Node.js / express - using passport with redis, getting session unauthorized - node.js

I'm trying to use redis with express to create a user login and session. I test the route using this curl script:
curl -d 'email=testEmail&password=testPass' http://localhost:3000/users/session
When I do this, passport works fine through serialization, and then it returns http 302. I haven't figured out what it does after serialization, but when I try it in the browser with my login html form instead of curl, It shows me "Unauthorized" 401, and I don't see any of my console logs. Here's my app.js:
var express = require('express')
, fs = require('fs')
, cons = require('consolidate')
, http = require('http')
, flash = require('connect-flash')
, passport = require('passport')
, RedisStore = require( "connect-redis" )(express) //for sessions (instead of MemoryStore)
, redis = require('redis')
, env = process.env.NODE_ENV || 'development'
, config = require('./config/config')[env]
, db = redis.createClient(config.db.port, config.db.host);
db.select(config.db.users)
db.auth(config.db.auth);
var app = express();
//require passport strategies (see code block below)
require('./config/passport')(passport, config, app)
app.use('/assets', express.static(__dirname + '/public'));
app.use('/', express.static(__dirname + '/'));
app.set('views', __dirname + '/views');
app.set('view engine', 'html');
app.configure(function(){
app.set('config', config);
app.set('db', db);
app.set('port', process.env.PORT || 3000);
app.engine('.html', cons.swig);
app.use(express.logger('dev'))
app.use(express.favicon(__dirname + '/public/img/favicon.ico'));
app.use(express.cookieParser())
app.use(express.bodyParser()) //enables req.body
app.use(express.methodOverride()) //enables app.put and app.delete (can also just use app.post)
app.use(express.session({
secret: 'topsecret',
cookie: {secure: true, maxAge:86400000},
store: new RedisStore({
client:db,
secret:config.db.auth
})
}));
app.use(flash())
app.use(passport.initialize())
app.use(passport.session())
app.use(app.router)
});
// Bootstrap routes
require('./config/routes')(app, passport);
http.createServer(app).listen(app.get('port'), function(){
console.log("Express server listening on port " + app.get('port')+', mode='+env);
});
And the session POST route:
app.post('/users/session', passport.authenticate('local', {successRedirect: '/', failureFlash: 'Invalid email or password.', successFlash: 'Welcome!'}), users.session);
I could only really find examples of passport with mongodb, so I'm not sure about the following. I attempt to find a user, but I'm not sure about the callbacks or what passport is doing with the user info when I return done:
passport.use(new LocalStrategy({ usernameField: 'email', passwordField: 'password' },
function(email, password, done) {
var db = app.get('db')
var multi = db.multi();
db.get('email:'+email, function(err, uid){
if (err) { console.log(err); return err }
if (!uid) { console.log('no uid found'); return null }
console.log('found '+uid)
db.hgetall('uid:'+uid, function(err, user){
if (err) { console.log(err); return err }
if (!user) {
console.log('unkwn usr')
return done(null, false, { message: 'Unknown user' })
}
if (password != user.password) {
console.log('invalid pwd')
return done(null, false, { message: 'Invalid password' })
}
console.log('found user '+user) //I see this fine with curl, but no logs with browser
return done(null, user)
});
});
}
))
Passport serialization:
passport.serializeUser(function(user, done) {
console.log('passport serializing...'+user.name)
done(null, user.name) //no idea what happens to it after this. returns a 302 with curl, and 401 with browser
})
Why does this act differently with a browser than with curl? Any help or comments much appreciated!

Figured it out! To use passport with any database (not just mongo), I would recommend trying it with a dummy user first. Here's what I did.
Login Form (login.html):
<form method="post" action="http://localhost:3000/users/session" name="loginform">
<input id="login_input_username" type="text" name="email" />
<input id="login_input_password" type="password" name="password" autocomplete="off" />
<input type="submit" name="login" value="Submit" />
</form>
Routing (route.js):
app.post('/users/session', passport.authenticate('local'),
function(req, res){
res.end('success!');
});
Passport Local Strategy setup (passport.js):
passport.use(new LocalStrategy({ usernameField: 'email', passwordField: 'password' },
function(email, password, done) {
//find user in database here
var user = {id: 1, email:'test', password:'pass'};
return done(null, user);
}
));
passport.serializeUser(function(user, done) {
//serialize by user id
done(null, user.id)
});
passport.deserializeUser(function(id, done) {
//find user in database again
var user = {id: 1, email:'test', password:'pass'};
done(null, user);
})
Although I'm wondering if it's necessary to find user in my database twice, or if I'm using deserialize incorrectly.

