Authentication Tutorial always returns 401 Unauthorized after implementing local strategy #875

Closed
labcorp-clinical-development opened this issue Dec 10, 2019 · 9 comments

@labcorp-clinical-development

Bug Report

Current behavior

Work through the steps on the Authentication tutorial until you complete the "Login Route" step.

Input Code

https://docs.nestjs.com/techniques/authentication

Expected behavior

When POSTing valid user credentials to /auth/login, the user should be returned as part of the response.

I have verified that my user's credentials are correct and that my MongoDB query works as expected when executed against the collection of User objects.

However, a 401 unauthorized is always returned.

Possible Solution

Environment

Any


Nest version: X.Y.Z

 
For Tooling issues:
- Node version: XX  
- Platform:  

Others:

@labcorp-clinical-development
Author

Interestingly, if I supplied options to the AuthService to override Passport, it always returned a 401. Example:

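```typescript
import { Injectable } from '@nestjs/common';
import { PassportStrategy } from '@nestjs/passport';
import { Strategy } from 'passport-local';
// AuthService is the author's own service; its import is not shown in the post.

@Injectable()
export class LocalStrategy extends PassportStrategy(Strategy) {
  constructor(private readonly authService: AuthService) {
    // Tell passport-local which request fields hold the credentials.
    super({
      usernameField: 'email',
      passwordField: 'password',
    });
  }

  // ... (rest of the class, including validate(), is not shown in the post)
}
```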

If I remove these options, it works as expected.

@kamilmysliwiec kamilmysliwiec transferred this issue from nestjs/nest Dec 10, 2019
@kamilmysliwiec
Member

cc @johnbiundo

@johnbiundo
Member

@labcorp-clinical-development Do you have a minimal reproduction of this issue?

@labcorp-clinical-development
Author

Hi @johnbiundo. I do in a private Gitlab repo. I'm fairly busy at the moment, but let me try to find some time this evening to get a publicly available repo to you.

I'm using MongoDB + Mongoose for database connectivity and "email" for the "username" field.

It seemed to be a combination of the method I was using to retrieve the user, and also changing the PassportStrategy. Given that removing the strategy makes the application work, the bug has to be related to my service method.

@johnbiundo
Member

@labcorp-clinical-development Sure thing. It would be great to reduce it to a minimal case. I would start by removing the dependency on MongoDB (e.g., hard code user info) to eliminate that variable and to make the repro test case simple to work with.

@leosuncin

@johnbiundo a failing example is here: https://github.com/leosuncin/nest-auth-example, but only with Node.js versions greater than 13.0.0; in previous versions it works well.

@kamilmysliwiec
Member

Let's track this here nestjs/nest#3631

@thierri

thierri commented Apr 26, 2020

The problem is the signature of the validate method on the LocalStrategy class. Make sure it receives exactly username and password.

If you replace username with email or something else, it will not overload the original PassportStrategy method, always returning Unauthorized and giving no clue of the error.

```typescript
async validate(username: string, password: string): Promise<any> {
  // Do any validation here.
}
```

@jmcdo29
Member

jmcdo29 commented Apr 26, 2020

The docs do say this:

We've also implemented the validate() method. For each strategy, Passport will call the verify function (implemented with the validate() method in @nestjs/passport) using an appropriate strategy-specific set of parameters. For the local-strategy, Passport expects a validate() method with the following signature: validate(username: string, password:string): any.

About three paragraphs above here

@nestjs nestjs locked as off-topic and limited conversation to collaborators Apr 27, 2020
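
The credential lookup that decides whether validate() is ever reached, as an added example that is not code from this thread, NestJS or passport-local: a simplified model of how the local strategy reads the request fields named by usernameField and passwordField (body first, then query string) and fails with "Missing credentials" when one is absent, which the Nest guard reports as a bare 401. The names resolveCredentials, pick, FieldBag and LoginRequest and the sample requests are assumptions made for illustration.

```typescript
// Simplified model of passport-local's credential lookup (added example, not library code).
// Simplifications: only non-empty string values count; nested field paths are ignored.
interface LocalOptions { usernameField?: string; passwordField?: string; }
interface FieldBag { [key: string]: unknown; }
interface LoginRequest { body?: FieldBag; query?: FieldBag; }
interface Outcome { validateCalled: boolean; args: string[]; reason: string; }

// Return the named field if it is a string, otherwise an empty string.
function pick(src: FieldBag | undefined, field: string): string {
  const value = src ? src[field] : undefined;
  return typeof value === 'string' ? value : '';
}

function resolveCredentials(options: LocalOptions, req: LoginRequest): Outcome {
  const userField = options.usernameField || 'username';
  const passField = options.passwordField || 'password';
  const username = pick(req.body, userField) || pick(req.query, userField);
  const password = pick(req.body, passField) || pick(req.query, passField);
  if (!username || !password) {
    // The strategy fails here, so validate() never runs and nothing is
    // logged by the application's own auth service.
    const missing = !username ? userField : passField;
    const bodyKeys = Object.keys(req.body || {}).join(', ');
    return {
      validateCalled: false,
      args: [],
      reason: 'no "' + missing + '" in request; body keys: [' + bodyKeys + ']',
    };
  }
  // Values reach validate() by position: username field first, password field second.
  return { validateCalled: true, args: [username, password], reason: '' };
}

// Constructed sample requests (not taken from the issue).
const postedWithUsername: LoginRequest = {
  body: { username: 'user@example.test', password: 'constructed-pw' },
};
const postedWithEmail: LoginRequest = {
  body: { email: 'user@example.test', password: 'constructed-pw' },
};
const emailOptions: LocalOptions = { usernameField: 'email', passwordField: 'password' };
```

Running the request body a client actually sends through such a check, next to the options passed to super(), shows whether a 401 comes from a field-name mismatch or from validate() itself.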