制作与passport.js和前press.js(node.js的)的安全API的OAuth [英] Make a secure oauth API with passport.js and express.js (node.js)
问题描述
我已经得到我觉得一个具体问题,除非我没有做的事情以正确的方式。
我有2个面,一个客户端(HTML的网站)的应用程序和API(与前preSS + mongodb的构建)。该API将需要被安全地访问。他们都在不同的领域,现在让我们说我的网站上domain.com和我的API是api.com:3000。
我已经添加护照因为我创造我的用户与他们的数据获得从GitHub访问令牌,这样我就可以有一个拍在与Github上基本上是这样。
我现在的流程是:
1)客户(网站),将打开一个弹出式的API
window.open(http://api.com:3000/oauth)
2)的前preSS服务器上,启动过程护照:
app.get('/ OAuth的',passport.authenticate('github上'),功能(REQ,RES){});
有关战略,我用这个code
3)我的回调重定向到关闭弹出一个网址(JavaScript的使用window.close()的):
app.get('/ OAuth的/回调',passport.authenticate('github上',{failureRedirect:'/'}),功能(REQ,RES){
res.redirect('/ auth_close');
});
在这一点上,一切都很好,我现在记录的API中。我的问题是如何将数据返回给客户端,客户端还不知道有关的accessToken,用户或用户ID任何东西。
所以,从客户端(即打开弹出的站点),我尝试了不同的方法:
-
在弹出得到一个值:不会,因为重定向的工作,我失去跟踪弹出的JavaScript的信息
-
打电话给我的API来获取会话中的当前用户,如 http://api.com:3000/current
还有一个要求,不是很理想,但是这一次的工作。不过,我仍然有一个问题。
本/当前网址传回用户,如果我从浏览器访问它,因为浏览器在头请求发送前preSS会话cookie:
<$p$p><$c$c>Cookie:connect.sid=s%3AmDrM5MRA34UuNZqiL%2BV7TMv6.Paw6O%2BtnxQRo0vYNKrher026CIAnNsHn4OJdptb8KqE问题是,我需要从jQuery的或类似的这一要求,而这也正是它失败,因为会话没有发送。因此用户不返回:
app.get('/电流',函数(){
//问题就在这里,req.user是未定义用,因为会话的Ajax调用!
});
我发现使它工作,但我不是很满意,因为我将不得不跨浏览器CORS问题,也加入到前preSS的一种方式:
res.header(访问控制允许的凭据,真);
和加入jQuery的AJAX调用withCredentials领域,因为这里解释。
字段名-fieldValue方法对的地图原生XHR对象上设置。例如,你可以使用它,如果需要withCredentials设置为true跨域请求。
$。阿贾克斯({
网址:a_cross_domain_url,
xhrFields:{
withCredentials:真
}
});
我也不满意这是我失去了我的头通配符:访问控制允许来源,我需要指定一个域,作为解释<一个href=\"https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=HTTP_access_control#Requests_with_credentials\">here.
所以,我不知道我应该采取这里的方法,我唯一需要的是客户越来越要么是的accessToken,或用户ID从护照OAuth的过程中回来了。该想法是使用在每次调用该令牌到API来验证呼叫。
任何线索?
我有同样的问题。我用的是本地策略的登录页面,然后检查是否用户是对其他请求的会话。
正如你所说,该解决方案是为了使用CORS用于在一个cookie的使用XMLHTT prequest传递会话ID。
而不是使用CORS这还没有在所有的工作browswers,我deceided在其他请求使用的访问令牌。我使用的工作流程如下:
POST /登录
- 的用户名和密码获得通过身体。
- 使用本地策略验证。
- 响应返回用户对象,包括的access_token
GET /端点/ ABC123?=的access_token ABCDEFG
- 标记与从登录响应获得
- 使用承载战略(以护照-HTTP-承载)认证
会话。
我希望这有助于替代
I've got I think a specific problem, unless I'm not doing things in the right way.
I've got an application with 2 sides, a client (html site), and an API (built with express + mongodb). The API will need to be securely accessed. They both are on different domains, for now let's say my site is on domain.com and my API is on api.com:3000.
I've added passport to get an access token from Github as I'm creating my users with their data, so I can have a "Sign in with Github" basically.
My current process is:
1) the client (the site), opens a popup on the API
window.open("http://api.com:3000/oauth")
2) The express server, start the passport process:
app.get('/oauth', passport.authenticate('github'), function(req, res) {
});
For the strategy, I used this code.
3) I redirect the callback to a url that closes the popup (javascript with a window.close()):
app.get('/oauth/callback', passport.authenticate('github', { failureRedirect: '/' }), function(req, res) {
res.redirect('/auth_close');
});
At that point, all is fine, I am now logged in the API. My problem is how to get data back to the client, as the client doesn't know anything yet about accessToken, user or user id.
So, from the client (the site that opens the popup), I tried different approaches:
getting a value from the popup: doesn't work because of the redirection, I lose track of the popup javascript information
calling my API to get the "current user" in session, such as http://api.com:3000/current One more request, not ideal, but this one work. However, I still have a problem.
This /current url is returning the user if I reach it from the browser, because the browser send in the header request the express session cookie:
Cookie:connect.sid=s%3AmDrM5MRA34UuNZqiL%2BV7TMv6.Paw6O%2BtnxQRo0vYNKrher026CIAnNsHn4OJdptb8KqE
The problem is that I need to make this request from jquery or similar, and that's where it fails because the session is not sent. So the user is not returned:
app.get('/current', function() {
// PROBLEM HERE, req.user is undefined with ajax calls because of the session!
});
I found a way of making it work but I'm not happy with because I'll have cross-browsers CORS problems, it is adding to express:
res.header("Access-Control-Allow-Credentials", "true");
And add the withCredentials field in a jquery ajax call, as explained here.
A map of fieldName-fieldValue pairs to set on the native XHR object. For example, you can use it to set withCredentials to true for cross-domain requests if needed.
$.ajax({
url: a_cross_domain_url,
xhrFields: {
withCredentials: true
}
});
I am also not happy with this as I'm losing the wildcard on my header: Access-Control-Allow-Origin, I need to specify a domain, as explained here.
So, I'm not sure the approach I should take here, the only thing I need is the client getting either an accessToken, or a userID back from the passport oauth process. The idea is using that token in each call to the API to validate the calls.
Any clue?
I had the same issue. I was using the Local Strategy on the login page, and then checking to see if the user was on the session on other requests.
As you say, the solution is to use CORS in order for the session ID to be passed in a cookie using XMLHTTPRequest.
Instead of using the CORS which does not yet work on all browswers, I deceided to use access tokens on other requests. The workflow I used is as follows:
POST /login
- Username and password get passed in the body.
- Authentication using Local Strategy.
- Response returns the user object, including the access_token
GET /endpoint/abc123?access_token=abcdefg
- Token obtained from the login response
- Authentication using Bearer Strategy (in passport-http-bearer)
Sessions are now not needed in Express.
I hope this alternative helps.
这篇关于制作与passport.js和前press.js(node.js的)的安全API的OAuth的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
