I'm using Node.js and intend to use Passport for authentication. However, all of the examples I see online assume the user has already been created. I'd like to know how to create a user's session correctly, after they are saved in the database (I have this part working), so that Passport will recognize them. (I do not want to save the new user and then force them to go to a login page.)
Just call:
// user is the user instance you just registered and created
req.logIn(user, function(err) {
if (err) return next(err);
// login success!
res.redirect('/home'); // or whereever
});
Documentation for this function is in the code (I need to add it to the guide):
https://github.com/jaredhanson/passport/blob/master/lib/http/request.js
Related
Using passport in an express app. For reasons, the session tokens expire after one hour.
If the user is active when the session expired, the deserialize function "fails", i.e., user is undefined.
passport.deserializeUser(function (id, done) {
const user = sessionManager.userLookup(id);
done(null, user);
});
The trouble is that when user is undefined, then there is no req.user for subsequent middleware. So to the code it simply appears that the user is not signed in, with no breadcrumbs to indicate that the session just expired. The app simply redirects all request from unauthenticated users to /login.
For a user in the middle of a workflow, this experience is sub-optimal.
The expiration can be detected within passport.deserializeUser() like this:
passport.deserializeUser(function (id, done) {
const user = sessionManager.userLookup(id);
const errorInfo = ( expire logic check ) ? 'session has expired' : null;
done(errorInfo, user);
});
I can get the logic check right with the sessionManager. The trouble with this solution is that passport sends the user a 500 Internal Server Error, which is also sub-optimal.
What I would like is for the app to send a flash error saying the session has expired. But passport.deserialize() has no visibility to the req object for calling req.flash().
At this point the only way I can think to resolve the issue is to insert a middleware before passport, where the code would lookup the user in the session manager and call req.flash() if the session has expired. It seems like passport should provide a better way to handle such errors.
Answers would be extra-helpful if they include a link to documentation for passport.deserialize(). The only docs I have found here make no mention of how passport handles errors or if it is possible to configure or override the behavior.
UPDATE
After some reflection, flash is not the best mechanism for reporting the session expiration. The app should instead redirect to a "session expired" page. However, the main question still stands. The call changes from req.flash() to res.redirect(), but neither of these objects is available in passport.deserialize().
you can add req as a first parameter in the function, like this:
(also, recommend you use arrow function)
passport.deserializeUser(async (req, id, done) => {
req.flash('error', {});
(...)
});
In my NodeJS application I use express-session for sessions, express-mysql-session to store the session to MariaDB, Passport for authentication and Sequelize for ORM.
The problem I have right now is that I do not know how to refresh a session of a user whose permissions have been changed by an admin of the application.
I tried something like req.logIn() but this refreshes only the session of the admin who is doing the permission changes.
My code looks like this:
editUser = function (req, res) {
var userData.id = req.body.id;
userdata.access = req.body.access;
models.User.update(userData, {where: {id: userData.id}})
.then(function (affectedRows) {
// User has been updated.
// Changes should be active without having the user to log out and log in again
});
);
}
Has anyone an idea how I can refresh the session of the user whose permissions have been changed by another user?
The express-mysql-session needs a table and few fields configured to store the sessions info.
One of those fields is called expires.
If you set that field to Date.now(), the user should have its session expired.
Update:
After reading your comment and looking through their code, we can see that the data stored in the session row in DB is a serialized JSON.
Since you're able to identify that user's session in the DB, you could also:
read the session's data,
JSON.parse() it,
update the .roles array (the property where you
keep user's role),
JSON.stringify() it and save it back to DB.
I have found a solution for my problem at the following thread PassportJS - Is it possible to change req.user for another user?
I updated my passport.deserializeUser() to make a db request and reload the user. The queried user is then commited to the callback. The function now looks like this:
passport.deserializeUser(function(user, done) {
models.User.findOne({where: {id: user.id}})
.then(function(updatedUser) {
done(null, updatedUser);
}, function(err) {
console.error(err);
done(null, user);
});
});
I'm using express js and passport js as authentication system also using view engine. I'm looking for a solution that would give access to user and let users see their file, not the other one's file. for example, in the image folder, the user would access to their files and after that, I want to pass these files to view engine. If I use the public folder, anyone is able to see every file in there. what solution do you recommend?
