Require Authentication for directory (except one page) with Passport.js / Node.js?

Question

Require Authentication for directory (except one page) with Passport.js / Node.js?

I'm new to using Passport.js, but I find it's going pretty well so far. I'm using Passport with passport-local.

However, I want to require authentication for an entire directory excluding one page. So in my node server I'm serving up this direcory like so (using express):

app.use("/admin", express.static(__dirname + "/admin"));

And then I want to let the user hit /admin/login.html, so I wanted to do something like this:

app.get('/gb-admin/login.html', function(req, res){ });

Then I want to require authentication for the rest, so something like this:

app.get('/gb-admin/*', ensureAuthenticated, function(req, res){});

Here is my ensureAuthenticated function, for reference if it helps:

function ensureAuthenticated(req, res, next) {
  if (req.isAuthenticated()) { return next(); }
  res.redirect('/gb-admin/login.html')
}

How would I go about doing this? I've been generally sending things in infinite loops and causing the browser to timeout. Can anyone help?

javascript
jquery
node.js
authentication
passport.js

Answer 1

I wonder if it is your callback. Try:

app.get('/gb-admin/*', function (req, res, next) {
  ensureAuthentication(req, res, next) {
    if (req.isAuthenticated()) { return next(); }
    res.redirect('/gb-admin/login.html')
  });
});

Answer 2

The reason you're getting timeouts is because you can't have an empty route handler; at one point, you have to either return a response, or hand the request over the the next route handler/middleware.

That said, try this:

function ensureAuthenticated(req, res, next) {
  if (req.path === '/gb-admin/login.html' || req.isAuthenticated()) {
    return next();
  }
  res.redirect('/gb-admin/login.html')
}

app.get('/gb-admin/*', ensureAuthenticated, function(req, res, next) {
  next();
});

// the static middleware needs to be declared after the route above, otherwise
// it will take precedence and ensureAuthenticated will never be called.
app.use("/gb-admin", express.static(__dirname + "/admin"));

I don't think there's a way to get it working with a separate route for the login page (unless you actually implement reading login.html and sending it back from without that routes handler), hence the check for it in the ensureAuthenticated middleware.