nodejs passport authentication token

I am writing a nodejs application that I would like to use as both a web application, as well as an API provider. Once a user is authenticated, I want to assign that user a token to be used for subsequent requests. This works great with passport for the web application, as I just serialize and deserialize the user with the token in the session. However, when responding to API requests, there is no cookie to set to store the session information. Ideally, passport would look for the token both in session and the request body. Is there any way to configure passport to accomplish this?

Austin asked Jul 01 '13 03:07



2 Answers

Simply use the access token on every request. Using a session is NOT needed. The following is the workflow:

POST /signin
  1. The username and password are posted in the client request.
  2. The server authenticates the user by using passport's Local Strategy. See passport-local.
  3. If the credentials represent a valid user, the server returns the access token generated by some generator. node-jwt-simple is a good choice.
  4. If the credentials are invalid, redirect to /signin.

When the client receives the access token from the authorization server, it can then make requests to protected resources on the server. For example:

GET /api/v1/somefunction?token='abcedf'

  1. The client calls some server api with the token argument.
  2. The server authenticates the token by using passport's Bearer Strategy. See passport-http-bearer.

References

Make a secure oauth API with passport.js and express.js (node.js)

bnuhero answered Oct 18 '22 03:10


As bnuhero mentions you don't need sessions (although that approach has its merits too). Here's a boiler-plate project that I'm starting for this: https://github.com/roblevintennis/passport-api-tokens

Here's an alternative and easy to follow tut (but it DOES use sessions). Might be a nice cross-reference: http://scotch.io/tutorials/javascript/easy-node-authentication-setup-and-local

And one more reference related: http://mherman.org/blog/2013/11/11/user-authentication-with-passport-dot-js/

Rob answered Oct 18 '22 03:10