I’m having trouble with passport.js using the local strategy. I have 2 specific problems:
- I am not getting persistent sessions to work with example code (see
below) for the most basic case. - I want to go sessionless. For the
most basic case, on login, I’ll pass in a username + password that
provides me with a session token, on regular requests I’ll use this
session token hashed with some other stuff to authenticate. Is this
easily done with passport? It seems like passport doesn’t offer much in this case and that cooking up my own solution is easier- just login/logout with standard checks, and then a middleware that unhashes request tokens to verify requests. Easy cheezy?
Problem 1:
Using the reference code from the library:
https://github.com/jaredhanson/passport-local/blob/master/examples/login/app.js
I do a series of commands to show logged out vs logged in:
A. check /account, not logged in
curl -v localhost:3000/account
As expected I get a redirect to /login
<p>Moved Temporarily. Redirecting to <a href="http://localhost:9292/login">http://localhost:3000/login</a></p>
B. login
curl -v -d "username=bob&password=secret" http://127.0.0.1:3000/login
Also as expected, I get a redirect to /
<p>Moved Temporarily. Redirecting to <a href="http://127.0.0.1:3000/">http://127.0.0.1:3000/</a></p>
C. check /account, logged in
curl -v localhost:3000/account
What the hell???
<p>Moved Temporarily. Redirecting to <a href="http://localhost:9292/login">http://localhost:3000/login</a></p>
In the case of 1, session support requires cookies to be configured on your server side and used by your user agent. Typically this is a browser, which will will transmit the cookies in each request, and the server uses them to restore your login state.
However, the curl commands you are using won’t transmit cookies, so each request looks “new” to the server, which is why you see the redirect to login each time. I suspect if you try the same requests in a browser, this will work as expected.
As for 2, I’d need a few more details to suggest a good solution. If you are using HTML and web browsers to access your site, you’re going to end up needing something like sessions. You could transmit this info in query parameters each time, rather than cookies, but you’ll end up rebuilding a lot of what Express/Connect provides out of the box.
In any case, if you choose to go down that route, Passport provides a clean interface to implement your own authentication strategies. You’ll simply need to parse the request for the relevant credentials and look up a user in your database.
API clients are different, and I’d suggest taking a look at Passport’s OAuth support, which provides easy ways to authenticate access tokens that are associated with a specific client.