How to handle multiple auth strategies on a sails.js SPA?
I'm building a single page app built on Angular for the front-end and sailsjs for the backend. Right now I'm using sails-auth (which uses passportjs internally) to bind my authentication logic to my user model.
I have multiple passport providers installed and available on my frontend, such as passport-github and passport-facebook, but also a classic passport-local so that the user can also signup and login with just his username & password.
I would like my clients (The single page app, and maybe others in the future) to use a token after the auth instead of cookies/sessions so that it's easier to scale and cross-domain requests will also be easier. It will also make mobile integration much easier.
I know I have to use callbacks for OAuth providers; here is the flow that I'm aiming for:
I know that I can replace sails-auth's sessionAuth policy with a tokenAuth policy that reads the token from the headers and queries a Tokens model, for example, but then my questions are:
When using username/password for login, the request can be made with a simple AJAX call, so it is easy to pass the token back to the SPA. When using providers like GitHub, etc., when the callback is called, should I just embed the token dynamically into the HTML that I'm serving?
sails-auth's policies/passport.js shows that by default it relies on built-in sessions to persist the login and to serialize & deserialize the user ID. How do I decouple it from Sails' built-in sessions so that it generates a token for the user and serves back my index with the token embedded?
Thank you in advance!
On the auth route, you could go for passport.js-based authentication in the backend (without sessions), use the token for tokenAuth and forward the token to the user.
Then for secure routes, you could place a verifyToken call in your policy (intercept each route).
Disclaimer: I haven't tried this myself.
I've been using these steps for a while now.
Step 1 ( Globals ): $ npm install -g sails
Step 2 ( App ): $ sails new myApp
Step 3 ( Files ): Copy every file in https://github.com/carlospliego/sails-token-auth-setup to its corresponding folder
Step 3A: To have another authentication strategy, just add another file in the app/policies/ directory.
Here is an example of what that might look like:
    module.exports = function hasValidProductApiToken(req, res, next) {
      if (someCondition) {      // e.g. the request carries a valid product API token
        return next();          // call next to continue to the controller
      }
      return res.forbidden();   // otherwise reject; never leave the request hanging
    };
Step 4 ( Policies ): Add this code to your config/policies.js:
    '*': 'hasToken',          // every action requires a valid token by default
    UserController: {
      create: true            // except signup
    },
    AuthController: {
      '*': true               // and login/logout
    }
Step 5 ( Secret ): Change the value of config/tokenSecret.js.
Step 6 ( Dependencies ):
npm install --save passport
npm install --save passport-local
npm install --save bcrypt-nodejs
npm install --save jsonwebtoken
npm install --save express-jwt
Your endpoints will look like this:
POST/GET/PUT/DELETE user/
POST auth/login
DELETE auth/logout
Here is a great guide on how to create token based authentication in sails: https://github.com/carlospliego/sails-token-auth-setup
Related
I want to develop a backend with NestJS for one of my company's projects.
I have to check whether the user is logged in through the CAS (Central Authentication Service).
I wanted to use the "express-cas-authentication" npm module, but I can't find out how to implement it in the main.ts file of NestJS.
Here's the npmjs doc page: https://www.npmjs.com/package/express-cas-authentication
Actually, the following lines are annoying me:
    app.get( '/app', cas.bounce, function ( req, res ) {
        res.send( '<html><body>Hello!</body></html>' );
    });
As far as I can see, this is not something that works on NestJS; if someone has a clue, it'd be a great help!
Good evening Ladies and Sirs!
I'm trying to use the same JWT to authenticate against a Nest backend across server reseeds. When I say 'reseed', I mean:
    npm run schema:drop && npm run migration:run
In the migration, a user is created with a predefined username and password. Logging in with username and password indeed works across reseeds, but a previously acquired JWT doesn't work anymore after reseeding.
Is there a way to make this work?
I want to build an app which has a static frontend (target: 'static' in nuxt.config.js) and a backend using ktor. The app will need to authenticate users, but I do not want to manage passwords and such myself, so I would like to integrate with AWS Cognito. Based on my understanding, I think this is the workflow I want:
User is browsing the site anonymously (no login).
They do some action which requires login or explicitly click on the login button.
User gets redirected to the AWS Cognito UI for login. They may register for a new account, log in with their existing one, or log in using another provider (after configuring Cognito for it).
The Cognito UI redirects the user back to the app UI but with JWT tokens in the query params (I think this is just how Cognito does it).
The JWT token(s?) get stored in the vuex store / nuxt auth.
The token is used when making requests to the backend, as well as for showing some additional components/actions if the user is authenticated, and their basic info like username (part of the JWT?).
I think I have Cognito and the ktor backend set up correctly, but I don't know how to get started on the frontend.
The nuxt auth module guide says to set up middleware, but afaik middleware is only for server-side rendered apps.
I need to activate the vuex store, but I don't know what to put there. Are there some specific things the auth module expects, or do I just create an empty file in the directory?
How do I tell it when to redirect or read the token from the query param?
How do I parse the JWT token (if it doesn't do so automatically) and get some payload info like the username from it?
Does the axios module get configured automatically to make use of this?
I found this old GitHub issue 195 in the auth module repo, but I believe that's for when the "login form"/UI is part of the nuxt app and the client is making use of the Cognito API without a 'redirect'.
Unfortunately everything in this stack is new to me, so any help is appreciated. If there is already a project doing something similar, I'll look at the code and try to figure it out, but right now I'm lost.
Update 2020-12-31, mainly so that I can put a bounty on this soon: The live demo at https://auth0.nuxtjs.org/ seems to be doing what I'm looking for, but then the GitHub page README shows something else: https://github.com/nuxt/example-auth0. Also I don't see middleware/plugins used anywhere; it's all mostly configured through the nuxt config, so does it only work for the auth0 custom provider?
I was having the same issue as you:
How do I tell it when to redirect or read the token from the query param?
I solved this by configuring auth.redirect.callback to match the endpoint that Cognito will call back with the token. I believe this tells the middleware when to look for a new token in the query param.
nuxt.config.js:
    auth: {
      redirect: {
        callback: '/signin',
        ...
      },
      strategies: {
        awsCognito: {
          redirectUri: "http://localhost:8080/signin",
          ...
        }
      }
    }
And to answer your other questions:
The nuxt auth module guide says to set up middleware, but afaik middleware is only for server-side rendered apps.
I tried this setup with ssr: false and it still works fine.
I need to activate the vuex store, but I don't know what to put there. Are there some specific things the auth module expects, or do I just create an empty file in the directory?
An empty index.js file is fine.
How do I tell it when to redirect or read the token from the query param?
See the first answer above.
How do I parse the JWT token (if it doesn't do so automatically) and get some payload info like the username from it?
From my initial testing I found that the middleware will automatically call the userInfo endpoint when user data is requested, e.g. this.$auth.user.email:
    strategies: {
      awsCognito: {
        scheme: "oauth2",
        endpoints: {
          userInfo: "https://x.amazoncognito.com/oauth2/userInfo",
        }
      }
    }
Ref: https://docs.aws.amazon.com/cognito/latest/developerguide/userinfo-endpoint.html
Does the axios module get configured automatically to make use of this?
Yes.
I want to understand whether nuxt-auth uses serverMiddleware and, if not, how I can implement one. I want to make my admin panel really secure. I have my backend secured; however, even if someone manages to get past the auth middleware on the frontend, which won't be that difficult (if the auth module uses client-side middleware), I don't want nuxt to provide him/her with the layout and all pages, even though I know that he/she is not going to be able to do anything, because my routes on the backend require token verification and account data. If you can, please provide some info on the subject. Thanks!!!
So, in short, you cannot use the middleware provided by the @nuxtjs/auth plugin as a serverMiddleware; you can only use it as a normal middleware.
But that doesn't mean that it's insecure. Normal middleware actually executes both on the server and on the client side before the page is rendered, so if you want a middleware that throws a 404 if the user isn't logged in, you can do this in a normal middleware too. The capabilities of serverMiddleware are actually limited: you can access neither the store nor any client-side information, because you only get (req, res, next) as parameters, and since authentication is stored in the store and in cookies you can't make it work in Node.js only. This is a good example of what you can use serverMiddleware for: https://jackwhiting.co.uk/posts/handling-redirects-in-nuxtjs-through-middlware/
If you console.log something in a normal middleware, you should be able to see it both in your developer console and in the bash session where npm run dev is running; this means that first the server executes it and then the client side does too.
I am trying to build an app with Meteor that involves the user signing in with twitter, facebook, or google+, and then posting to those accounts from within the application.
First I'm trying to get Twitter to work. I have my Twitter sign-in working, with the permission to tweet on their behalf working, but how do I actually send a tweet?
I think I need this: https://dev.twitter.com/docs/api/1.1/post/statuses/update but I can't figure out how the authentication works with Meteor.
Are there any examples that can help me here? Or tutorials?
You need an API to help you a bit, unless you want to do it manually using REST with Meteor.http. I'd recommend you get meteorite: https://github.com/oortcloud/meteorite
It's installed like a node module via npm install -g meteorite
Meteorite is a wrapper for meteor that lets you use the community packages over at http://atmosphere.meteor.com
The Twitter package you could use is twitter-api, installed via mrt add twitter-api: https://github.com/Sewdn/meteor-twitter-api
Once added, using the server API you can add a tweet via:
Server JS
    var twitter = new Twitter();
    Meteor.methods({
      postTweet: function (text) {
        // Only logged-in users may post; reject anonymous calls instead of silently ignoring them
        if (!Meteor.user()) {
          throw new Meteor.Error("not-authorized", "You must be logged in to tweet");
        }
        twitter.postTweet(text);
        return true;
      }
    });
Client JS
    // Use this in your click handler where you want to post a tweet:
    Meteor.call("postTweet", "This is Twweeeeeetttt!", function (err, result) {
      if (!err) {
        alert("Tweet posted");
      }
    });
The API takes care of the user's OAuth tokens, so you don't have to worry too much.