Is there a way to use passport login together with client-side login? #26

Closed
maciejjankowski opened this issue Feb 4, 2013 · 11 comments

Comments

@maciejjankowski maciejjankowski commented Feb 4, 2013

Say I want to log in from client-side JavaScript and have passport enforce that authentication. Should I somehow pass signedrequest or accesstoken to passport?

@chaolam chaolam commented Feb 26, 2013

+1 encountering the same issue too

@pavelnikolov pavelnikolov commented Apr 15, 2013

+1

@markwillis82 markwillis82 commented Apr 17, 2013

+1 on this too

@pavelnikolov pavelnikolov commented Apr 17, 2013

I have a single-page application. It does not use cookies. Instead I use access_token with the requests that need authentication. This access_token is an alphanumeric string 40 chars long and valid only for 1 hour. In order to use Facebook auth I need to click a "login with facebook" button which leads to http://api.mydomain.com/auht/facebook. Then when the Facebook callback is called my API generates a token and needs to send this token to the client somehow.
Right now I'm redirecting the client to a parametrized URL like this one /#/auth/:token so that the client can get the token and from that point on make authenticated requests to the API server. I don't like this solution. My app is still in development mode and I would like to release it in production with a better way of giving the token to the client.

-Pavel

@ptz0n ptz0n commented Jun 18, 2013

@pavelnikolov Your solution works but, as you mention, is kind of a hack.

After digging into this strategy I took a step back and realised that it's a pure OAuth 2.0 wrapper. Aside from the Facebook JavaScript SDK client-side authentication.

Using the Facebook client-side accessToken (short lived) it's not possible to log in the user (via XHR) without the redirect that OAuth 2.0 enforces. I've implemented this in a project simply by using the req.login method after verifying the token and fetching user data from Facebook.

Conclusion: Client-side authentication via the Facebook JavaScript SDK is not a natural feature of this strategy and should be defined as a separate Passport strategy.

@pavelnikolov pavelnikolov commented Jun 18, 2013

Thank you for your reply - I knew there should be a better way. I haven't used that so far. Can you point me to a link to some documentation or examples?

@ptz0n ptz0n commented Jun 18, 2013

@pavelnikolov Using Express, Mongoose and FBgraph, this is a simplified example of a POST controller:

```js
// Use the access token sent by the client for the Graph API call
graph.setAccessToken(req.body.accessToken);
graph.get('me?fields=id,email,name', function(err, data) {
    if(err) return res.json(400, err);

    User.findOne({'facebook.id': data.id}, function(err, user) {
        if(err) return res.json(400, err);

        if(!user) {
            // First login, create user object..
            // (user is null here until the new object is created and assigned)

            // Then login the user
            req.login(user, function(err) {
                if(err) return res.json(400, err);
                res.json(user);
            });
        }
        else {
            // User found, update user object..

            // Then login the user
            req.login(user, function(err) {
                if(err) return res.json(400, err);
                res.json(user);
            });
        }
    });
});
```
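
The controller above logs in whichever user the submitted token resolves to, so the "verifying the token" step should also confirm that the token was issued to this application and belongs to the same user before `req.login` is called. The following is an added example, not code from this thread or from passport-facebook: it evaluates the reply of the Graph API `debug_token` endpoint, and `APP_ID`, the helper names and the sample replies are constructed for illustration.

```javascript
// Placeholder app id for this example (constructed, not a real app).
const APP_ID = '1234567890';

// URL of the Graph API debug_token call. The app access token is sent in its
// "app_id|app_secret" form, so this request must only be made server-side.
function debugTokenUrl(userToken, appId, appSecret) {
  return 'https://graph.facebook.com/debug_token' +
    '?input_token=' + encodeURIComponent(userToken) +
    '&access_token=' + encodeURIComponent(appId + '|' + appSecret);
}

// Decide whether the token may be used to log in the Graph user `meId`
// (the id returned by the 'me' call). `body` is the parsed debug_token reply.
function checkDebugToken(body, expectedAppId, meId, nowSec) {
  const d = body && body.data;
  if (!d || typeof d !== 'object') return { ok: false, reason: 'malformed' };
  if (d.is_valid !== true) return { ok: false, reason: 'invalid' };
  // A token issued to a different app must not create a session here.
  if (String(d.app_id) !== String(expectedAppId)) return { ok: false, reason: 'wrong_app' };
  // Policy assumption: only short-lived tokens are accepted, so a missing or
  // zero expiry is rejected along with one that has already passed.
  if (!(Number(d.expires_at) > nowSec)) return { ok: false, reason: 'expired' };
  if (!d.user_id || String(d.user_id) !== String(meId)) return { ok: false, reason: 'user_mismatch' };
  return { ok: true, reason: 'ok' };
}

// Constructed debug_token replies, evaluated at a fixed clock value.
function runSamples() {
  const now = 1371550000;
  const good = { app_id: APP_ID, is_valid: true, expires_at: now + 3600, user_id: '42' };
  const cases = [
    good,
    Object.assign({}, good, { app_id: '999' }),
    Object.assign({}, good, { expires_at: now - 1 }),
    Object.assign({}, good, { user_id: '43' }),
    Object.assign({}, good, { is_valid: false }),
  ];
  return cases.map(c => checkDebugToken({ data: c }, APP_ID, '42', now).reason);
}

console.log(runSamples().join(' '));
```

In a handler like the one above, the session would be created only when `checkDebugToken(...).ok` is true; any other result is answered with an error and no `req.login` call.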
@pavelnikolov pavelnikolov commented Jun 18, 2013

Thank you. I will try this for sure.

Owner

@jaredhanson jaredhanson commented Aug 15, 2013

See passport-facebook-token, which implements this as a Passport strategy.

@etler etler commented Feb 1, 2014

The solutions here look good for Facebook token authentication, but is there one for Google? Google also provides a client-side API method for getting an access token:

https://developers.google.com/+/web/signin/javascript-flow

@ptz0n ptz0n commented Feb 2, 2014

@etler Sure, using the same approach would work fine. See https://developers.google.com/+/web/signin/client-to-server-flow
