Can't authenticate mobile client with node.js (using passport.js)

I'm trying to build a CRUD application with node.js as a back-end API (express) and a web-app (backbone) and a mobile client (native android) as front-ends (I'm a node.js beginner).

My server solution is based on the following great tutorial 'easy-node-authentication'.

In my android app I have managed to get the user's Google token after I completed the authentication step with the Google Plus SDK (the mobile client requests it from Google Plus directly).

I'm trying to understand and find the right and elegant way to re-use a given Google token and authenticate my android user again through their Google Plus account to ensure the mobile client holds a real token, then add a new entry (id, token, email, name) to my users table in the DB within my node back-end.

The question is: what should my next step be if I want to keep my back-end without changes? Should I send a GET request with the token as a cookie to /auth/google? Maybe to /auth/google/callback? Another URL? Does this make sense at all?

Please note: I'm aware of the fact that the above-mentioned 'easy-node-auth' solution is based on sessions and cookies. Having said that, I'm still trying to understand if there is a convenient way to integrate both (android and node), as it works well for my web-app and node.

Pazinio asked May 26 '14 22:05



2 Answers

Ok, I had the same issue with Facebook authentication. The easiest would be to only use the SIGNUP solution described in http://scotch.io/tutorials/javascript/easy-node-authentication-google but keep the Google auth LOGIN on the client side. Your authentication flow must be the same whatever client is using your app (browser, Android app, etc.).

So you would need to do the following things (well described here https://developers.google.com/accounts/docs/OAuth2UserAgent):

  1. Set up the Google OAuth2 login on the browser side (using the JS SDK) using AJAX. The AJAX response should contain some kind of access token.

  2. For every request made from either the browser or the native client, send the Google access token in the Authorization header and check it with nodeJS against https://www.googleapis.com/oauth2/v1/tokeninfo. This will give you the user ID (that you saved in your DB in the signup phase) and check the validity of the token.

So it hurts, but you should get rid of the passport module that does the OAuth2 login on Google. It turns out that step 2 can be done using the nodeJS passport-google-token module! So this should not be too much work.

Good luck

webaba answered Sep 27 '22 22:09

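As an added example (not code from the answer above, from the easy-node-authentication tutorial, or from passport-google-token), here is how step 2 of that answer could be implemented in node.js: an Express-style middleware that reads the bearer token from the Authorization header, asks the tokeninfo endpoint the answer names, and only lets the request through when the token is valid, unexpired and was issued to this app's own client ID (a token that is "valid" but was issued to some other app should not log anyone in here). The `audience`, `user_id`, `expires_in`, `email` and `error` field names are the v1 tokeninfo fields as the author of this example understands them; the audience check, the `lookup` injection hook, the function names and the `YOUR_CLIENT_ID` placeholder are assumptions, and the `fetch` call assumes Node 18 or newer.

```javascript
// Added example: bearer-token check for a node.js API, not code from the answer or the tutorial.

// Placeholder (constructed value): the OAuth client ID the mobile/web app obtains its token for.
const EXPECTED_AUDIENCE = 'YOUR_CLIENT_ID.apps.googleusercontent.com';

// Pull the token out of "Authorization: Bearer <token>" (RFC 6750 token68 syntax).
// Anything else (missing header, Basic scheme, stray characters) yields null.
function parseBearer(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = /^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$/i.exec(headerValue.trim());
  return m ? m[1] : null;
}

// Ask Google's tokeninfo endpoint (the URL named in the answer) about an access token.
// Returns the HTTP status and the parsed JSON body; never called in offline tests.
async function fetchTokenInfo(accessToken) {
  const url = 'https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=' +
    encodeURIComponent(accessToken);
  const res = await fetch(url);
  return { status: res.status, info: await res.json() };
}

// Decide whether a tokeninfo response proves a live token that was issued to *our* app.
// Assumed field names: audience, user_id, expires_in, email, error.
function evaluateTokenInfo(status, info, expectedAudience) {
  if (status !== 200 || !info || info.error) return { ok: false, reason: 'invalid_token' };
  // A token issued to a different client ID must not authenticate against this API.
  if (info.audience !== expectedAudience) return { ok: false, reason: 'wrong_audience' };
  if (!(Number(info.expires_in) > 0)) return { ok: false, reason: 'expired' };
  if (!info.user_id) return { ok: false, reason: 'no_user_id' };
  return { ok: true, userId: String(info.user_id), email: info.email || null };
}

// Middleware factory. `lookup` defaults to the live tokeninfo call and can be replaced by a
// stub so the decision logic can be exercised without network access. The returned promise
// resolves to true when next() was called and false when the request was rejected with 401.
function requireGoogleToken(options = {}) {
  const lookup = options.lookup || fetchTokenInfo;
  const audience = options.audience || EXPECTED_AUDIENCE;
  return async function googleTokenAuth(req, res, next) {
    const deny = (error) => {
      res.statusCode = 401;
      res.setHeader('WWW-Authenticate', 'Bearer error="' + error + '"');
      res.end();
      return false;
    };
    const token = parseBearer(req.headers && req.headers.authorization);
    if (!token) return deny('invalid_request');
    let result;
    try {
      const { status, info } = await lookup(token);
      result = evaluateTokenInfo(status, info, audience);
    } catch (err) {
      // Network failure or unparsable body: fail closed rather than trusting the client.
      result = { ok: false, reason: 'lookup_failed' };
    }
    if (!result.ok) return deny('invalid_token');
    // The Google user ID is what the signup step stored in the users table; look the user up by it.
    req.user = { googleId: result.userId, email: result.email };
    next();
    return true;
  };
}
```

In an Express app this would be mounted as `app.use('/api', requireGoogleToken())` in front of the protected routes, with the handler loading the DB row by `req.user.googleId`; the 401 responses carry a `WWW-Authenticate` header so a client can treat them as "log in again", which is the client-side pattern the second answer describes.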


As I understand it, this scenario is a bit unique in that you have a client (the android app) that has authenticated itself without the use of your backend application. But the backend application will be used in subsequent requests and you need to authenticate to that backend app? If so, then I think as you build this out you'll hit problems with trusting your clients on the backend system, unless it can validate the credentials of the client. If the backend system could somehow validate this token (from Google) belongs to a certain user, then you could enforce authorization. Otherwise the backend system would trust all clients that have any "token" no matter the quality (again, please correct me if my understanding is wrong).

It might be better if the backend system could be the one who retrieves this token from Google, which would then make it responsible for authentication. The client would send the necessary credentials perhaps, which could be sent to create the token. From then you could easily use cookies to transport the token back and forth within the HTTP requests.

Another option is to build a separate authentication scheme using username/password combination, which is separate from the token that the phone retrieves. It's just hard to protect the data in the backend (if that is your intention) from any client without validating the client in some way.

Once you decide how to authenticate a user, restricting your APIs based on whether a user is authenticated is relatively easy (using something like Passport as you described above). On the client side, I've found a simple pattern to follow is to redirect users to a login page if any APIs return with a 401 (Unauthorized).

dylants answered Sep 27 '22 22:09
