OAuth2 with nodejs api and standard javascript app

Question

I'm trying to create an sort of plugin that users can simply add to a website and it will make COR calls to my app and return JSON that will be handled by the client side javascript.

This is working how I want it to, but now I'm trying to make sure that the user logs into my app before being allowed to receive any JSON from my server side app.

From here on I'll refer to my Node.js API as Server and the straight JS plugin as Client

I found a npm plugin for node that handles OAuth2 on the Server, but I'm not sure I'm really understanding how to use it. Here's the link and I found this for taking care of it on the Client side.

Client -> App initializer:

define [
  'oauth2'
], (oauth2) ->
  App =
    Models: {}
    Collections: {}
    Views: {}

    initialize: () ->
      $.get "/javascripts/mu-config.json", (config) =>
        @api_url = config.api
        @site = config.site
        @credentials = config.credentials
        @make_oauth_call()


    make_oauth_call: ->
      @xhr = new oauth2.OAuth2XMLHttpRequest
        authorizeEndpoint: "#{this.api_url}/callback"
        tokenEndpoint: "#{this.api_url}/oauth/access_token"
        clientID: this.credentials.clientID
        clientSecret: this.credentials.clientSecret
        localStoragePrefix: "oauth2.#{this.site.name}"
        requestAuthorization: (callback) ->
          console.log 'what?'
          console.log callback


    @xhr.onreadystatechange =  () ->
      console.log "do something"


    @xhr.open "GET", "#{this.api_url}/notes?site=1&user=1"
    @xhr.setRequestHeader 'Content-type', 'application/x-www-form-urlencoded'
    @xhr.send "site=1&user=1"

So what works here? Well the @xhr.open ... does in fact grab JSON from the Server, but that's about it. I'm not getting any errors from the Client, but the console.log 'what?' does not fire and I don't believe anything is getting authenticated.

Server -> oauth.coffee

  token = null
  credentials =
    clientID: "sparkmasterflex"
    clientSecret: "bob_the_builder"
    site: 'http://marking_up.dev'

  OAuth2 = require('simple-oauth2') credentials


  authorization_uri = OAuth2.AuthCode.authorizeURL
    redirect_uri: 'http://localhost:3000/callback'
    scope: 'sites'
    state: '55fce6241c8e6432e8dfee583141aa58'

  res.redirect(authorization_uri)

  OAuth2.AuthCode.getToken
    code: "something here"
    redirect_uri: "http://localhost:3000/callback"
  , saveToken

  saveToken = (error, result) ->
    console.log('Access Token Error', error.message) if error
    token = OAuth2.AccessToken.create(result)

  module.exports = OAuth2

Server -> router

express = require("express")
db = require "../database"
oauth2 = require "../oauth"

router = express.Router()

# GET home page.
router.get "/", (req, res) ->
  res.render 'index',
    title: "Hello world"

# Initial page redirecting to Github
router.get '/auth', (req, res) ->
  res.redirect authorization_uri


# Callback service parsing the authorization token and asking for the access token
# router.get '/callback', (req, res) ->
router.route('/callback')
  .get (req, res) ->
    code = req.query.code
    console.log '/callback'
    oauth2.AuthCode.getToken
      code: code
      redirect_uri: 'http://localhost:3000/callback'
    , saveToken

    saveToken = (error, result) ->
      console.log('Access Token Error', error.message) if error
      token = oauth2.AccessToken.create(result)

module.exports = router

Running the node server I get this error:

/Users/raymondke99/Sites/marking_up_api/oauth.js:19

res.redirect(authorization_uri);
^

ReferenceError: res is not defined
   at Object.<anonymous> (/Users/raymondke99/Sites/marking_up_api/oauth.js:19:1)
   at Module._compile (module.js:456:26)
   at Object.Module._extensions..js (module.js:474:10)
   at Module.load (module.js:356:32)
   at Function.Module._load (module.js:312:12)
   at Module.require (module.js:364:17)
   at require (module.js:380:17)
   at Object.<anonymous> (/Users/raymondke99/Sites/marking_up_api/routes/index.js:7:10)
   at Module._compile (module.js:456:26)
   at Object.Module._extensions..js (module.js:474:10)

I'm kinda at a loss here. The documentation for both of these seem pretty thorough but I still feel like I'm missing a huge chunk of information. Can anyone help and/or lead me to help?

Thank you

EDIT

I removed res.redirect() from oauth.coffee and I get the following error:

/Users/raymondke99/Sites/marking_up_api/node_modules/simple-oauth2/lib/core.js:16

  throw new Error('Callback not provided on API call');

    ^

Error: Callback not provided on API call
  at Object.api (/Users/raymondke99/Sites/marking_up_api/node_modules/simple-oauth2/lib/core.js:16:13)
  at Object.getToken (/Users/raymondke99/Sites/marking_up_api/node_modules/simple-oauth2/lib/client/auth-code.js:34:8)
  at Object.<anonymous> (/Users/raymondke99/Sites/marking_up_api/oauth.js:19:17)
  at Module._compile (module.js:456:26)
  at Object.Module._extensions..js (module.js:474:10)
  at Module.load (module.js:356:32)
  at Function.Module._load (module.js:312:12)
  at Module.require (module.js:364:17)
  at require (module.js:380:17)
  at Object.<anonymous> (/Users/raymondke99/Sites/marking_up_api/routes/index.js:7:10)

I have more than one router because I'm using expressjs and I'm not sure where I'm supposed to have the 'catch-all' redirect. Does it need to go into every router?

Answer 1

Why do you have "res.redirect(authorization_uri)" in the oath file? You seem to already have the GET endpoint in your router?