the following scenario:
A user registers himself with a username (or email) and a password (and gets an email to verify his account)
The user logs himself in with the password and username.
The user receives a token as a response.
The token is used in all following requests which require authentication (and is invalidated after a given amount of time).
If the user logs out, the token is invalidated and he gets a new one the next time he logs in.
At a later point of time I also would like to implement Facebook and Google Login (that's why I would like to use passport.js).
I'm glad for any help and also open to suggestions for a better authentication flow.
Look into Firebase (https://www.firebase.com/). It simplifies the process of handling auth and all the perils of trying to handle auth yourself.
Firebase also supports all of the major Auth providers out of the box (Facebook, Google, Twitter, etc).
I ended up using the node-example of satellizer:
https://github.com/sahat/satellizer/blob/master/examples/server/node/server.js#L36
You store the password and username in the database on signup.
For logging in, one can simply compare the (hashed) password with the provided one and send back a token you create via jwt.encode (jsonwebtoken).
After that you append the token to your requests (in the header is probably the best way) and check its validity via jwt.decode(token, TOKEN_SECRET).
