The local authentication does not call defaultCallback of passport

[AhtiAhde]

I have struggled to find out how I can make the 3rd party authentication and local authentication to write accessToken and userId cookies (and do everything else) similarly.

It seems, that you have a bug here:
loopback-example-passport/server/views/pages/local.jade

Instead of posting the /auth/local/callback, as it should, it posts to /auth/local instead. This causes a simple login, without creating accessTokens, while the 3rd party logins will always create accessTokens. There might be some use cases, where not creating accessTokens for local users, but creating them for 3rd party users is how you want the system to behave.

I would recommend, that you would fix this so, that in this particular example, all the authentication schemes would create accessTokens as that seems to be what people are expecting to happen, so:

In providers.json we need:

  "local": {
    "provider": "local",
    "module": "passport-local",
    "usernameField": "username",
    "passwordField": "password",
    "authPath": "/auth/local",
    "callbackHTTPMethod": "post",
    "successRedirect": "/auth/account",
    "failureRedirect": "/local",
    "failureFlash": true,
    "setAccessToken": true
  },

The important things here are, "callHTTPMethod": "post" and "setAccessToken": true.

And in /server/views/pages/local.jade, change:

-      form(role='form', action='/auth/local', method='post')
+      form(role='form', action='/auth/local/callback', method='post')

All this complexity is caused by HTTP standards; while 3rd Parties can pass "code" as query parameter when redirecting, doing so with user credentials after POSTing to "/auth/local" would cause two problems:

1. Passing credentials in query params would be safe withing HTTPS, but would cause your log files to become huge security risk.
2. HTTP Redirects 301 Moved Permanently and 302 Found do not allow passing HTTP body as they only support GET requests. There is HTTP 307 Temporary Redirect in HTTP 1.1, which would allow rePOSTing to another location, but some browsers MAY implement it in such way, that the user must be prompted, thus this HTTP code is not supported by many frameworks for redirections, Express JS included. So, there would not be a good way to pass credentials from "/auth/local" to "auth/local/callback".

As far as I know, the route POST "/auth/local" does nothing important, which would not be done by "/auth/local/callback", the solution I suggest, actually solves the problem without side effects, as far as I am aware of.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[stale]

This issue has been closed due to continued inactivity. Thank you for your understanding. If you believe this to be in error, please contact one of the code owners, listed in the CODEOWNERS file at the top-level of this repository.