I'm having trouble with passport.js using the local strategy. I have 2 specific problems:
Problem 1:
Using the reference code from the library:
https://github.com/jaredhanson/passport-local/blob/master/examples/login/app.js
I do a series of commands to show logged out vs logged in:
A. check /account, not logged in
curl -v localhost:3000/account
As expected I get a redirect to /login
<p>Moved Temporarily. Redirecting to <a href="http://localhost:9292/login">http://localhost:3000/login</a></p>
B. login
curl -v -d "username=bob&password=secret" http://127.0.0.1:3000/login
Also as expected, I get a redirect to /
<p>Moved Temporarily. Redirecting to <a href="http://127.0.0.1:3000/">http://127.0.0.1:3000/</a></p>
C. check /account, logged in
curl -v localhost:3000/account
What the hell???
<p>Moved Temporarily. Redirecting to <a href="http://localhost:9292/login">http://localhost:3000/login</a></p>
In the case of 1, session support requires cookies to be configured on your server side and used by your user agent. Typically this is a browser, which will transmit the cookies in each request, and the server uses them to restore your login state.
However, the curl commands you are using won't transmit cookies, so each request looks "new" to the server, which is why you see the redirect to login each time. I suspect if you try the same requests in a browser, this will work as expected.
As for 2, I'd need a few more details to suggest a good solution. If you are using HTML and web browsers to access your site, you're going to end up needing something like sessions. You could transmit this info in query parameters each time, rather than cookies, but you'll end up rebuilding a lot of what Express/Connect provides out of the box.
In any case, if you choose to go down that route, Passport provides a clean interface to implement your own authentication strategies. You'll simply need to parse the request for the relevant credentials and look up a user in your database.
API clients are different, and I'd suggest taking a look at Passport's OAuth support, which provides easy ways to authenticate access tokens that are associated with a specific client.
The problem isn't with passport; the curl command needs to store the cookie, so the -c and -b parameters should be used to mimic browser behaviour. From the curl manpage:
curl -b cookies.txt -c cookies.txt www.example.com
What this command does is store cookies in cookies.txt and send cookies, reading them from cookies.txt. This is the way curl mimics the Netscape cookie-jar file format to write and read from.
As for your question per-se, Jared has already answered it!