Working with Node, Express, and Passport.
Okay, so my team and I are building a REST API for a dual-sided marketplace type application. We have already set up a basic LocalStrategy for email and password login.
We want to make the API user-agent agnostic, so we can use the API via web, Android, or iOS.
But where we are getting confused is with the FB login flow. The question is, what exactly goes on behind the scenes in Passportjs. We have looked into the 'passport-facebook' and 'passport-facebook-token' strategies, and can't really decide which one to go with.
This is my current understanding of the flow:
If this is correct, am I better off having the client get the access_token from FB then sending it to me, or just letting FB handle it via redirects and the callback URL?
Passport-token:
var passport = require('passport');
var FacebookTokenStrategy = require('passport-facebook-token');
// `User` (our Mongoose model) and `authRouter` (an Express router) are defined elsewhere in the app.

passport.use('facebook-token', new FacebookTokenStrategy({
    clientID: 'xxx',
    clientSecret: 'xxx'
  }, function(accessToken, refreshToken, profile, done) {
    // asynchronous
    //console.log("into passport auth");
    process.nextTick(function() {
      User.findOne({'facebook.id': profile.id}, function(error, user) {
        console.log("user is " + JSON.stringify(user));
        console.log("profile is " + JSON.stringify(profile));
        //do user creation stuff etc.
        return done(error, user);
      });
    });
  }));

authRouter.post('/facebook', passport.authenticate('facebook-token'), function (req, res) {
  console.log("into controller");
  if (req.user) {
    //log the user in since they successfully authenticated with facebook.
    // req.login needs the user object (it was an undefined `user` before) and a callback.
    // Note: with sessions enabled, passport.authenticate already establishes the session,
    // so this call is only needed if the session was disabled on the authenticate call.
    req.login(req.user, function(err) {
      if (err) { return res.status(500).end(); }
      res.status(200).end();
    });
  } else {
    res.status(401).end();
  }
});
Passport-facebook:
var passport = require('passport');
var FacebookStrategy = require('passport-facebook').Strategy;
// `User` (our Mongoose model) and `authRouter` (an Express router) are defined elsewhere in the app.

passport.use('facebook', new FacebookStrategy({
    callbackURL: "http://75.128.65.176:8080/auth/facebook/callback",
    clientID: 'xxx',
    clientSecret: 'xxx'
  }, function(accessToken, refreshToken, profile, done) {
    // asynchronous
    //console.log("into passport auth");
    process.nextTick(function() {
      User.findOne({'facebook.id': profile.id}, function(error, user) {
        console.log("user is " + JSON.stringify(user));
        console.log("profile is " + JSON.stringify(profile));
        //do user creation stuff etc.
        return done(error, user);
      });
    });
  }));

// Redirect the user to Facebook for authentication. When complete,
// Facebook will redirect the user back to the application at
// /auth/facebook/callback
authRouter.get('/facebook', passport.authenticate('facebook'));

// Facebook will redirect the user to this URL after approval. Finish the
// authentication process by attempting to obtain an access token. If
// access was granted, the user will be logged in. Otherwise,
// authentication has failed.
authRouter.get('/facebook/callback',
  passport.authenticate('facebook', { successRedirect: '/',
                                      failureRedirect: '/login' }));
Any details/elaboration on how this flow actually works would be GREATLY appreciated!
Q: Verify if the 2 flows shown are correct.
Yes, they are correct.
Q: I have a list of APIs. How can I protect them with the passport-facebook strategy?
You have several options:

Facebook token:
  1. the client sends the Facebook token along with the user information
  2. the client sends the Facebook token each time it calls an API
  More information about how to validate a Facebook token here.

JWT:
  1. the server returns a JWT after retrieving the Facebook user information
  2. the client sends the JWT each time it calls an API
  This way, the server does not have to send the request to Facebook to validate the Facebook token. More information here.
Q: If I'm using passport-facebook-token, how do I tell the user to go and log in on Facebook?
Your /api/auth/facebook only accepts a Facebook token and returns the corresponding HTTP code. Thus, asking the user to go and log in on Facebook is the job of the client.
More information about how to create a Facebook login manually here.