
feathers-authentication branch 0.8 did not work with payload (tested on socket) #264

simonjoom opened this Issue Aug 10, 2016 · 1 comment

simonjoom commented Aug 10, 2016

This post is a report of my work to allow persistent login with a token-based check with branch 0.8 of feathers-authentication.

I did some research to get mostly the same behavior as the feathers-authentication stable release (latest).
I found some problems in the code of feathers-authentication.

----------ISSUE-------------------

'jwt issuer invalid. expected: feathers'

I use REST and socket on the server side:

```js
.configure(rest())
.configure(socketio())
```

socket is used to register and to login,
rest makes some tests on the token on browser refresh

I started my coding from the standard example supplied (I kept the configuration and middleware order on the server side and client side).

The REST check of the token issued by login makes some problems when it passes
`feathers-authentication:token Verifying token`

  • my config feathers.json is

```json
"auth": {
  "token": {
    "secret": "monsecret"
  },
  "user": {
    "idField": "uuid",
    "endpoint": "/user"
  }
}
```

my idField is personal and generated with uuid.v4,
so I have _id and uuid in the mongo table

Here are the different things to make it work:

  • In src/services/local.js:
    tokenEndpoint is not right:
    `tokenEndpoint: '/auth/local',`
    change it for
    `tokenEndpoint: '/auth/token',`

so I need to add idField in services/token.js like it is in services/local.js

  • around line 196 set

```js
const { passwordField, idField } = authConfig.user;
options = merge(defaults, authConfig.token, options, { passwordField, idField });
```

  • around line 130
    the last patch should be omitted, else options are not the same as before refresh -> and not good for keeping the session logged in

```js
// if (!data.iss) {
options.issuer = issuer;
// }
// if (!data.sub) {
options.subject = subject;
// }
// if (!data.exp) {
options.expiresIn = expiresIn;
// }
// here it's my hack
if (data.sub) {
  data = { [this.options.idField]: data[this.options.idField] };
}
```

if data.sub exists, rewrite data without the sub, exp properties ... (these are not here when not logged in)

because data.sub does not exist when the user is not logged in (there is no jwt.verify pass before creating the payload)

from the token, jwt.verify puts some properties in the payload result (sub, exp ...), then
the payload (data) in jwt.sign is not the same as when I was not logged in;
the result is that after 2 refreshes I have 'unauthorized' and I'm not logged in anymore

  • I have a persistent login after the above changes

Finally in debug I have something good:
`New JWT issued with payload +0ms { uuid: 'b68a370c-c180-41c8-b573-6de42a8dd723' }`
For every refresh my token is different (is it important to change it???)

after 30 sec my login session does not work (so it's fine, because it's the configuration of the 'feathers-jwt' token)

Here is my client-side code, a simple class to manage login authorization:

```js
// part initialization:
// app() and service() used below return this configured app and one of its services
feathers()
  .configure(socketio(socket))
  .configure(hooks())
  .configure(authentication({ storage: window.localStorage, cookies: { enable: true } }));

// class login-auth:
class LoginAuth {
  init() {
    // get token from localStorage
    const token = (process.env.BROWSER)
      ? window.localStorage.getItem('feathers-jwt')
      : null;
    // auto-login with jwt
    if (token) this.jwtAuth();
  }

  @action
  updateUser(data = {}) {
    // make stuff with user
    const av = { email: data.email, username: data.username };
    this.user = av || {};
  }

  jwtAuth() {
    // auto login
    return app()
      .authenticate({})
      .then((result) => this.updateUser(result.user))
      .catch((err) => {
        console.error('errorauth'); // eslint-disable-line no-console
        console.error(err); // eslint-disable-line no-console
      });
  }

  @action
  login({ email, password }) {
    return app()
      .authenticate({ type: 'local', email, password })
      .then((result) => this.updateUser(result.user));
  }

  @action
  register({ email, password, username }) {
    return service('user')
      .create({ email, password, username });
  }
}
```

// server side

```js
app.use(compress())
  .configure(rest())
  .configure(socketio())
  .configure(hooks())
  .use(bodyParser.json())
  .use(bodyParser.urlencoded({ extended: true }))
  .configure(authentication({ cookies: { enable: true } })).configure(token()).configure(local())
  .configure(service) // I have the user service connected with mongoose
  .use('/', serveStatic(app.get('public')))
  .configure(middleware);
```

hook:

```js
import { hooks as auth } from 'feathers-authentication';
import { setUUID } from '../../hooks/setUUID';

/**
 * Hook: before
 * Service: user
 */
export default {
  all: [],
  find: [],
  get: [
    auth.verifyToken(),
    auth.populateUser(),
    auth.restrictToAuthenticated(),
    auth.restrictToOwner(),
  ],
  create: [
    setUUID(),
    auth.hashPassword(),
  ],
  update: [
    auth.verifyToken(),
    auth.populateUser(),
    auth.restrictToAuthenticated(),
    auth.restrictToOwner(),
  ],
  patch: [
    auth.verifyToken(),
    auth.populateUser(),
    auth.restrictToAuthenticated(),
    auth.restrictToOwner(),
  ],
  remove: [
    auth.verifyToken(),
    auth.populateUser(),
    auth.restrictToAuthenticated(),
    auth.restrictToOwner(),
  ],
};
```

@marshallswain marshallswain added this to the 1.0 milestone Oct 25, 2016

ekryski commented Nov 21, 2016

This is no longer valid, and we have tests in place for the new 1.0.0-beta version that is in master and slated for release that confirm this works.

@ekryski ekryski closed this Nov 21, 2016
