Skip to content
Node.js module with CAS strategy for Passport.
JavaScript Shell
Branch: master
Clone or download
Pull request Compare This branch is even with KTH:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore
.travis.yml
LICENSE
README.md
build.sh
cas-gateway-strategy.js
cas-pgt-strategy.js
index.js
npm.conf
package-lock.json
package.json
routeHandlers.js

README.md

kth-node-passport-cas

Cas authentication strategy for Passport based but modified from github.com/sadne/passport-cas.

Migrating from <= 2.x to 3.x

We are now whitelisting the redirect url (nextUrl param) to only allow relative paths actually owned by the application. When upgrading you need to provide these in the initialising of this package.

Add proxyPrefixPath to route handler-init (normally in server.js):

require('kth-node-passport-cas').routeHandlers({
  casLoginUri: config.proxyPrefixPath.uri + '/login',
  casGatewayUri: config.proxyPrefixPath.uri + '/loginGateway',
  proxyPrefixPath: config.proxyPrefixPath.uri, // <-------------- here
  server: server
})

Also add proxyPrefixPath to redirect (normally in authentication.js):

require('kth-node-passport-cas').routeHandlers.getRedirectAuthenticatedUser({
  ldapConfig: config.ldap,
  ldapClient: ldapClient,
  proxyPrefixPath: config.proxyPrefixPath.uri, // <-------------- here
  unpackLdapUser: function (ldapUser, pgtIou) {
    return {
      username: ldapUser.ugUsername,
      displayName: ldapUser.displayName,
      email: ldapUser.mail,
      pgtIou: pgtIou,
      // This is where you can set custom roles
      isAdmin: hasGroup(config.auth.adminGroup, ldapUser),
      isSupport: hasGroup(config.auth.supportGroup, ldapUser),
      isSchema: hasGroup(config.auth.schemaGroup, ldapUser)
    }
  }
})

API

Strategy

Passport style authentication strategy implemented for login through KTH CAS.

Usage:

const passport = require('passport')
const Strategy = require('kth-node-passport-cas').Strategy
const log = require('kth-node-log')


const casOptions = {
  ssoBaseURL: 'https://url.to/cas',
  serverBaseURL: 'http://url.to.me:port',
  log: log
}

const strategy = new Strategy(casOptions,
  function (logOnResult, done) {
    return done(null, logOnResult.user, logOnResult)
  }
)

passport.use(strategy)

GatewayStrategy

Passport style authentication strategy implemented to check if user is logged in through KTH CAS.

const passport = require('passport')
const GatewayStrategy = require('kth-node-passport-cas').GatewayStrategy
const log = require('kth-node-log')

passport.use(new GatewayStrategy({
  casUrl: 'https://url.to/cas'
}, function (result, done) {
  done(null, result.user, result)
}))

getProxyTicket

Get a proxy ticket from CAS-service. Returns a promise.

Call signature:

const getProxyTicket = require('kth-node-passport-cas').getProxyTicket

getProxyTicket (casService, pgtId, targetService)
  .then((ticket) => {
    // do something...
  })
  .catch((err) => {
    // do something...
  })

Express Route Handlers

Express route handlers used for KTH CAS authentication.

const ldapConfig = { ... } // Object structure can be found in kth-node-configuration
const COOKIE_TIMEOUT = 5 // in seconds. The cookie timeout determines how long a user is considered "anonymous"

const ldap = require('kth-node-ldap')
const ldapClient =  ldap.createClient({
  url: ldapConfig.uri,
  timeout: ldapConfig.timeout,
  connectTimeout: ldapConfig.connecttimeout,
  maxConnections: ldapConfig.maxconnections,
  bindDN: ldapConfig.username,
  bindCredentials: ldapConfig.password,
  checkInterval: ldapConfig.checkinterval,
  maxIdleTime: ldapConfig.maxidletime,
  reconnect: true
})

const server = require('kth-node-server')
const passport = require('passport')

// Don't forget to register the strategies here (Strategy and GatewayStrategy shown above)

server.use(passport.initialize())
server.use(passport.session())

const { authLoginHandler, authCheckHandler, logoutHandler, pgtCallbackHandler, serverLogin, getServerGatewayLogin } = require('kth-node-passport-cas').routeHandlers({
  adminGroup: 'group_name', // LDAP admin group for this app
  casLoginUri: '/app/mountpoint/login',
  casGatewayUri: '/app/mountpoint/loginGateway',
  cookieTimeout: COOKIE_TIMEOUT,
  ldapConfig: ldapConfig,
  ldapClient: ldapClient,
  server: server
})
appRoute.get('cas.login', '/app/mountpoint/login', authLoginHandler)
appRoute.get('cas.gateway', '/app/mountpoint/loginGateway', authCheckHandler)
appRoute.get('cas.logout', '/app/mountpoint/logout', logoutHandler)
// Optional pgtCallback
appRoute.get('cas.pgtCallback', '/app/mountpoint/pgtCallback', pgtCallbackHandler)

// Make sure user is logged in and send to login page if not
server.get('/app/mountpoint', serverLogin, function (req, res) { ... })

// Make sure user is logged in and fail request if not
server.get('/app/mountpoint/gateway', getServerGatewayLogin('/'), function (req, res) { ... })
You can’t perform that action at this time.