Related

Authentication failure with passport middleware never gets invoked

The following program uses passportjs for username/password authentication. I do not what mistake am I making, but I am always redirected to the failure page, i.e back again to the login page.
var passport = require('passport')
, LocalStrategy = require('passport-local').Strategy
, express = require('express');
var app = express();
app.listen(3000);
app.use(express.static(__dirname+'/public'));
app.use(passport.initialize());
app.use(passport.session());
passport.use(new LocalStrategy(
function(username, password, done) {
console.log(username + ':username');
console.log(password + ':password');
return done(null, [{username:'foo'}]);
}
));
app.get('/login',(req,resp) => {
var options = {
root: __dirname + '/public/'
};
resp.sendFile('login.html',options);
});
app.post('/login',
passport.authenticate('local', { successRedirect: '/',failureRedirect: '/login'})
);
I am trying to understand the working of passportjs and I see that the middleware passport.use(new LocalStrategy( never gets invoked. I do not know the reason but may be it could be the root cause of failure.
So I was missing body parser module required by passportjs to parse the post request. Here is the complete code:
var passport = require('passport')
, LocalStrategy = require('passport-local').Strategy
, express = require('express')
, bodyParser = require('body-parser');
var app = express();
app.listen(3000);
app.use(express.static(__dirname+'/public'));
app.use(bodyParser.urlencoded({ extended: false }));// parse application/x-www-form-urlencoded
app.use(bodyParser.json()); // parse application/json
app.use(passport.initialize());
app.use(passport.session());
passport.use('local',new LocalStrategy(
function(username, password, done) {
console.log(username + ':username');
console.log(password + ':password');
return done(null, {username:username});
}
));
passport.serializeUser(function(user, done) {
done(null, user.username);
});
passport.deserializeUser(function(id, done) {
done(null, user);
});
app.get('/login',(req,resp) => {
var options = {
root: __dirname + '/public/'
};
resp.sendFile('login.html',options);
});
app.post('/login',
passport.authenticate('local', { successRedirect: '/',failureRedirect: '/login'})
);
Maybe passport need session try add app.use(express.session({ secret: 'keyboard cat' })); before passport config.
You must name your strategy and serialize user
passport.serializeUser(function(user, done) {
done(null, user);
});
passport.use('local', new LocalStrategy(
function(username, password, done) {
console.log(username + ':username');
console.log(password + ':password');
return done(null, [{username:'foo'}]);
}
));
You call this strategy by name in this eg local
app.post('/login',
passport.authenticate('local', { successRedirect: '/',failureRedirect: '/login'})
);

