jaredhanson / passport-local

Username and password authentication strategy for Passport and Node.js.
https://www.passportjs.org/packages/passport-local/?utm_source=github&utm_medium=referral&utm_campaign=passport-local&utm_content=about
MIT License
2.73k stars 498 forks

How to test passport-local with postman #93

Open cloudlena opened 9 years ago

cloudlena commented 9 years ago

Hi all

I've tried to test a route protected with passport-local using Postman. Hitting the route from my browser when logged in, I get a 200, but when I try the same with Postman using the Basic Auth helper or inputting my credentials (email and password) using the header fields or body, I always get a 401. Can you tell me how I have to send my credentials to passport-local from Postman so that I get a 200?

Many thanks, Toby

dustinboston commented 9 years ago

:+1: This is a great question. I'd also like to know the answer.

dustinboston commented 9 years ago

@mastertinner

Try making a POST request to /auth/local. Set the data type to x-www-form-urlencoded. POST the user name and password. The response should include the token.

Next, try making a GET request to /api/users/me (or your protected route), by adding the Authorization header with the value Bearer <token>, where <token> is the value from the first request.

That is maybe working for me, but I'd like somebody else to validate it.

Here's a Postman collection that you can import and try. Don't forget to update the token (marked INSERT_TOKEN_HERE).

GochoMugo commented 9 years ago

@dustinboston making the POST request with Content-type set to x-www-form-urlencoded does succeed.

But where does the <token> come from?

artforlife commented 8 years ago

I am having the same issue. Is there anything else that can be tried? When I try to get the token, I simply get the full HTML of my login page.

jer0dh commented 8 years ago

When I POST the user name and password using passport, it sets up a session which uses cookies. If you use Postman to test, you can see the cookie by installing a separate add-on called the Interceptor. This allows you to see the cookie. Some Postman docs indicate you can 'manage cookies' from Postman, but I just go to Chrome and open chrome://settings/cookies. If I remove the cookie I can see in Postman, my next request to my server will report that I am no longer logged in.
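The session behaviour described above, as an added example that is not part of the thread or of passport-local's own code: a constructed in-memory stand-in for a cookie-session login, showing why Basic Auth gets a 401 while a form-encoded login followed by the returned cookie gets a 200. The `/login` and `/profile` paths, the `sid` cookie name and the sample account are assumptions.

```javascript
// Constructed stand-in for an app that uses passport-local with cookie sessions.
// Not passport's code; /login, /profile, the sid cookie and the account are assumptions.
const { randomBytes } = require('crypto');

const USERS = new Map([['toby@example.com', 'correct horse']]); // toy plaintext store
const sessions = new Map(); // session id -> username

// handle({method, path, headers, body}) -> {status, headers}
function handle(req) {
  if (req.method === 'POST' && req.path === '/login') {
    // Credentials are read only from a form-encoded body, never from Authorization.
    const type = req.headers['content-type'] || '';
    const isForm = type.startsWith('application/x-www-form-urlencoded');
    const form = new URLSearchParams(isForm ? req.body : '');
    const user = form.get('username');
    if (!user || USERS.get(user) !== form.get('password')) return { status: 401, headers: {} };
    const sid = randomBytes(16).toString('hex');
    sessions.set(sid, user);
    return { status: 302, headers: { 'set-cookie': [`sid=${sid}; Path=/; HttpOnly`] } };
  }
  if (req.method === 'GET' && req.path === '/profile') {
    // The protected route looks only at the session cookie.
    const m = /(?:^|;\s*)sid=([0-9a-f]+)/.exec(req.headers.cookie || '');
    return { status: m && sessions.has(m[1]) ? 200 : 401, headers: {} };
  }
  return { status: 404, headers: {} };
}

// Turn Set-Cookie response headers into a Cookie request header (name=value pairs only).
function cookieHeader(setCookies) {
  return (setCookies || []).map((c) => c.split(';')[0]).join('; ');
}

function demo() {
  const creds = { username: 'toby@example.com', password: 'correct horse' };
  const basic = 'Basic ' + Buffer.from(`${creds.username}:${creds.password}`).toString('base64');
  const viaBasicAuth = handle({ method: 'GET', path: '/profile', headers: { authorization: basic } });
  const login = handle({
    method: 'POST', path: '/login',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams(creds).toString(),
  });
  const cookie = cookieHeader(login.headers['set-cookie']);
  const withCookie = handle({ method: 'GET', path: '/profile', headers: { cookie } });
  const withoutCookie = handle({ method: 'GET', path: '/profile', headers: {} });
  return { viaBasicAuth: viaBasicAuth.status, login: login.status,
           withCookie: withCookie.status, withoutCookie: withoutCookie.status };
}

console.log(demo());
```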

mayognaise commented 8 years ago

Here is an example following @dustinboston's awesome answer. (Based on this example app)

First, you log in with a POST request: image

Once login has succeeded, you will get _id as the token.

Then you can do whatever you want with the token: image