Implementing passport-http-bearer token with sails.js Implementing passport-http-bearer token with sails.js express express

Implementing passport-http-bearer token with sails.js


node.js express sails.js passport.js http-token-authentication

We had to implement securing the Sails-based API with bearer tokens recently, and here's what we did (tested with 0.9.x):

1) Connect passport as a custom middleware in config/passport.js (or it can be config/express.js, depending on your taste):

/** * Passport configuration */var passport = require('passport');module.exports.express = {  customMiddleware: function(app)  {    app.use(passport.initialize());    app.use(passport.session());  }};

2) Secure necessary controllers/actions with a policy in config/policies.js:

module.exports.policies = {  // Default policy for all controllers and actions  '*': 'authenticated'};

3) Create the policy that checks the bearer in api/policies/authenticated.js:

/** * Allow any authenticated user. */var passport = require('passport');module.exports = function (req, res, done) {  passport.authenticate('bearer', {session: false}, function(err, user, info) {    if (err) return done(err);    if (user) return done();    return res.send(403, {message: "You are not permitted to perform this action."});  })(req, res);};

4) Define the bearer strategy for passport in services/passport.js (or wherever else you find it more appropriate for your specific application):

var passport = require('passport'),  BearerStrategy = require('passport-http-bearer').Strategy;/** * BearerStrategy * * This strategy is used to authenticate either users or clients based on an access token * (aka a bearer token).  If a user, they must have previously authorized a client * application, which is issued an access token to make requests on behalf of * the authorizing user. */passport.use('bearer', new BearerStrategy(  function(accessToken, done) {    Tokens.findOne({token: accessToken}, function(err, token) {      if (err) return done(err);      if (!token) return done(null, false);      if (token.userId != null) {        Users.find(token.userId, function(err, user) {          if (err) return done(err);          if (!user) return done(null, false);          // to keep this example simple, restricted scopes are not implemented,          // and this is just for illustrative purposes          var info = { scope: '*' }          done(null, user, info);        });      }      else {        //The request came from a client only since userId is null        //therefore the client is passed back instead of a user        Clients.find({clientId: token.clientId}, function(err, client) {          if (err) return done(err);          if (!client) return done(null, false);          // to keep this example simple, restricted scopes are not implemented,          // and this is just for illustrative purposes          var info = { scope: '*' }          done(null, client, info);        });      }    });  }));

This way you'll be able to access the API by having your bearer in the Authorization header: Bearer 8j4s36....

In this example a separate server was used to request/issue tokens, but you might as well do it within the same app (then you'll have to apply the policy to selected controllers only).

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last