What is “done” callback function in Passport Strategy Configure “use” function

done is a method called internally by the strategy implementation. Then it navigates you, as you can see, to one of the success / error / fail methods (again, by the implementation; there are more options). Each of these options may call the next, where in your snippet code is the following: function(req, res) … Read more

Passport + Node.js / Automatic login after adding user

Based on the Passport Guide req.login() is intended for this exact purpose. This function is primarily used when users sign up, during which req.login() can be invoked to automatically log in the newly registered user. Modifying krasu’s code: app.post('/sign', function(req, res){ authProvider.saveUser(…do stuff), function(error, user){ if ( error ){ res.redirect('/sign'); } else { req.login(user, function … Read more

How to protect static folder in express with passport

Ran into same issue, this is what I ended up doing! app.use doesn’t let you chain middlewares in that way. The various app.VERB functions do, but app.use doesn’t. That’s for one middleware at a time. If you split the 2 middlewares out into separate calls, you should get the results you want: app.use('/admin', ensureAuthenticated); app.use('/admin', … Read more

MongoDB schema design for multiple auth user accounts

1) There are three strategies that you might take to structure your data in MongoDB: a) Array of embedded documents b) Array of embedded references c) Expanded into the parent document Strategy (a) is the first one you describe, where the Profile document contains an array of Account sub-documents. Strategy (b) is similar to strategy … Read more

What are the differences between local Basic and Digest strategy in passportjs

If I understand correctly, the differences between the Local, Basic and Digest strategies in Passport.js are subtle but important. Here’s the rundown: Local (passport-local) Passport’s local strategy is a simple username and password authentication scheme. It finds a given user’s password from the username (or other identifier) and checks to see if they match. The … Read more

How is req.isAuthenticated() in Passport JS implemented? [closed]

For any request you can check if a user is authenticated or not using this method.

    app.get('/some_path', checkAuthentication, function(req, res){
        // do something only if user is authenticated
    });

    function checkAuthentication(req, res, next){
        if (req.isAuthenticated()){
            // req.isAuthenticated() will return true if user is logged in
            next();
        } else {
            res.redirect("/login");
        }
    }

Documentation for “ensureAuthentication” “isAuthenticated” passport’s functions?

While not explicitly documented anywhere easily found, you can see where the isAuthenticated and isUnauthenticated flags are set in the Passport code at https://github.com/jaredhanson/passport/blob/a892b9dc54dce34b7170ad5d73d8ccfba87f4fcf/lib/passport/http/request.js#L74. ensureAuthenticated is not official, but can be implemented via the following:

    function ensureAuthenticated(req, res, next) {
        if (req.isAuthenticated())
            return next();
        else
            // Return error content: res.jsonp(…) or redirect:
            res.redirect('/login');
    }

… Read more

Error: req#logout requires a callback function

Since version 0.6.0 (which was released only a few days ago by the time of writing this), req.logout is asynchronous. This is part of a larger change that averts session fixation attacks. See the release announcement: The other major change is that req.logout() is now an asynchronous function, whereas previously it was synchronous. For … Read more