Make a secure oauth API with passport.js and express.js (node.js)


I had the same issue. I was using the Local Strategy on the login page, and then checking to see if the user was on the session on other requests.

As you say, the solution is to use CORS in order for the session ID to be passed in a cookie using XMLHTTPRequest.

Instead of using CORS, which does not yet work on all browsers, I decided to use access tokens on other requests. The workflow I used is as follows:

POST /login
  • Username and password get passed in the body.
  • Authentication using Local Strategy.
  • Response returns the user object, including the access_token.

GET /endpoint/abc123?access_token=abcdefg

  • Token obtained from the login response
  • Authentication using Bearer Strategy (in passport-http-bearer)

Sessions are now not needed in Express.

I hope this alternative helps.


Before configuring anything in the Express app, use the following (exactly the same) to set the response headers for cross-domain requests:

```javascript
app.use(function (req, res, next) {
  // Allow the browser to send cookies (the session ID) with cross-origin requests.
  res.header('Access-Control-Allow-Credentials', true);
  // Reflects whatever Origin the request carried; combined with the header above,
  // this grants credentialed access to every origin, not just your own front-end.
  res.header('Access-Control-Allow-Origin', req.headers.origin);
  res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
  res.header('Access-Control-Allow-Headers', 'X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept');
  if ('OPTIONS' == req.method) {
    // Preflight request: answer with the headers above and no body.
    res.send(200); // res.sendStatus(200) is the Express 4 spelling
  } else {
    next();
  }
});
```
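The same cross-domain middleware with an origin allow-list in place of reflecting `req.headers.origin`, as an added example that is not part of the answer above. Reflecting the origin while also sending `Access-Control-Allow-Credentials: true` lets any site make requests that carry the user's session cookie; checking the origin against a fixed set keeps the credentialed behaviour for your own front-ends only. The allowed origins, the `corsAllowList` name and the fake response helper used to exercise it are constructed for this example; the middleware keeps the Express `(req, res, next)` shape so `app.use(corsAllowList())` is the real wiring.

```javascript
// Added example (not from the answer above): CORS middleware with an origin
// allow-list instead of echoing req.headers.origin. Origins are constructed.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',   // constructed: the front-end that calls this API
  'https://admin.example.com', // constructed
]);

// Express-style middleware; only needs res.setHeader/statusCode/end, so it can
// be exercised without express. Use with: app.use(corsAllowList())
function corsAllowList(allowed = ALLOWED_ORIGINS) {
  return function (req, res, next) {
    const origin = req.headers.origin;
    if (origin && allowed.has(origin)) {
      res.setHeader('Access-Control-Allow-Origin', origin);
      res.setHeader('Access-Control-Allow-Credentials', 'true');
      // Vary: Origin stops a cache from serving one origin's ACAO header to another.
      res.setHeader('Vary', 'Origin');
      res.setHeader('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
      res.setHeader('Access-Control-Allow-Headers',
        'X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept');
    }
    // Preflight is answered either way; a non-listed origin gets no ACAO header,
    // so the browser blocks the actual request without the server seeing it.
    if (req.method === 'OPTIONS') {
      res.statusCode = 204;
      res.end();
      return;
    }
    next();
  };
}

// Minimal stand-in for an Express response, for running the middleware offline.
function fakeResponse() {
  const headers = {};
  return {
    headers,
    statusCode: 200,
    ended: false,
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    end() { this.ended = true; },
  };
}

// Run the middleware for one constructed request and report what it decided.
function simulate(method, origin, allowed) {
  const req = { method, headers: origin ? { origin } : {} };
  const res = fakeResponse();
  let reachedNext = false;
  corsAllowList(allowed)(req, res, () => { reachedNext = true; });
  return {
    acao: res.headers['access-control-allow-origin'] || null,
    credentials: res.headers['access-control-allow-credentials'] || null,
    status: res.statusCode,
    reachedNext,
    ended: res.ended,
  };
}
```

A same-origin or server-to-server request carries no Origin header and still reaches `next()`; only the cross-origin browser case is gated, which is exactly the case the cookie-bearing session needs protecting in.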