
I'm protecting an API in my web app using Passport. Before hitting the resource, I want the user (from the OAuth client) to log in/authorize first.

I have tried both LocalStrategy and BasicStrategy; their implementations are almost 100% the same: just look up a user by email and verify the password. If I use BasicStrategy, the browser will bring up a dialog saying 'Authentication Required' and ask for username & password. However, if I use LocalStrategy, it just says 'Unauthorized', with no chance to log in.

So my questions are:

  1. How does the browser decide to bring up the login dialog, or is it done by BasicStrategy?

  2. Is it possible to show a login page with some UI, instead of the simple dialog?

Note that it's part of OAuth process so I don't really want to redirect to the login page.

Rupali Pemare
Stanley Luo

2 Answers


Passport is used only for authentication. Afterwards one needs to maintain a session, to check whether the user is logged in or not.

So you can make a middleware call before every route, with the middleware checking whether the user is logged in or not.

'use strict';

module.exports = {
  // Redirect anonymous users to /login; the login route itself is let
  // through so the redirect does not loop.
  isLoginCheck: function (request, response, next) {
    if (!request.session.user && request.path !== '/login') {
      response.redirect('/login');
    } else {
      next();
    }
  }
};

In the routes file, import the middleware:

var express = require('express'),
    indexController = require('./../controller/index'),
    middleware = require('./../middleware/index'),
    passport = require('passport'),
    router = express.Router();

// Routes registered before the login check stay reachable anonymously.
router.get('/addUser', indexController.addUser);
router.post('/saveUser', indexController.saveUser);
router.use(middleware.isLoginCheck);
router.get('/', indexController.index);
router.get('/login', indexController.login);
router.post('/login', function (request, response, next) {
  passport.authenticate('local', function (err, user, info) {
    if (err) {
      return next(err);
    }
    if (!user) {
      // The strategy produced no user: re-render the form with its message.
      var message = (info && info.message) || 'Invalid credentials';
      return response.render('login', { message: message, userLoggedIn: null });
    }
    request.logIn(user, function (err) {
      if (err) { return next(err); }
      request.session.user = request.user;
      response.redirect('/userList');
    });
  })(request, response, next);
});

module.exports = router;

Note: on success we are saving the verified user in the session, which will persist as long as the server is running. In the middleware above we are checking for that session object.

Rupali Pemare

It turned out that the authentication dialog is the sequela of a response header:

The browser detects that the response to my call on the XMLHttpRequest object is a 401 and the response includes WWW-Authenticate headers. It then pops up an authentication dialog asking, again, for the username and password.

Here's a very helpful post.

As for the standalone sign-in page, because it's part of the OAuth process, it's better to use Express's redirect.

Stanley Luo