1.0 Pre-release #336

merged 95 commits into from Nov 16, 2016


None yet

3 participants

ekryski commented Oct 29, 2016 edited


This is a pretty big overhaul and now utilizes passport for the core authentication. This allows us to use any passport strategy from any location: hooks, express middleware, sockets. It also future proofs us so that all we need to do is adapt any other framework or transport to match the expected Passport request object.

Still to do:

  • Fix tests
  • Wrap up integration tests
  • Fix Auth Client to be consistent
  • Update docs
    • Highlight new features
    • Migration guide
    • Highlight data flow to create a JWT
    • Document public API/Options
    • Document basic usage
    • Document customizing JWT payload
    • Document verifying a JWT payload
    • Document not sending a JWT
    • Document refresh tokens
    • Document expected request object (writing a custom adapter)
  • Show examples. These likely should just be guides on Medium with gists

Stretch Goals

  • Add wrapper plugins for common authentication strategies that are are more feathers specific:

These should remove a bunch of the passport boilerplate around setting up middleware routes, looking up the user, verifying password, and populating the user. They should pull from the main app config object. This should make for an easier transition for people as they generally can just be a one liner. Example usage:

const auth = require('feathers-authentication');
const permissions = require('feathers-permissions');
const local = require('feathers-authentication-local');
const jwt = require('feathers-authentication-jwt');
const oauth2 = require('feathers-authentication-oauth2');
const FacebookStrategy = require('passport-facebook').Strategy;
const memory = require('feathers-memory');

  .configure(oauth2({ //can provide multiple Oauth2 strategies
    facebook: { // defaults to '/auth/facebook' and '/auth/facebook/callback'
      strategy: FacebookStrategy
      clientID: '',
      clientSecret: '',
      options: { // passport options

  .use('/users', memory());

  before: {
    all: [
    find: auth.hooks.authenticate('jwt'),
    get: auth.hooks.authenticate('jwt'),
    create: auth.hooks.hashPassword(),
    patch: auth.hooks.authenticate('jwt'),
    remove: auth.hooks.authenticate('jwt'),

Other Information

Related to feathersjs/feathers-authentication-client#7

ekryski and others added some commits Apr 14, 2016
@ekryski ekryski cleaning up dependencies f6d247b
@ekryski ekryski Merge branch 'master' into 0.8 14bb7b3
@ekryski ekryski merging in master 545929a
@ekryski ekryski removing auth redirects and exposing middleware e6d4a86
@ekryski ekryski expanding express middleware 521294a
@ekryski ekryski moving what I can in services to setup method da777d9
@ekryski ekryski updating dependencies 36876c8
@ekryski ekryski cleaning up middleware and adding debug logs b6732ee
@ekryski ekryski cleaning up services and adding debug logs c031ac1
@ekryski ekryski changing options for populate user hook to conform with other options 982ee1d
@ekryski ekryski cleaning up main index file ce3b534
@ekryski ekryski fixing lint errors a10f7a6
@ekryski ekryski getting example app working cfc09e0
@ekryski ekryski fixing options for populate user middlware a61df31
@ekryski ekryski fixing socket logout emitting f4018d2
@ekryski ekryski restructuring so you can set hooks to construct your token payload if…
… you want to customize it
@ekryski ekryski Default to a session cookie instead of 1 day 7dd6a56
@ekryski ekryski Switch to "user" instead of "data" for the response from auth 444eca4
@ekryski ekryski Make sure we clear the user out of locals so that you don't end up in…
… a weird state.
@ekryski ekryski Allow passing options when creating a JWT.
Used to customize the type of token we want to generate (ie. confirmation, password reset, etc.)
@ekryski ekryski setting version afe3ca2
@ekryski ekryski don't throw an error in the decode token middleware 4dff589
@ekryski ekryski bump version 6fafb6e
@ekryski ekryski clearing cookie if use not found. Setting cookie age to same as JWT ed19823
@ekryski ekryski bump version 859178b
@marshallswain @ekryski marshallswain Don’t mix options when signing tokens (#255)
Fixes #254.
@marshallswain @ekryski marshallswain Attempt to get token right away. (#252)
* Attempt to get token right away.

This makes it so that we don’t have to wait for an async response in order to start making authenticated requests.

* Also set up localStorage.
@ekryski ekryski fix restrict to owner hook methods. Closes #228 2c49e00
@ekryski ekryski bump version f6274fe
@ekryski ekryski cookies should get set regardless of whether it was an xhr request if…
… enabled
@ekryski ekryski bumping version 5184a4c
@ekryski ekryski adding migration guide 664959b
@ekryski ekryski reorganizing middleware, hooks and services e53fd33
@ekryski ekryski updaing mocha 429d190
@ekryski ekryski updating migration doc of things left to doc/complete 388439e
@ekryski ekryski fixing a bunch of the tests and adding tests for all new middleware c2e7b58
@ekryski ekryski cleaning up client side tests. Still failing c5017ab
@ekryski ekryski getting all tests passing eb6709e
@ekryski ekryski updating all middleware to not have default and pull from global config fc58e0a
@ekryski ekryski finished consolidating options 62eafcc
@ekryski ekryski bumping version e4281fd
@ekryski ekryski adding more details to migration guide eeb5fbf
@marshallswain marshallswain fix typo missing 'd' 93c6f28
@marshallswain marshallswain Fix typo and simplify wording. c2a44b6
@marshallswain marshallswain normalize the callbackURL
If the callbackURL doesn’t begin with a slash, the Passport `authenticate()` call will mess up the URL depending on the referrer’s url.  So if the page is `domain.com/auth/github`, the callback URL will become `domain.com/auth/auth/github`.  This normalizes the URL so that relative URLs always begin with a leading slash and absolute URLs don’t get touched.
@marshallswain marshallswain Make sure the provider plugin name doesn't overwrite the OAuth provid…
…er name
@marshallswain marshallswain consistency: `callbackUrl` should be `callbackURL`
@marshallswain marshallswain Normalize comparison URL & fix typo
This performs the same normalization to the comparison URL for the callback (as is done for the callbackURL).  Also fixes typo in callbackUrl, updates it to callbackURL.
@marshallswain marshallswain Always use service lookup.
Previously, we were setting up this._tokenService and this._userService in the `setup` function.  This was a problem because not all services are registered by the time `setup` runs.  In order to continue to allow the passing of either strings or an actual service object, this PR checks if we only have a string reference to the service stored.  If so, it uses the `app.service` method of service lookup before attempting to use the service.  This also fixes a problem that was occurring when trying to call this._userService or this._tokenService when this was undefined inside the middleware callbacks.
@marshallswain marshallswain DRY up the dynamic token and user service lookup.
This moves the dynamic service lookup to a function to be a bit more DRY.
@marshallswain marshallswain OAuth require successRedirect with default successHandler
If a successHandler hasn’t been passed, then the default `successHandler` will be used.  The `successRedirect` will now be required in that scenario.
@daffl @ekryski daffl First cut for authentication middleware (#305)
* First cut for authentication middleware

