
I'm trying to implement a login/sign-up system similar to StackOverflow's, which is to say:

  1. Both the sign up and login links go to /users/login,
  2. Users click on an OAuth provider (e.g. Google) regardless of whether they're signing up or logging in,
  3. The OAuth callback goes to /users/authenticate if the account doesn't yet exist (page to confirm account creation), OR goes to / if the account already exists.
  4. (I'm adding an administrator account verification step here if the account is new, but not too important for this question.)

I'm not sure I'm going about this correctly. Relevant code below.

See if the profile exists in the database; if not, return the in-memory profile with the status = "new":

var passport = require('passport');
// OAuth 2.0 strategy from the passport-google-oauth module
var GoogleStrategy = require('passport-google-oauth').OAuth2Strategy;
// config (client id/secret) and db (open MongoDB connection) are the app's own modules, not shown here

passport.use(new GoogleStrategy({
        clientID: config.google_client_id,
        clientSecret: config.google_client_secret,
        callbackURL: "/auth/google/callback"
    },
    function (accessToken, refreshToken, profile, done) {
        // asynchronous verification, for effect...
        process.nextTick(function () {
            db.db.collection("users", function (err, collection) {
                // report errors through done(); throwing inside an async callback would crash the process
                if (err) return done(err);
                collection.findOne({id: profile.id}, function (err, record) {
                    if (err) return done(err);
                    // existing account: hand the stored record (with its status) to passport
                    if (record) return done(null, record);

                    // unknown account: pass the in-memory Google profile through,
                    // flagged so the callback route can send it to the confirm page
                    profile.status = "new";
                    done(null, profile);
                });
            });
        });
    })
);

Pick the redirect route after OAuth based on status:

app.get('/auth/google/callback',
    passport.authenticate('google', { failureRedirect: '/users/login' }),
    function (req, res) {
        switch (req.user.status) {
            case "validated":            // approved by an administrator
                res.redirect('/'); break;
            case "new":                  // not in the database yet
                res.redirect('/users/oauthconfirm'); break;
            case "pending":              // stored, awaiting administrator approval
                res.redirect('/users/login'); break;
            default:                     // unknown status: never leave the request hanging
                res.redirect('/users/login');
        }
    }
);

And finally, the route for confirming a new account:

// app.js
app.get('/users/oauthconfirm', routes.users.oauthconfirm);
// routes/users.js
exports.oauthconfirm = function(req, res, next) {
    // only a freshly authenticated profile that is not yet stored belongs here
    if (!req.user || req.user.status !== "new") return res.redirect('/users/login');
    db.db.collection("users", function (err, collection) {
        if (err) return next(err);
        // the stored account now waits for an administrator to validate it
        req.user.status = "pending";
        collection.insert(req.user, function (err, records) {
            if (err) return next(err);
            res.render('login', {messages: [{status: "success", text: "Thank you. You will receive an e-mail when your account is validated."}]});
        });
    });
};

What's the "correct" way to do this? I'm pretty sure my verify callback code is inappropriate. Thanks-

  • http://stackoverflow.com/questions/10111445/passport-different-redirect-for-login-and-account-registration?rq=1 Similar and suggests I am doing it more or less correctly. – ZachB Jul 20 '13 at 20:04

1 Answer

How to OpenId with passport-google: OpenId configure strategy

How to Oauth with passport-google-oauth: OAuth configure strategy

By reading your code I can't actually tell which one you are trying to apply. Seems OAuth but then I see a route with /users/openidconfirm which I find unnecessary.

I'll share you 2 links I found:

  1. OpenID vs. OAuth
  2. What's the difference between OpenID and OAuth?

Maybe you could improve your question/trouble so I could elaborate a better answer.

Hope this helps though.

  • It's oauth. Pardon the misnamed route. Edited. – ZachB Jul 28 '13 at 05:21
  • Have you checked the links I provided in the answer? The method should be simpler. When the user confirms on Google to allow your application to login, you should be creating an account instantly... since you already have the users confirmation and data. I don't believe the `/oauth/confirm` redirect route is needed. I believe that's the common pattern. – Cristian Douce Jul 29 '13 at 19:03
  • The method is basically the same. I have a three-way switch in there (with the `/oauth/confirm` route you pointed out) that is a midpoint until a site admin approves a user. On a site like StackOverflow, it's just the "thanks for registering"-type page. Meanwhile, a green check for you. Thanks- – ZachB Jul 29 '13 at 22:56
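The "create the account instantly in the verify callback" pattern the answer's comment describes, combined with the asker's pending-until-approved step, as an added example that is neither the asker's code nor the answerer's. It uses an in-memory Map in place of the Mongo collection, keys users by provider plus provider id (a constructed convention), stores only the fields it needs rather than the raw profile, and replaces the transient "new" status with a one-time `created` flag so a stored record can never be re-inserted:

```javascript
'use strict';

// Constructed in-memory store standing in for the "users" collection.
const users = new Map();

// Namespace the id by provider so ids from two providers cannot collide.
function userKey(profile) {
  return profile.provider + ':' + String(profile.id);
}

// Verify-callback body: look the account up, create it on first sight.
// New accounts start as "pending" and wait for administrator approval.
function findOrCreateUser(profile) {
  const key = userKey(profile);
  let user = users.get(key);
  let created = false;
  if (!user) {
    user = {
      key: key,
      provider: profile.provider,
      providerId: String(profile.id),
      displayName: profile.displayName || '',
      status: 'pending'
    };
    users.set(key, user);
    created = true;
  }
  return { user: user, created: created };
}

// The callback route's decision as a pure function: first sight goes to the
// "thanks for registering" page, otherwise the stored status decides.
function redirectFor(user, created) {
  if (created) return '/users/oauthconfirm';
  if (user.status === 'validated') return '/';
  return '/users/login';   // pending, or any unknown status: never hang the request
}

// Same signature as the GoogleStrategy verify callback; the info argument of
// done() carries the one-time flag so the route does not need a "new" status.
function verify(accessToken, refreshToken, profile, done) {
  try {
    const result = findOrCreateUser(profile);
    done(null, result.user, { created: result.created });
  } catch (err) {
    done(err);
  }
}

// Administrator approval: the next login goes straight to '/'.
function approveUser(key) {
  const user = users.get(key);
  if (!user) return false;
  user.status = 'validated';
  return true;
}
```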