jaredhanson / passport

Simple, unobtrusive authentication for Node.js.
https://www.passportjs.org?utm_source=github&utm_medium=referral&utm_campaign=passport&utm_content=about
MIT License

Improve Passport support for API servers (i.e. avoid unnecessary [client-side] request redirections) #339

Open almeidap opened 9 years ago

almeidap commented 9 years ago

I have been reviewing authentication & authorization solutions for my AngularJS application, which talks to the server through a REST API. I found two interesting candidates:

Why not use the best of both worlds, Satellizer for client-side authentication and Passport for backend token exchange and API requests authorization? Because Passport needs to be decoupled from any unnecessary client redirection.

I believe that the effort to refactor Passport and keep backwards compatibility would be minimal. Decoupling Passport from the client would allow nice integration with 3rd-party libraries (see an example below) as requested by some other users (https://github.com/jaredhanson/passport/issues/334, https://github.com/jaredhanson/passport/issues/318, https://github.com/jaredhanson/passport/issues/336, ...).

Satellizer and Passport integration?

After digging into the source code, I found that passport-oauth2 expects the auth code to be present as a query param in the callback URL (https://github.com/jaredhanson/passport-oauth2/blob/master/lib/strategy.js#L140):

if (req.query && req.query.code) { ... }

Satellizer can call the same callback URL but uses POST and body data (https://github.com/sahat/satellizer/blob/master/satellizer.js#L494), which imho is a clean way to delegate access token retrieval by the server.

It would be awesome if this access token exchange logic could be extracted as another Passport middleware, i.e.:

app.post('/auth/facebook/callback', passport.exchange(
    'facebook',
    { session: false },
    function(req, res, err, accessToken, profile, info) {
        ...
    }
));

passport.exchange(...) would be responsible for retrieving the auth code from the request (using query params or body data), exchanging it for an access token and fetching user profile data.
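The middleware shape proposed above, as an added example that is not code from Passport, passport-oauth2 or Satellizer: it reads the authorization code from either the POST body (Satellizer-style) or the query string (redirect-style), exchanges it through a pluggable provider, and hands the outcome to the caller's callback. The names `exchange`, `provider.exchangeCode`, `fakeProvider` and `runExchange` are assumptions, and the provider is a constructed offline stand-in for a real token endpoint.

```javascript
// Middleware factory modelled on the proposed passport.exchange(...) API (assumed names).
function exchange(provider, options, done) {
  const opts = Object.assign({ session: false }, options || {});
  return function exchangeMiddleware(req, res) {
    // Accept the code from either transport; it is untrusted input either way.
    const fromBody = req.body && req.body.code;
    const fromQuery = req.query && req.query.code;
    const code = fromBody || fromQuery;
    if (typeof code !== 'string' || code.length === 0) {
      return done(req, res, new Error('authorization code missing'));
    }
    provider.exchangeCode(code, function (err, accessToken, profile) {
      if (err) return done(req, res, err);
      done(req, res, null, accessToken, profile, { session: opts.session });
    });
  };
}

// Constructed stand-in for a real OAuth 2.0 token-endpoint exchange so this runs offline.
// Codes are single-use: exchanging the same code twice is rejected, as a real
// authorization server would do.
const fakeProvider = (function () {
  const codes = {
    'code-123': { token: 'tok-abc', profile: { id: '42' } },
    'code-456': { token: 'tok-def', profile: { id: '43' } },
  };
  return {
    exchangeCode: function (code, cb) {
      const entry = codes[code];
      if (!entry) return cb(new Error('invalid or already used code'));
      delete codes[code];
      cb(null, entry.token, entry.profile);
    },
  };
})();

// Runs the middleware against a constructed request object and returns what the
// callback received (the provider above calls back synchronously).
function runExchange(req) {
  let result = null;
  const mw = exchange(fakeProvider, { session: false },
    function (r, s, err, token, profile, info) {
      result = { err: err, token: token, profile: profile, info: info };
    });
  mw(req, {});
  return result;
}
```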

Mirodil commented 9 years ago

+1

farazfazli commented 8 years ago

+1

kevdougful commented 8 years ago

+1

Royedc4 commented 8 years ago

+1

RdeWilde commented 7 years ago

+111