You should create a directory for each users.
then, for example, your URL is /show/files
the inside your logic, filter the directory by user info.
app.get('/show/files', (req,res)=>{
// filter resources by user info
})
don't forget to create a secure URL for your resources.
Bad Idea: /images/amin/profile.png
Good Idea:
create a route to serve your resources.
app.get('/resources', (req,res)=>{
// add query parameter for resource for example profile.png
// then check user directory and send it
})
your url converts into
/resousrce?file=profile.png
I assume you already have a login system in place, so all you have to do, is create a middleware that checks if the user is logged in, and checks if the image is his image.
app.use("/user/:user/**",function(req,res){
if (req.params.user == thisuser){
//serve the file
} else {
res.status(403); //access denied
res.end();
}
//check based on cookies whether the user has the permission to view this image
});
I would suggest you to use Passport.Js local authentication. You can look into the official docs - http://www.passportjs.org/docs/authenticate/ I personally have used this in the same scenario you're in.
Here is a litte code snippet of the custom middleware function I wrote using passport -
module.exports = {
ensureAuthenticated : function(req, res, next){
if(req.isAuthenticated()){
return next();
}
req.flash('error_msg', 'Please login to view this resource.')
res.redirect('/users/login');
}
}
Feel free to check the entire solution on my github repo -
https://github.com/StechAnurag/loginsys
In my application, users sign in use their email as the unique identifier. But I am asked to implement a function which lets user change their email in the profile page after they log in. The issue is even if I can make the database successfully update, the client session stores the old information. Then if I try to do (e.g. GET) something, the req.user.email will not be in the database. How to handle such issue? Or in another word, how to update the express session correctly?
Once you sure the user data can be put in the session, you can just call req.logIn again (this function has been called by passport in the login process), and it will call the process correctly (e.g. calling the serializeUser function, etc)
req.logIn(newUser, function (err) {
if (err) {
// Ops! Something went wrong!!
}
});
Hope it can help!
I have created node js app using express framework.
I have created middleware for restricting access to some routes.
Middleware actually works fine. but i have difficulties in displaying data.
Suppose In My app i have created route for display list of countries('/country/master')i.e html page which is using internally different/default route ('/country/') to get data from mongoDB.
In this case user will not able to see data cause i have not given permission to "/" routes. but i want to display data but not allow him to make use of "/" route to check data.
How can i deal with this case ????
The answer depends on your authentication strategy i.e. are you using session identifiers, access tokens, etc.
In either case I suggest that you break out the credential exchange (aka login) from the authentication. They should be separate middleware functions. Below is an example of what this looks like.
While this answers your question, specific to ExpressJS, it does leave out a lot of other details that matter when you are building an authentication system (like how to securely store passwords). I work at Stormpath, we provide user management as an API so that you don't have to worry about all the security details! It's very easy to integrate our API into your application, using the express-stormpath module. You'll have a fully featured user database in minutes, without having to setup mongo or a user table.
All that said, here's the example:
/* pseudo example of building your own authentication middleware */
function usernamePasswordExchange(req,res,next){
var username = req.body.username;
var password = req.body.password;
callToAuthService(username,password,function(err,user){
if(err){
next(err); // bad password, user doesn’t exist, etc
}else{
/*
this part depends on your application. do you use
sessions or access tokens? you need to send the user
something that they can use for authentication on
subsequent requests
*/
res.end(/* send something */);
}
});
}
function authenticate(req,res,next){
/*
read the cookie, access token, etc.
verify that it is legit and then find
the user that it’s associated with
*/
validateRequestAndGetUser(req,function(err,user){
if(err){
next(err); // session expired, tampered, revoked
}else{
req.user = user;
next();
}
});
}
app.post('/login',usernamePasswordExchange);
app.get('/protected-resource',authenticate,function(req,res,next){
/*
If we are here we know the user is authenticated and we
can know who the user is by referencing req.user
*/
});
You can positioning of middleware in you app.for example:-
app.get('/country/master',function(req,res){
})
app.use(function(req,res){
your middle ware for providing authentication
})
// other routes where authentication should be enabled
app.get('other urls')