passport.js RESTful auth

by

There are many questions asked here, and it seems that even though the questions are asked in the context of Node and passport.js the real questions are more about workflow than how to do this with a particular technology.

Let’s use @Keith example setup, modified a bit for added security:

  • Web server at https://example.com serves a single page Javascript client app
  • RESTful web service at https://example.com/api provides server support to rich client app
  • Server implemented in Node and passport.js.
  • Server has a database (any kind) with a “users” table.
  • Username/password and Facebook Connect are offered as authentication options
  • Rich client makes REST requests into https://example.com/api
  • There may be other clients (phone apps, for example) that use the web service at https://example.com/api but do not know about the web server at https://example.com.

Note that I’m using secure HTTP. This is in my opinion a must for any service that is available in the open, since sensitive information like passwords and authorization tokens are passing between client and server.

Username/password authentication

Let’s look at how plain old authentication works first.

  • The user connects to https://example.com
  • The server serves a rich Javascript application which renders the initial page. Somehwere in the page there is a login form.
  • Many of the sections of this single page app haven’t been populated with data due to the user not being logged in. All these sections have an event listener on a “login” event. All this is client side stuff, the server does not know of these events.
  • User enters his/her login and password and hits the submit button, which triggers a Javascript handler to record the username and password in client side variables. Then this handler triggers the “login” event. Again, this is all client side action, credentials were not sent to the server yet.
  • The listeners of the “login” event are invoked. Each of these now needs to send one or more requests to the RESTful API at https://example.com/api to obtain the user specific data to render on the page. Every single request they send to the web service will include the username and password, possibly in the form of HTTP Basic authentication, since the service being RESTful isn’t allowed to maintain client state from one request to the next. Since the web service is on secure HTTP the password is safely encrypted during transit.
  • The web service at https://example.com/api receives a bunch of individual requests, each with authentication information. The username and password in each request is checked against the user database and if found correct the requested function executes and data is returned to the client in JSON format. If username and password do not match an error is sent to the client in the form of a 401 HTTP error code.
  • Instead of forcing clients to send username and password with every request you can have a “get_access_token” function in your RESTful service that takes the username and password and responds with a token, which is some sort of cryptographic hash that is unique and has some expiration date associated with it. These tokens are stored in the database with each user. Then the client sends the access token in subsequent requests. The access token will then be validated against the database instead of the username and password.
  • Non browser client applications like phone apps do the same as above, they ask user to enter his/her credentials, then send them (or an access token generated from them) with every request to the web service.

The important take away point from this example is that RESTful web services require authentication with every request.

An additional layer of security in this scenario would add client application authorization in addition to the user authentication. For example, if you have the web client, iOS and Android apps all using the web service you may want the server to know which of the three the client of a given request is, regardless of who the authenticated user is. This can enable your web service to restrict certain functions to specific clients. For this you could use API keys and secrets, see this answer for some ideas on that.

Facebook authentication

The workflow above does not work for Facebook connect because the login via Facebook has a third party, Facebook itself. The login procedure requires the user to be redirected to Facebook’s website where credentials are entered outside of our control.

So let’s see how things change:.

  • The user connects to https://example.com
  • The server serves a rich Javascript application which renders the initial page. Somehwere in the page there is a login form that includes a “Login with Facebook” button.
  • The user clicks the “Login with Facebook” button, which is just a link that redirects to (for example) https://example.com/auth/facebook.
  • The https://example.com/auth/facebook route is handled by passport.js (see the documentation)
  • All the user sees is that the page changes and now they are in a Facebook hosted page where they need to login and authorize our web application. This is completely outside of our control.
  • The user logs in to Facebook and gives permission to our application, so Facebook now redirects back to the callback URL that we configured in the passport.js setup, which following the example in the documentation is https://example.com/auth/facebook/callback
  • The passport.js handler for the https://example.com/auth/facebook/callback route will invoke the callback function that receives the Facebook access token and some user information from Facebook, including the user’s email address.
  • With the email we can locate the user in our database and store the Facebook access token with it.
  • The last thing you do in the Facebook callback is to redirect back to the rich client application, but this time we need to pass the username and the access token to the client so that it can use them. This can be done in a number of ways. For example, Javascript variables can be added to the page through a server-side template engine, or else a cookie can be returned with this information. (thanks to @RyanKimber for pointing out the security issues with passing this data in the URL, as I initially suggested).
  • So now we start the single page app one more time, but the client has the username and the access token.
  • The client application can trigger the “login” event immediately and let the different parts of the application request the information that they need from the web service.
  • All the requests sent to https://example.com/api will include the Facebook access token for authentication, or the application’s own access token generated from Facebook’s token via a “get_access_token” function in the REST API.
  • The non-browser apps have it a bit more difficult here, because OAuth requires a web browser for logging in. To login from a phone or desktop app you will need to start a browser to do the redirect to Facebook, and even worse, you need a way for the browser to pass the Facebook access token back to the application via some mechanism.

I hope this answers most of the questions. Of course you can replace Facebook with Twitter, Google, or any other OAuth based authentication service.

I’d be interested to know if someone has a simpler way to deal with this.

More Related Contents:

  1. Understanding passport serialize deserialize
  2. How to implement a secure REST API with node.js
  3. Redirecting to previous page after authentication in node.js using passport.js
  4. Using PassportJS, how does one pass additional form fields to the local authentication strategy?
  5. No ‘Access-Control-Allow-Origin’ – Node / Apache Port Issue
  6. mongoError: Topology was destroyed
  7. Allow CORS REST request to a Express/Node.js application on Heroku
  8. ERR_HTTP_HEADERS_SENT: Cannot set headers after they are sent to the client
  9. TypeError: db.collection is not a function
  10. passport’s req.isAuthenticated always returning false, even when I hardcode done(null, true)
  11. passport.js passport.initialize() middleware not in use
  12. Error: getaddrinfo ENOTFOUND in nodejs for get call
  13. ReferenceError: describe is not defined NodeJs
  14. Use multiple local strategies in PassportJS
  15. How to setup an authentication middleware in Express.js
  16. Node + Express + Passport: req.user Undefined
  17. Model.find().toArray() claiming to not have .toArray() method
  18. How to authenticate Supertest requests with Passport?
  19. How to know if user is logged in with passport.js?
  20. How is req.isAuthenticated() in Passport JS implemented? [closed]
  21. Proper request with async/await in Node.JS
  22. CORS-enabled server not denying requests
  23. npm ERR cb() never called
  24. Node – was compiled against a different Node.js version using NODE_MODULE_VERSION 51
  25. Socket.IO Authentication
  26. node.js – Is there any proper way to parse JSON with large numbers? (long, bigint, int64)
  27. Expressjs raw body
  28. how to use populate and aggregate in same statement?
  29. node –experimental-modules, requested module does not provide an export named
  30. How do I replace deprecated crypto.createCipher in Node.js?

Leave a Comment