Node.js app.post for passport-local signup form not working

I'm trying to setup passport local sign-in but the form doesn't do anything when submitted.
My app.js code:
var express = require('express');
var app = express();
app.use(express.static(__dirname + '/public'));
var credentials = require('./credentials.js');
app.use(require('cookie-parser')(credentials.cookieSecret));
app.use(require('body-parser').urlencoded({extended: false}));
var session = require('express-session');
app.use(session({
resave: false,
saveUninitialized: true,
secret: 'keyboard cat'
}));
var passport = require('passport');
app.use(passport.initialize());
app.use(passport.session());
app.disable('x-powered-by');
var handlebars = require('express-handlebars').create({defaultLayout:'main'});
app.engine('handlebars', handlebars.engine);
app.set('view engine', 'handlebars');
app.set('port', process.env.PORT || 3000);
app.post('/login', function(req, res){console.log("body parsing", req.body)});
app.get('/login', function(req, res) {
res.render('login');
});
The form html at /login for sign-ins:
<form action="/login" method="post">
<div>
<label>Username:</label>
<input type="text" name="username"/>
</div>
<div>
<label>Password:</label>
<input type="password" name="password"/>
</div>
<div>
<button type="submit">Submit</button>
</div>
</form>
When I fill in username and password nothing prints out into the console from the post request. What do I have wrong?
You have to serialize and deserialize the user details to make the user authenticated.
Here's and example.
services.js
const passport = require('passport');
const LocalStrategy = require('passport-local').Strategy;
const User = require('../models/user');
//serialize and deserialize
passport.serializeUser(function(user, done) {
done(null, user._id);
});
passport.deserializeUser(function(id, done) {
User.findById(id, function(err, user) {
done(err, user);
});
});
//middleware
passport.use('local-login', new LocalStrategy({
usernameField: 'email',
password: 'password',
passReqToCallback: true
}, (req, email, password, done) => {
User.findOne({ email: email.toLowerCase() }, function(err, user) {
if (err) return done(err);
if (!user) {
return done(null, false, req.flash('loginMessage', 'No user has been found'));
}
if (!user.comparePassword(password)) {
return done(null, false, req.flash('loginMessage', 'Oops! Wrong Password.'));
}
return done(null, user);
});
}));
//custom function to validate
exports.isAuthenticated = function(req, res, next) {
if (req.isAuthenticated()) {
return next();
}
res.redirect('/login');
}
and once you do the serializing, you have to actually apply the process to the router. i.e, make the user details enter passport.
In your router file:
const passportConfig = require('services.js');
Then you can simply access the data via req.user
I found that removing this AMP js script solves the issue. For some reason it breaks the post requests.
<script async src="https://cdn.ampproject.org/v0.js"></script>

Need to retrieve form data

I have some login page, as soon as the authenticated get success, in the next page, I should display Login Details.. ( ie., username and password )
I'm using Express NodeJs, Passport, connect-flash, mongoose
My prob is: I'm unable to understand how to retrieve username, password in the next rendered page..
Please someone suggest me how to achieve it. I'm not asking you code, BUT show me a way to get my output.
EDIT:
app.js
var http = require('http');
var express = require('express'),
passport = require('passport')
, LocalStrategy = require('passport-local').Strategy,
flash = require('connect-flash'),
User = require('./routes/userdao.js');
passport.use(new LocalStrategy(
function(username, password, done) {
User.findOne({ uname: username ,pwd:password}, function(err, user) {
if (err) { return done(err); }
if (!user) {
return done(null, false, { message: 'Incorrect username.' });
}
return done(null, user);
});
}
));
passport.serializeUser(function(user, done) {
done(null, user._id);
});
passport.deserializeUser(function(id, done) {
User.findById(id, function(err, user) {
done(err, user);
});
});
var app = express();
app.configure(function(){
app.use(express.logger('dev')); /* 'default', 'short', 'tiny', 'dev' */
app.use(express.cookieParser());
app.use(express.bodyParser());
app.use(express.session({ secret: 'mysecret' }));
app.use(flash());
app.use(passport.initialize());
app.use(passport.session());
app.engine('.html', require('ejs').__express);
app.set('view engine', 'html');
app.set('views', __dirname + '/views');
app.use(app.router);
// app.use(express.errorHandler());
}).listen(3000);
console.log('Listening on port 3000...');
app.get('/',function(req,res){
/* req.flash('info', 'Flash is back!')
res.redirect('/success');*/
res.render('home.ejs');
});
app.get('/login',function(req,res){
res.render('login.ejs');
});
app.get('/success',function(req,res){
res.render('success.ejs',{ uname : req.user.username });
});
app.post('/login',
passport.authenticate('local', { successRedirect: '/success', failureRedirect: '/login',
failureFlash: true }));
success.ejs
<%= uname %>
I'm trying to display username which I entered in the login page.. I'm getting output: undefined
please tell me what went wrong and what I need to correct?
In the most general sense, if authentication succeeds the user object you return from authenticate ends up at req.user in your downstream functions.
http://passportjs.org/guide/authenticate/
And then, assuming you are using sessions, any subsequent requests will also expose req.user based on your serializeUser/deserializeUser functions.