* Fix service methods

* Allow passing user service and service name
@daffl @marshallswain daffl First cut for authentication middleware (#305)
* First cut for authentication middleware

* Fix service methods

* Allow passing user service and service name
@marshallswain marshallswain Merge pull request #304 from feathersjs/0.8-oauth-fixes
0.8 - OAuth fixes
@marshallswain marshallswain Cookies will match jwt expiry by default. (#308)
* Cookies will match jwt expiry by default.

* Add missing makeExpiry function.
@marshallswain marshallswain Store config at `app.config` (#312)
* Store config at `app.config`

* Use app.set to store config.

* Add test.
@ekryski ekryski adding instanbul code coverage 1220895
@daffl daffl Remove permissions hooks and middleware which will be put into feathe…
…rs-permissions (#307)
@daffl daffl Started implementation of more modularized module structure 1a58d87
@daffl daffl Some reorganization 5cda433
@daffl daffl Implement Socket new authentication 081aec0
@daffl daffl More reorganization and start of integration tests c8efa77
@ekryski ekryski eslint fix 33b50f8
@daffl daffl More integration tests and cleanup 30f2db0
@ekryski ekryski pulling down changes and resolving conflicts bd2aa8b
@ekryski ekryski Merge branch 'modularization' of github.com:feathersjs/feathers-authe…
…ntication into modularization
@ekryski ekryski reogranizing
@daffl daffl Applying latest changes and merging with dev other branch 80e0d0a
@daffl daffl Socket.io authentication tests and login logout event 9297a9c
@daffl daffl Improving socket tests and adding Primus a120020
@daffl daffl Some cleanup 253277b
@daffl daffl Better error verification tests 5e5b6a1
@daffl daffl Implement login and logout events for REST authentication (#325) ebf603f
@daffl daffl Fix tests 6a2787c
@ekryski ekryski wip 8700d11
@ekryski ekryski first cut of auth working with passport. Clean up and tests to do 33e61b4
@ekryski ekryski fixing event middleware resolution 8668382
+- `auth.idField` has been removed. It is now included in all services so we can pull it internally without you needing to specify it.
+- `auth.shouldSetupSuccessRoute` has been removed. Success redirect middleware is registered automatically but only triggers if you explicitly set a redirect. [See redirecting]() for more details.
+- `auth.shouldSetupFailureRoute` has been removed. Failure redirect middleware is registered automatically but only triggers if you explicitly set a redirect. [See redirecting]() for more details.
+- `auth.tokenEndpoint` has been removed. There isn't a token service anymore.
marshallswain Nov 15, 2016 Member

We should add a note stating why there isn't a token service anymore. Something like "It has been replaced by custom routes with auth strategies."

ekryski Nov 15, 2016 Member

Sure thing. It sort of is still there though. Currently that's basically what the authentication service is. It generates and removes token.

+- `auth.shouldSetupFailureRoute` has been removed. Failure redirect middleware is registered automatically but only triggers if you explicitly set a redirect. [See redirecting]() for more details.
+- `auth.tokenEndpoint` has been removed. There isn't a token service anymore.
+- `auth.localEndpoint` has been removed. There isn't a local service anymore. It is a passport plugin and has turned into `feathers-authentication-local`.
+- `auth.userEndpoint` has been removed. It is now part of `feathers-authentication-local` and is `auth.local.service`.
marshallswain Nov 15, 2016 Member

and is --> as

ekryski commented Nov 15, 2016

Tests aren't passing because the plugins and auth are all dependent on each other and aren't published yet. Almost done wrapping up the integration tests and I will publish a pre-release of all of them and then get the client wrapped up.

ekryski added some commits Nov 16, 2016
@ekryski ekryski adding some more tests. Implementing chained strategies b18ba61
@ekryski ekryski cleaning up dependencies 578f807
@ekryski ekryski finishing integration tests and handling socket logout timeout fbd8e8e
@ekryski ekryski merging in master and resolving conflicts
@ekryski ekryski cleaning up example app ea45f06
@ekryski ekryski fixing up example c399925
@ekryski ekryski updating README
@ekryski ekryski updating API docs
@ekryski ekryski merged commit 97f8004 into master Nov 16, 2016

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed
@ekryski ekryski deleted the 1.0 branch Nov 16, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment