oauthjs / express-oauth-server

Complete, compliant and well tested module for implementing an OAuth2 Server/Provider with express in node.js
MIT License

`/login` and `.token()` usage #79

Open wallzero opened 6 years ago

wallzero commented 6 years ago

Greetings,

Excellent work on this project! With the latest oauth2-server I have a working client and password model. I am able to generate and verify user, client, and token credentials.

My last step is creating a login page and redirect flow. I am attempting to use express-oauth-server. Now, the example given contains a TODO:

// Post login.
// (Example from the express-oauth-server README; `util` must be required and the
//  template is rendered through `res`, which the README snippet omitted.)
var util = require('util');

app.post('/login', function(req, res) {
  // @TODO: Insert your own login mechanism.
  if (req.body.email !== 'thom@nightworld.com') {
    return res.render('login', {
      redirect: req.body.redirect,
      client_id: req.body.client_id,
      redirect_uri: req.body.redirect_uri
    });
  }

  // Successful logins should send the user back to /oauth/authorize.
  var path = req.body.redirect || '/home';

  // Query values are encoded so a redirect_uri containing '&' or '?' survives intact.
  return res.redirect(util.format('/%s?client_id=%s&redirect_uri=%s', path,
    encodeURIComponent(req.query.client_id), encodeURIComponent(req.query.redirect_uri)));
});

This example seems to expect the express middleware to verify the credentials? Following other users examples, I am instead verifying user/client credentials in the model (getClient, getUser); not express middleware.

So alternatively I am trying to use the provided token() method. For example:

import {Express} from 'express';
import settings from '../settings';
import {expressOAuthServer} from './auth';

export default function (app: Express) {
  app.post(
    '/login',
    (request, _response, next) => {
      request.body.client_id = '';
      request.body.client_secret = '';
      request.body.redirect_uri = '';
      request.body.grant_type = '';
      request.body.scope = '';

      next();
    },
    expressOAuthServer.token()
  );
}

Authentication works, and a token is generated. After using token(), though, I am given a token in the response body but without a redirect. How exactly is the client supposed to get the token? Here it seems to redirect if the response contains a 302; but if I set a 302 in my response, new Response(res) seems to reset it back to a 200. .token() also doesn't redirect back to /login on a failed attempt.

So instead I am using expressOAuthServer.server.token(req, res).then((val) => {/* handle token */}), which is more manual. It seems wrong. I feel like I am missing something obvious in how I am using express-oauth-server and am hoping someone can give me a couple of working examples. Thanks!

jhunexjun commented 1 year ago

Is this fixed already? I am using password grant. We have the same issues and actually encountered different issues, but this is just one. For all the issues I encountered, I dealt with them by making sure that every method's return value matches the object structure the OAuth2.0 server is expecting from the model. Like:

function getRefreshToken(bearerToken) {
  // more code here: look `bearerToken` up in your token store as `result`
  return {
    refreshToken: result[0].refresh_token,
    refreshTokenExpiresAt: result[0].expires_at,
    // scope: result[0].scope,  // optional.
    client: { id: result[0].client_id }, // with 'id' property
    user: { id: result[0].user_id },
  };
}

You can add more as the docs say, but the minimum should be met.

Also, you do not have to modify anything in the response because express-oauth-server will take care of it. router.post('/', app.oauth2.token()); is just enough.

By the way I'm using express-oauth-server version ^2.0.0.