We have an app with the following routes
/dothis/
...//dothis routes
/dothat
...//dothat routes
/doother
...//doother routes
and a login route:
/login
and
/ //which currently actually isn't even used, would redirect to /login
Is it possible to close the routes so that actually only / and /login are accessible without authentication? Or do we need to apply a prefix to all other routes. Thanks
app.get('*', function(req, res, next) {
// console.log(everyauth);
if (!req.session.auth) {
res.redirect('/login');
} else {
next();
}
});
app.get('/login', function(req, res){
res.render('login', {
});
});
seems to work
app.all('*', Authentication, function(req, res) {
});
function Authentication(req, res, next) {
if (req is not user) {
if (req.url === '/' || req.url === '/login')
next()
}
else
next();
}
I have middleware which does exactly this: https://github.com/jaredhanson/connect-ensure-login
app.get('/dothat',
ensureLoggedIn('/login'), // redirect to /login if not logged in
function(req, res) {
// render do that;
});
It's usable stand-alone, but also integrates seamlessly with Passport, so that after login, the user will be redirected back to the URL they originally requested.
Related
I'm using PassportJS for handle the access to my application, suppose that the user has logged in, and suppose that these urls:
Login
Register
Welcome
need to redirect the user on dashboard url, only if the user has logged in, how can I do?
This is my authentication middleware:
module.exports = {
ensureAuthenticated: function(req, res, next){
if(req.isAuthenticated()){
return next();
}
res.render('index/forbidden');
}
};
Example:
User go to login
No session
Stay on the page
(already works)
User go to login
Already logged in
Redirect to dashboard
You can create another middleware to redirect if logged in and add it to the routes that don't need login. You are basically doing the opposite.
module.exports = {
ensureAuthenticated: function(req, res, next){
if(req.isAuthenticated()){
return next();
}
res.render('index/forbidden');
},
ensureNOTAuthenticated: function(req, res, next){
if(req.isAuthenticated()){
return res.redirect('/dashboard')
}
return next();
}
};
For routes that need auth:
app.get('/dashboard', ensureAuthenticated, (req,res)=>{...});
For routes that dob't need auth:
app.get('/login', ensureNOTAuthenticated, (req,res)=>{...});
I followed the documentation for passport.js with passport-local: http://www.passportjs.org/docs/authorize/
When I send my users to /login they are authenticated, but nowhere in that document can I find how to authorise my users.
I've tried this, but that gives me a bad request:
router.get('/somepage', passport.authenticate('local'), function(req, res, next) {
});
I'm looking for way to protect all my pages at once. I'm working with Express 4.16 and use different route files to split up my routes.
Sam
you can use middleware with a small trick to switch between strategies
example:
const allowUrl = ['public', 'nonprivate','home'];
const authenticationMiddleware = (whiteList =[]) => (req, res, next) => {
if(whiteList.find(req.baseUrl)) {
next();
}
if (req.isAuthenticated()) {
return next()
}
res.redirect('/');
}
app = express();
app.use(passort.initialize());
app.use(authenticationMiddleware(allowUrl));
app.use(apiRouter);
app.listen(3000, ()=> console.log('hello internet');
you can add your middleware code like below
router.get('/', isAuthenticated, function(req, res) {
//your next function
});
function isAuthenticated(req, res, next) {
// do any checks you want to in here
// CHECK THE USER STORED IN SESSION FOR A CUSTOM VARIABLE
// you can do this however you want with whatever variables you set up
if (req.user.authenticated)
return next();
// IF A USER ISN'T LOGGED IN, THEN REDIRECT THEM SOMEWHERE
res.redirect('/');
}
As I wanted ALL routes (except for login routes off course) to pass authorization, I solved it as follows:
var ensureAuthenticated = function(req, res, next) {
if (req.isAuthenticated()) return next();
else res.redirect('/login')
}
// usersRouter contains all open routes like '/login':
app.use('/', usersRouter);
// From here on, all routes need authorization:
app.use(ensureAuthenticated);
app.use('/', indexRouter);
app.use('/api/foo', fooRouter);
app.use('/api/bar', barRouter);
I'm not sure what do you mean by "but nowhere in that document can I find how to authorise my users". Passportjs won't authorize any user. It is an authentication middleware. Authorization is different from authentication.
I think you are looking for application level middleware. You have to use app.use to make authentication work for each request to the server.
You can read more about it here. https://expressjs.com/en/guide/using-middleware.html#middleware.application
I am looking to check user is authenticated or not before they browse something for that I have written this code.
router.use(function (req, res, next) {
console.log(req);
if(req.isAuthenticated()){
console.log("if......");
return next();
}else{
if (req.url === '/users/login' || req.url === '/users/register'){
console.log("if......2");
return next();
}else{
if (req.url === '/'){
console.log("if......3");
res.redirect('/users/register');
}else{
res.redirect('/users/login');
}
}
}
});
Now I have two questions to clear.
Is this the standard way to do this? No, please let me know how to achieve.
whenever I browse localhost:3000 my req.url = /user/login I am surprised with that too. I don't know how its even possible.
But may be cache or something not sure to clear this I must inform, Before that I had code some thing like below which was meant to intercept or validate user when he hits localhost:3000 but now I have commented that entire code.
// Get Homepage
router.get('/'/*, ensureAuthenticated*/, function(req,res){
res.render('index');
});
/*function ensureAuthenticated(req, res, next){
if(req.isAuthenticated()){
return next();
}else{
res.redirect('/users/login');
}
}
router.use(function (req, res, next) {
console.log('Time:', Date.now());
next();
});*/
middleware come in handy here.
define your middleware like
module.exports.isAuthenticated=function(req,res,next){
if(req.isAuthenticated){
return next();
}
next(error('user is not authorized'));
}
then in your route file
route.get('/home',auth.isAutheticated,goToHome);
I'm using Express 4 framework and I need basic authentication for serving static files. This is what I have now:
app.use('/files', auth);
app.use('/files', express.static(path.join(__dirname, 'files')));
This works great if I try to access /files but if I wrote URL ../files/somefile.txt authentication is not needed and I'm able to access that file. I would want all the files under the "files"-directory to be accessible only by authenticated user.
It's an old thread but I just came across the same issue. I'm using http-auth package to restrict the access to a folder in my public directory.
The middleware was working fine when requesting the protected directory (get /protectedFolder shows the prompt for the authentication), but it skips the files when they're requested directly (get /protectedFolder/file.txt displays the content of file.txt)
I solved it by switching the order of middlewares, I initially had
app.use('/protected', express.static(path.join(__dirname, '../../../protected')));
app.use('/protected', auth.connect(basic), (req, res, next) => {
next();
});
But the correct order should be:
app.use('/protected', auth.connect(basic), (req, res, next) => {
next();
});
app.use('/protected', express.static(path.join(__dirname, '../../../protected')));
I hope this helps someone.
Have you tried the following:
app.use('/files/*', auth);
var basicAuth = require('basic-auth');
var auth = function(req, res, next){
var user = basicAuth(req);
if(user && user.name == "admin" && user.pass == "admin")
return next();
else{
res.set('WWW-Authenticate', 'Basic realm=Authorization Required');
return res.send(401);
}
}
app.use(function(req, res, next){
if(req.url.indexOf('ftp') != -1){
console.log(req.url);
return auth(req, res, next);
}
else
next();
});
app.use(express.static(path.join(__dirname, 'public')));
app.use('/ftp', serveIndex('public/ftp', {'icons': true, 'hidden': true, 'view': 'details'}))
Here is my code, it works fine for me, you can try it.
app.use('/files', auth , express.static(path.join(__dirname, 'files')));
I have an app written in express.js and I'm trying to divide this application to 2 sections:
one for unauthorized users (with routes only to / - landing page, /login and /* - error404)
and second (routes will be: / - landing page, /app/* - angular SPA which will handle routing on its own)
Express is also configured to take static files from /unauth/public/
And I want to add second static folder for request from authorized routes - /auth/public
which goes to /app/*
My route config looks like this:
var authRoutes = express.Router();
var unauthRoutes = express.Router();
authRoutes.get('/app/*', function(req, res, next) {
if(!req.isAuthenticated())
return res.redirect("/login/");
res.send("AUTHORIZED");
});
unauthRoutes.get('/', function(req, res, next) {
res.send("LANDING PAGE");
});
unauthRoutes.get('/login/', function(req, res, next) {
if(req.isAuthenticated())
return res.redirect("/app/");
res.send("LOGIN PAGE");
});
unauthRoutes.get('/registration/', function(req, res, next) {
if(req.isAuthenticated())
return res.redirect("/app/");
res.send("REGISTRATION PAGE");
});
unauthRoutes.get('/*', function(req, res, next) {
res.send("ERROR 404");
});
app.use('/', authRoutes);
app.use('/', unauthRoutes);
I tried to modify req.url and call another static oruter express.static('auth/public') based on this:
Using express.static middleware in an authorized route
But I don't know, how to handle route app.get('/auth/*', ...) - previous modification will replace url and this route will never be called..
You could try something like this:
// Create your static middlewares
var unauthStatic = express.static('unauth/public');
var authStatic = express.static('auth/public');
// This goes in place of where you would normally load your static middleware
app.use(function(req, res, next) {
if (req.isAuthenticated()) {
authStatic(req, res, next);
} else {
unauthStatic(req, res, next);
}
});
edit:
if you want authenticated users to be able to access files from both the auth and unauth directories, you can make two calls to app.use, like this:
app.use(unauthStatic);
app.use(function(req, res, next) {
if (! req.isAuthenticated()) {
return next();
}
authStatic(req, res, next);
});
Remember that express uses middleware in a stack, meaning to serve a given request, all registered middleware is used in the order it's used. Once a bit of middleware calls req.send, no further middleware gets executed. Anyway, try something like this:
function Authorization(req, res, next) {
if(!req.isAuthenticated())
return res.redirect("/login");
next();
}
var AnonRouter = express.Router()
// GET /style.css will request /unauth/public/style.css
.use(express.static('unauth/public'))
.get('/', function (req, res) { })
.get('/login', function (req, res) { });
var AuthRouter = express.Router()
.use(Authorization)
// GET /app/style.css will request /auth/public/style.css
.use(express.static('auth/public'))
.get('*', function (req, res, next) {
// Handle reqs for non-static files
});
app.use('/', AnonRouter);
app.use('/app', AuthRouter);
app.get('*', function (req, res) {
res.status(404).send('404!');
});
But I don't know, how to handle route app.get('/auth/*', ...) - previous modification will replace url and this route will never be called..
This statement makes me think that you are trying to somehow handle the request after express's static middleware has been called. This is not possible: the static middleware serves static files and you cannot execute additional logic after it does so, but you can run stuff before! Note that in my code, the Authorization middleware will run before the static file is sent.