jaredhanson / passport-local

Username and password authentication strategy for Passport and Node.js.
https://www.passportjs.org/packages/passport-local/?utm_source=github&utm_medium=referral&utm_campaign=passport-local&utm_content=about
MIT License

Authentications by API Rest not working #110

Closed poliveira89 closed 9 years ago

poliveira89 commented 9 years ago

Disclaimer: I am developing a distributed system with IAM delivered by an API, where the authentication part is built around passport-local and other providers.

So, while using Express 4.x and Routers for a modular structure, at some point I have a file where I declare a new Router, initialize the Strategy, and combine them to deliver my service, like this:

var LocalStrategy = require('passport-local').Strategy;

var strategy = new LocalStrategy({
        passReqToCallback: true,
        session: false
    },
    function(request, username, password, done) {
        User.findOne({ username: username }, function(err, user) {
            if (err) { return done(err); }   // database error: fail the strategy
            /* verify if user exists */
            /* verify if is valid */

            return done(null, user);
        });
    });

/* ... */

passport.use(strategy);
router.post('/login', passport.authenticate('local'), handler.login);

So, supposedly, after I hit /login the server will run passport.authenticate('local') and, if successful, execute handler.login. Which it does not!

After passport.authenticate('local') executes successfully, I receive an HTTP 500 without a body (NOTE: every 500 I deliver contains additional data/context). And I know it does not reach handler.login because the first thing that should be executed there is a console.log('breakpoint'), and that is never printed.

So why is passport delivering this "empty" response?

poliveira89 commented 9 years ago

After some time debugging, found out this message on the response:

Error: Failed to serialize user into session

As I understand it, this is for the "session" handling. If I have disabled it, why does this happen? Should I still [de-]serialize the user object? Why?

poliveira89 commented 9 years ago

I fixed it by moving session: false from the Strategy constructor to the authenticate argument, like this:

router.post('/login', passport.authenticate('local', { session: false }), handler.login);

And then I started reading data from the original request by pulling information from request.user, which is passed on to handler.login.

And I'm not sure if I'm doing it right, but I will only apply passport.authenticate(...) to /login for every provider that I make available per Express router.

And every other resource will have a "middleware" that checks whether it contains the Token delivered in an HTTP header. PS: the Token is created in handler.login.