Passport.js twitter authentication causing 500 error, req.session is undefined

I'm trying to set up sessions in a Node app using passport-twitter so I can persist user data, but from what I can tell, I cannot turn on the session support. Also, I made sure the callback function matches the application entry on Twitter Developers. The 500 error the program throws is:
500 Error: OAuthStrategy requires session support. Did you forget app.use(express.session(...))?**
at Strategy.OAuthStrategy.authenticate (/Users/xxxxxxxx/web/Node/on/node_modules/passport-twitter/node_modules/passport-oauth1/lib/strategy.js:120:41)
at Strategy.authenticate (/Users/xxxxxxxx/web/Node/on/node_modules/passport-twitter/lib/strategy.js:85:40)
....
When I check strategy.js at line 120, it says:
if (!req.session) { return this.error(new Error('OAuthStrategy requires session support. Did you forget app.use(express.session(...))?')); }
So, clearly req.session is undefined. However, I think I've done everything I need to to get the session support working. Here is most of my main server js file:
var express = require('express'),
app = express();
var http = require('http'),
https = require('https');
var mongodb = require('mongodb'),
mongoose = require('mongoose');
var passport = require('passport'),
TwitterStrategy = require('passport-twitter').Strategy,
imon = require('./imon'),
routes = require('./routes')(app),
user = require('./models/user'),
group = require('./models/group'),
song = require('./models/song'),
album = require('./models/album'),
activity_item = require('./models/activity_item');
app.set('env', 'development');
console.log("app.get('env') =", app.get('env'));
console.log(app.get('env') === 'development');
// development only
if (app.get('env') === 'development') {
app.set('views', __dirname + '/views');
app.use(express.logger('dev'));
app.use(express.bodyParser());
app.use(express.methodOverride());
app.use(express.cookieParser('secret'));
app.use(express.cookieSession());
app.use(passport.initialize());
app.use(passport.session());
app.use(app.router);
app.use(express.errorHandler());
}
// production only
if (app.get('env') === 'production') {
// TODO
}
// all environments
mongoose.connect('mongodb://localhost/test');
var db = mongoose.connection;
db.on('error', console.error.bind(console, 'connection error:'));
db.once('open', function callback () {
console.log('Connected to DB');
});
passport.use(new TwitterStrategy({
consumerKey: "0GOReNaXWXCTpf7OQgrg",
consumerSecret: "0wA8yUBrXz3ivpTHcuBbKp3vGN2ODnOF7iFM9DB48Y",
callbackURL: "http://127.0.0.1:8888/auth/twitter/callback"
},
function(token, tokenSecret, profile, done) {
console.log("THis gets called?");
function sanitizeImgURL(string){
return string.replace("_normal", "");
}
console.log("profile: ", profile);
process.nextTick(function(){
User.find({account: {id: profile.id}}, function(err, user) {
if(err){
return done(err);
}
if(!user){
return done(null, false, { message: 'Incorrect password.' });
}
else if(user){
done(null, user);
}
var newUser = new User(
{account:
{provider: profile.provider,
id: profile.id},
username: profile.username,
displayName: profile.displayName,
email: profile.email,
image: sanitizeImgURL(profile._json.profile_image_url)
});
return done(null, newUser);
});
});
}
));
passport.serializeUser(function(user, done) {
console.log("SERIALIZE: ", user);
done(null, user);
});
passport.deserializeUser(function(obj, done) {
console.log("DESERIALIZE: ", obj);
done(null, obj);
});
/**
* Routes
*/
// Redirect the user to Twitter for authentication. When complete, Twitter
// will redirect the user back to the application at
// /auth/twitter/callback
app.get('/auth/twitter', passport.authenticate('twitter'));
// Twitter will redirect the user to this URL after approval. Finish the
// authentication process by attempting to obtain an access token. If
// access was granted, the user will be logged in. Otherwise,
// authentication has failed.
app.get('/auth/twitter/callback',
passport.authenticate('twitter', { successRedirect: '/static/index.html',
failureRedirect: '/static/login.html' }));
... some routes ...
app.listen(8888);
I figured it out; it was 2 things:
1.)connect-redis broke sessions, still don't know why, but removing it fixed my problem after I...
2.)... moved my require routes line, which takes the app object as an argument to after my app.use statements. It makes sense now, I was passing my app object to my routes before I configured it with things like, i dunno, SESSIONS.

