hoangvvo / nextjs-mongodb-app

A Next.js and MongoDB web application, designed with simplicity for learning and real-world applicability in mind.
https://nextjs-mongodb.now.sh/
MIT License
1.52k stars, 286 forks

Passport.js + Bearer Token authentication #33

Open MontoyaAndres opened 4 years ago

MontoyaAndres commented 4 years ago

Hey!

I'm curious if you could help by making an example with Passport; maybe this can help you. It's an example from the Hasura community that uses Passport for authentication. I don't know if it is possible to port it to serverless functions with Now.

What do you think?

Also, here's another person implementing Passport with Now. https://todayilearned.io/til/nextjs-with-passport-oauth-cookie-sessions

What I want is to include local authentication, and Google, Facebook, and Twitter authentication as well

JurajJakubov commented 4 years ago

I think it would be nice to upgrade this project to something like this: https://github.com/sahat/hackathon-starter. A lot of new developers like me need guidance like this.

hoangvvo commented 4 years ago

So sorry, I have been busy. This should be possible (even in serverless, by the way we set the middleware up). Will get a PR in asap.

hoangvvo commented 4 years ago

@MontoyaAndres @JurajJakubov #39 should do.

JurajJakubov commented 4 years ago

@hoangvvo Wow. Dreams come true. Thank you very much for this you have no idea how this can help people like me.

MontoyaAndres commented 4 years ago

Wow, thank you! I'm not in favor of sessions; I prefer to send the JWT to the client, and the client will save it in a cookie. This is because I work with React Native and cookies do not exist there... Maybe create another branch or repository where you remove the sessions and use something like this: https://github.com/zeit/next.js/tree/canary/examples/with-cookie-auth. Next.js will take care of saving the JWT to a cookie.

hoangvvo commented 4 years ago

@MontoyaAndres I would not recommend letting the client save it in a cookie. Doing so will force us to turn off the cookie's HttpOnly flag, which will then make it vulnerable to XSS.

Still, if you want to proceed, I'm looking at passport-http-bearer or passport-jwt.

Keep in mind the limitations of JWTs (cannot invalidate, size, "database-is-hit-anyway").

MontoyaAndres commented 4 years ago

Great, I think passport-http-bearer is a nice option for this. I hope you can integrate it, and if I'm not wrong, in the first comment I passed an example using it.

IRediTOTO commented 4 years ago

I want this too. No time to think about this, but I think it can be done with hoangvvo's middleware.

wortkotze commented 4 years ago

Is there any update? I'm adding a React Native option to our PWA and it would be really great if we could use everything there as well, but the current version cannot be used for React Native.