How to handle multiple auth strategies on a sails.js SPA?

I'm building a single page app built on Angular for the front-end and sailsjs for the backend. Right now I'm using sails-auth (which uses passportjs internally) to bind my authentication logic to my user model.

I have multiple passport providers installed and available on my frontend, such as passport-github and passport-facebook, but also a classic passport-local so that the user can also signup and login with just his username & password.

I would like my clients (The single page app, and maybe others in the future) to use a token after the auth instead of cookies/sessions so that it's easier to scale and cross-domain requests will also be easier. It will also make mobile integration much easier.

I know I have to use callbacks for OAuth providers, here is the flow that I'm aiming for:

[diagram of the intended auth flow, not reproduced here]

I know that I can replace my sail-auth's sessionAuth policy by a tokenAuth policy that can read the token from the headers and query a Tokens model for example, but then my questions are:

  • When using username/password for login, the request can be made with a simple AJAX call so it is easy to pass the token back to the SPA. When using providers like github, etc., when the callback is called, should I just embed the token dynamically into the HTML that I'm serving?
  • sail-auth's policies/passport.js shows that by default it relies on built-in sessions to persist login/to serialize & deserialize the userID. How do I decouple it from sails' built-in sessions so that it generates a token for the user and serves back my index with the token embedded?

Thank you in advance!

Tristan Foureur, asked Apr 20 '15 16:04


1 Answer

On the auth route, you could go for passport.js based authentication in the backend (without session), use the token for tokenAuth and forward the token to the user.

Then for secure routes, you could place a verifyToken call in your policy (intercept each route).

Disclaimer: I haven't tried this myself.

r0hitsharma, answered Oct 18 '22 01:10