Make passport.authenticate() callbacks more useful #423
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The `callback` argument is challenging to use because passport treats it as an
alternative to its default behavior for Strategy#succes, #fail and #error, but
the callback doesn't have access to the same middleware variables (req, res,
next, multi and failures) that passport does.
This is change moves all passport login logic into a function, and uses that
function as the default value of `callback`. The only API change is that the
signature of the `callback` function changes from:
function (err, user, info, status) {}
To
function (err, user, info, status, req, res, next) {}
This changes code that previously needed to do this:
```javascript
app.get('/protected', function(req, res, next) {
passport.authenticate('local', function(err, user, info) {
if (err) { return next(err) }
if (!user) { return res.redirect('/signin') }
res.redirect('/account');
})(req, res, next);
});
```
To be able to do this:
```javascript
app.get('/protected',
passport.authenticate('local',
function(err, user, info, status, req, res, next) {
if (err) { return next(err) }
if (!user) { return res.redirect('/signin') }
res.redirect('/account');
}
)
);
```
This has three main benefits:
* It avoids having to recreate the middleware function on every request
* It makes the syntax more readable to engineers new to JavaScript, Node or
passport
* It makes the strategy augmentation logic more understandable to strategy
developers
I feel this is valuable because the only reason you'd want to use the callback
argument instead of default passport handling is if your application was
delegating session management outside of Express (e.g. to another service), and
performance was a major consideration.
Given the existing workarounds for the issue, the change should also not have
any negative security implications.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
callbackargument is challenging to use because passport treats it as analternative to its default behavior for Strategy#succes, #fail and #error, but
the callback doesn't have access to the same middleware variables (req, res,
next, multi and failures) that passport does.
This is change moves all passport login logic into a function, and uses that
function as the default value of
callback. The only API change is that thesignature of the
callbackfunction changes from:To
This changes code that previously needed to do this:
To be able to do this:
This has three main benefits:
passport
developers
I feel this is valuable because the only reason you'd want to use the callback
argument instead of default passport handling is if your application was
delegating session management outside of Express (e.g. to another service), and
performance was a major consideration.
Given the existing workarounds for the issue, the change should also not have
any negative security implications.