Do not store the token in localStorage, the token can be compromised using xss attack. I think the best solution will be to provide both access token and refresh token to the client on login action. save the access token in memory (e.g redux state) and the refresh token should be created on the server … Read more
For any request you can check if a user is authenticated or not using this method. app.get(‘/some_path’,checkAuthentication,function(req,res){ //do something only if user is authenticated }); function checkAuthentication(req,res,next){ if(req.isAuthenticated()){ //req.isAuthenticated() will return true if user is logged in next(); } else{ res.redirect(“/login”); } }
As zeMirco points out, the underlying superagent module supports sessions, automatically maintaining cookies for you. However, it is possible to use the superagent.agent() functionality from supertest, through an undocumented feature. Simply use require(‘supertest’).agent(‘url’) instead of require(‘supertest’)(‘url’): var request = require(‘supertest’); var server = request.agent(‘http://localhost:3000’); describe(‘GET /api/getDir’, function(){ it(‘login’, loginUser()); it(‘uri that requires user to be … Read more
There’s a passReqToCallback option that you can enable, like so: passport.use(new LocalStrategy( {usernameField: ’email’, passReqToCallback: true}, function(req, email, password, done) { // now you can check req.body.foo } )); When, set req becomes the first argument to the verify callback, and you can inspect it as you wish.
There are many questions asked here, and it seems that even though the questions are asked in the context of Node and passport.js the real questions are more about workflow than how to do this with a particular technology. Let’s use @Keith example setup, modified a bit for added security: Web server at https://example.com serves … Read more
Brice’s answer is great, but I still noticed an important distinction to make; the Passport guide suggests using .logout() (also aliased as .logOut()) as such: app.get(‘/logout’, function(req, res){ req.logout(); res.redirect(“https://stackoverflow.com/”); //Can fire before session is destroyed? }); But as mentioned above, this is unreliable. I found it behaved as expected when implementing Brice’s suggestion like … Read more
Follow the example to avoid the out-of-order middleware hell that express makes it so easy to enter. Straight from the docs. Note how yours does not match this exactly. var app = express(); app.use(require(‘serve-static’)(__dirname + ‘/../../public’)); app.use(require(‘cookie-parser’)()); app.use(require(‘body-parser’).urlencoded({ extended: true })); app.use(require(‘express-session’)({ secret: ‘keyboard cat’, resave: true, saveUninitialized: true })); app.use(passport.initialize()); app.use(passport.session()); Docs cookieParser session … Read more
In your ensureAuthenticated method save the return url in the session like this: … req.session.returnTo = req.originalUrl; res.redirect(‘/login’); … Then you can update your passport.authenticate route to something like: app.get(‘/auth/google/return’, passport.authenticate(‘google’), function(req, res) { res.redirect(req.session.returnTo || “https://stackoverflow.com/”); delete req.session.returnTo; });
Here is a solution using Socket.IO 1.0 and Express 4.0. It is similar in spirit to Patrick’s answer. The trick is that since Socket.IO 1.0 has a new middleware API, we can wrap Express’s middleware and put it into the Socket.IO pipeline without delving into the low-level implementation of the session stores. // Set up … Read more
I’ve had the same problem you describe. The web site I’m building can be accessed from a mobile phone and from the browser so I need an api to allow users to signup, login and do some specific tasks. Furthermore, I need to support scalability, the same code running on different processes/machines. Because users can … Read more