jaredhanson / passport-github

GitHub authentication strategy for Passport and Node.js.
https://www.passportjs.org/packages/passport-github/?utm_source=github&utm_medium=referral&utm_campaign=passport-github&utm_content=about
MIT License

Add support to white list GitHub accounts that belong to a particular organisation #50

Closed aruizca closed 9 years ago

jaredhanson commented 9 years ago

That would be authorization related, not authentication related, correct? I consider this out of scope of passport.

aruizca commented 9 years ago

I'd like to disallow authentication for GitHub users that are not public members of a particular organisation. So prior to performing authentication I'd check if the user belongs to that organization via the API:

https://api.github.com/users/:username/orgs

The org name would be provided as an optional parameter:

new passportGithub({
      clientID: auth.github.clientId,
      clientSecret: auth.github.clientSecret,
      callbackURL: app.locals.baseUrl + '/auth/github/callback',
      organisation: 'whatever'   // proposed option: only members of this org may log in
    }, verify)                   // verify callback as usual

I could provide a PR.

aruizca commented 9 years ago

The use case is the following: we have a wiki engine called Jingo that we would like to use for our organisation. This wiki has GitHub authentication and we would like to leverage that. This wiki is using this passport module. The problem is that anyone with a GitHub account would be able to edit the wiki and we don't want that. Only public members of our GitHub organisation should be able to do that.

jaredhanson commented 9 years ago

Authorization can be done in separate middleware, after authentication.

app.get('/login/github/callback',
  passport.authenticate('github'),                // authentication: who is this?
  function authorizeOnlyWhitelistOrgs(req, res, next) {
    // authorization: req.user is whatever the verify callback passed to done(),
    // so it must have been populated with the user's organization there
    if (req.user.organization !== 'whatever') {
      return res.status(403).send('Unauthorized'); // 403, not a 200 with an error body
    }
    next();
  },
  ...
aruizca commented 9 years ago

I think you are right. That way the organization members can be public or private. Thanks heaps!
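The thread settles on "authenticate first, authorize in a separate step". One detail worth pinning down is where that step runs: once `passport.authenticate('github')` succeeds, Passport has already called `req.logIn` and established a session before the next middleware sees the request, so a middleware that merely responds with an error leaves the non-member logged in for any route that only checks `req.isAuthenticated()`. The example below is an added illustration, not code from passport-github or from Jingo: it performs the organisation check inside the strategy's verify callback, so that a non-member is failed with `done(null, false)` and never gets a session. It also uses the token-authenticated `GET /user/memberships/orgs/{org}` endpoint, which sees private memberships as well (the token needs the `read:org` scope), rather than the unauthenticated `/users/:username/orgs` from the issue, which lists only public members. The names `ALLOWED_ORG`, `isOrgMember`, `makeVerify`, `configure`, `githubGet` and `fakeGitHub` are this example's own; the `FAKE_MEMBERSHIPS` table is constructed sample data so the code runs offline (Node 18+ for the global `fetch`).

```javascript
// Added example, not part of passport-github or the Jingo wiki: gate a GitHub login on
// membership in one organisation. The membership check runs inside the strategy's verify
// callback, so a non-member is rejected before Passport establishes a session.
// ALLOWED_ORG, githubGet, isOrgMember, makeVerify, configure and fakeGitHub are hypothetical
// names belonging to this example, not to the library.

const ALLOWED_ORG = 'whatever'; // hypothetical org slug, as used in the issue

// Real transport: call the GitHub REST API with the user's OAuth access token.
// Needs Node 18+ for the global fetch. Returns { status, body }.
async function githubGet(path, accessToken) {
  const res = await fetch(`https://api.github.com${path}`, {
    headers: {
      Authorization: `Bearer ${accessToken}`,
      Accept: 'application/vnd.github+json',
      'User-Agent': 'org-gate-example',
    },
  });
  const body = await res.json().catch(() => null);
  return { status: res.status, body };
}

// Is the token's owner an active member of `org`?
// GET /user/memberships/orgs/{org} is evaluated with the user's own token, so private
// memberships count too (the token needs the read:org scope). The unauthenticated
// /users/:username/orgs endpoint from the issue only lists public memberships.
// `request` is injectable so the logic can be exercised offline.
async function isOrgMember(accessToken, org, request = githubGet) {
  const { status, body } = await request(`/user/memberships/orgs/${encodeURIComponent(org)}`, accessToken);
  if (status === 404) return false;                 // not a member, or org hidden from this token
  if (status !== 200) throw new Error(`GitHub API returned HTTP ${status}`);
  return body !== null && body.state === 'active';  // a 'pending' invitation is not membership
}

// passport-github verify callback factory. done(null, false) makes passport.authenticate
// fail the request (failureRedirect) without creating a session; an API error is passed
// as err so it surfaces as a server error rather than a silent allow or deny.
function makeVerify(org, request = githubGet) {
  return function verify(accessToken, refreshToken, profile, done) {
    isOrgMember(accessToken, org, request).then(
      (member) => member
        ? done(null, { id: profile.id, username: profile.username, org })
        : done(null, false, { message: `not an active member of ${org}` }),
      (err) => done(err),
    );
  };
}

// Express wiring (hypothetical helper; app, passport, GitHubStrategy and auth come from the caller).
function configure(app, passport, GitHubStrategy, auth) {
  passport.use(new GitHubStrategy({
    clientID: auth.github.clientId,
    clientSecret: auth.github.clientSecret,
    callbackURL: app.locals.baseUrl + '/auth/github/callback',
    scope: ['read:org'],          // needed to see private org memberships
  }, makeVerify(ALLOWED_ORG)));
  app.get('/auth/github', passport.authenticate('github'));
  app.get('/auth/github/callback',
    passport.authenticate('github', { failureRedirect: '/login?denied=org' }),
    (req, res) => res.redirect('/'));
}

// Constructed offline stand-in for the GitHub API, keyed by access token.
const FAKE_MEMBERSHIPS = {
  'tok-alice': { status: 200, body: { state: 'active', role: 'member' } },   // active member
  'tok-bob':   { status: 200, body: { state: 'pending', role: 'member' } },  // invited, not accepted
  'tok-carol': { status: 404, body: { message: 'Not Found' } },              // not a member
  'tok-bad':   { status: 401, body: { message: 'Bad credentials' } },        // API/token failure
};
async function fakeGitHub(path, accessToken) {
  if (path !== `/user/memberships/orgs/${ALLOWED_ORG}`) return { status: 404, body: null };
  return FAKE_MEMBERSHIPS[accessToken] || { status: 401, body: { message: 'Bad credentials' } };
}

// Run the verify callback against the stand-in and report each outcome.
async function demo() {
  const verify = makeVerify(ALLOWED_ORG, fakeGitHub);
  const run = (token, username) => new Promise((resolve) =>
    verify(token, undefined, { id: username, username }, (err, user, info) =>
      resolve({ username, allowed: !!user, error: err ? err.message : null, info: info ? info.message : null })));
  return {
    alice: await run('tok-alice', 'alice'),
    bob: await run('tok-bob', 'bob'),
    carol: await run('tok-carol', 'carol'),
    mallory: await run('tok-bad', 'mallory'),
  };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)), (e) => { console.error(e); process.exitCode = 1; });
```

If you keep the post-authentication middleware layout from the thread instead, remember that the session already exists by the time your check runs: end it (Passport's `req.logout`) before responding, otherwise the denied user stays authenticated on every other route. Note also that the check as written treats an API failure as an error, not as a denial; that is deliberate, so an outage cannot be mistaken for "not a member" and quietly lock everyone out without a trace in the logs.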