After user login Page Refresh is not working for Passport js

I am using the following code to authenticate users with passport js
/**
* Module dependencies.
*/
var express = require('express')
, routes = require('./routes')
, http = require('http')
, path = require('path');
var app = express();
var config = require('./config');
var User = require('./models/user');
var passport = require('passport'),
FacebookStrategy = require('passport-facebook').Strategy;
//setting up passport
passport.serializeUser(function(user, done){
done(null, user.id);
});
passport.deserializeUser(function(id, done){
User.findById(id, function(err, user){
done(err, user);
});
});
passport.use(new FacebookStrategy({
clientID: config.development.fb.appid,
clientSecret: config.development.fb.appSecret,
callbackURL: config.development.fb.url + 'fbauthed'
},
function (accessToken, refreshToken, profile, done) {
User.findOne({
'fbId': profile.id
}, function (err, oldUser) {
if (oldUser) {
console.log('Existing user: ' + oldUser.name + ' found and logged in');
done(null, oldUser);
} else {
var newUser = new User();
newUser.fbId = profile.id;
newUser.name = profile.displayName;
newUser.email = profile.emails[0].value;
newUser.username = profile.username;
console.log(profile);
newUser.save(function (err) {
if (err) throw err;
console.log('New user:' + newUser.name + 'created and logged in');
done(null, newUser);
});
}
});
}
));
app.configure(function(){
app.set('port', process.env.PORT || 5000);
app.set('views', __dirname + '/views');
app.set('view engine', 'jade');
app.use(express.favicon());
app.use(express.logger('dev'));
app.use(express.cookieParser());
app.use(express.session({secret: 'big secret'}));
app.use(passport.initialize());
app.use(passport.session());
app.use(express.bodyParser());
app.use(express.methodOverride());
app.use(app.router);
app.use(express.static(path.join(__dirname, 'public')));
});
app.configure('development', function(){
app.use(express.errorHandler());
});
app.get('/', routes.index);
app.get('/fbauth', passport.authenticate('facebook', {scope: 'email'}));
app.get('/fbauthed', passport.authenticate('facebook',{ failureRedirect: '/'}), routes.loggedin);
app.get('/logout', function(req,res){
req.logOut();
res.redirect('/');
});
//app.get('/users', user.list);
http.createServer(app).listen(app.get('port'), function(){
console.log("Express server listening on port " + app.get('port'));
});
The above code works great for when users are authenticating, however after authentication a page refresh throws an error like below.
Express
500 failed to obtain access token (status: 400 data: {"error":{"message":"This authorization code has been used.","type":"OAuthException","code":100}})
at /home/colm/javascript/facebookauth/node_modules/passport-facebook/node_modules/passport-oauth/lib/passport-oauth/strategies/oauth2.js:125:38
at exports.OAuth2.getOAuthAccessToken (/home/colm/javascript/facebookauth/node_modules/passport-facebook/node_modules/passport-oauth/node_modules/oauth/lib/oauth2.js:131:18)
at passBackControl (/home/colm/javascript/facebookauth/node_modules/passport-facebook/node_modules/passport-oauth/node_modules/oauth/lib/oauth2.js:77:9)
at IncomingMessage.exports.OAuth2._request.request.on.callbackCalled (/home/colm/javascript/facebookauth/node_modules/passport-facebook/node_modules/passport-oauth/node_modules/oauth/lib/oauth2.js:94:7)
at IncomingMessage.EventEmitter.emit (events.js:126:20)
at IncomingMessage._emitEnd (http.js:366:10)
at HTTPParser.parserOnMessageComplete [as onMessageComplete] (http.js:149:23)
at CleartextStream.socketOnData [as ondata] (http.js:1447:20)
at CleartextStream.CryptoStream._push (tls.js:544:27)
at SecurePair.cycle (tls.js:898:20)
What is causing this and how can I fix this problem?
Any help would be great. Thanks.
The route which is used to handle the FB callback should only issue a redirect (either back to the login page if the authentication failed, or the 'logged in' page when authentication succeeded).
You're calling routes.loggedin to handle that route (in case of success):
app.get('/fbauthed', passport.authenticate('facebook',{ failureRedirect: '/'}), routes.loggedin);
This will keep all the tokens passed by FB in the URL resulting in the 'This authorization code has been used' message.
So try this:
app.get('/loggedin', ensureLoggedIn('/'), routes.loggedin); // see below
app.get('/fbauthed', passport.authenticate('facebook',{
failureRedirect: '/',
successRedirect: '/loggedin'
}));
ensureLoggedIn is a middleware that will check if the user is logged in, and if not, will redirect to / (or whatever URL you like).

Resources