ciaranj / connect-auth Goto Github PK

I'm trying to use connect-auth for Facebook and Twitter auth:

.use(c_auth({strategies:[ c_auth.Twitter({consumerKey: keys.twitterConsumerKey, consumerSecret: keys.twitterConsumerSecret}),
    c_auth.Facebook({appId : keys.fbId, appSecret: keys.fbSecret, scope: "email", callback: keys.fbCallbackAddress})],
    trace: true,
    logoutHandler: require('../node_modules/connect-auth/lib/events').redirectOnLogout("/"),
    firstLoginHandler: firstLoginHandler
}))

The problem is, if user authenticates with one strategy (say, FB) and then tries to authenticate with another (Twitter) - connect-auth returns true for the second strategy even if user not even logged in into the service.

It doesn't matter which strategy is first, the second one always breaks after the first one.

I'm using the authentication middleware from one of your examples:

exports.auth_middleware= function auth_middleware(){
  return function(req, res, next) {
    var urlp= url.parse(req.url, true)
    if( urlp.query.login_with ) {
      req.authenticate([urlp.query.login_with], function(error, authenticated) {
        if( error ) {
          // Something has gone awry, behave as you wish.
          console.log( error );
          res.end();
        } else {
          if( authenticated === undefined ) {
            // The authentication strategy requires some more browser interaction, suggest you do nothing here!
          }
          else {
            // We've either failed to authenticate, or succeeded (req.isAuthenticated() will confirm, as will the value of the received argument)
            console.log('from auth:', req.isAuthenticated(), authenticated);
            next();
          }
      }});
    } else {
      next();
    }
  }
};

How do I fix this?

I'm getting this error a lot when oauth validation fails for one reason or another. I think it's due to an upgrade in Express. I can fix this myself, but wondering if anyone knows when/why it started happening, and how to fix it idiomatically wrt the rest of this package?

Will Google be added to the list anytime soon?
or has somebody got this working with Google authentication?

What do you think about these comments from:
http://stackoverflow.com/questions/3498005/user-authentication-libraries-for-node-js/4975745#4975745

"… [connect-auth breaks] the very powerful and easy to read onion-ring architecture of connect. A no-go - my opinion :). …
It must use next() because thats the idea behind connect. Connect has a layer-architecture / form of code structure. And every layer has the power to stop the request execution by not calling next(). If we are talking about authentication: An authentication layer will check if the user has the correct permissions. If everything is fine the layer calls next(). If not this auth-layer generates an error and will not call next()

"

Strong words and I am just really interested to find out if you had any defense/reason as to why this is the case, or plans to refactor?

Thanks heaps :D

Any plans to add openid support? I'll help if I can, but I'm busy for the next few weeks!

Hi

When I try to run node test_oauth_client.js, everyhting starts up fine.
$ node test_oauth_client.js

24 Oct 23:08:04 - oauth : { _requestUrl: 'http://localhost:3000/oauth/request_token'
, _accessUrl: 'http://localhost:3000/oauth/access_token'
, _consumerKey: 'JiYmll7CX3AXDgasnnIDeg'
, _consumerSecret: 'mWPBRK5kG2Tkthuf5zRV1jYWOEwnjI6xs3QVRqOOg'
, _version: '1.0A'
, _authorize_callback: 'http://localhost:3000/oauth/callback'
, _signatureMethod: 'HMAC-SHA1'
, nonceSize: 32
, headers:
{ Accept: '/'
, Connection: 'close'
, 'User-Agent': 'Node authentication'
}
}

But when I try to access it thro URL, it gives me this in the URL value
http://localhost:3000/oauth/authorize?oauth_token=undefined

And I see in my logs
{ lastAccess: 1287958084173
, oauth_token_secret: undefined
}

What am I missing here? I am trying to be an oauth provider for my site.

Thanks,
Sanjib

I'm getting this error a lot when oauth validation fails for one reason or another. I think it's due to an upgrade in Express. I can fix this myself, but wondering if anyone knows when/why it started happening, and how to fix it idiomatically wrt the rest of this package?

Twitter just changed the way they do permissions and in the app settings you have to specifically authorize access for "direct messages". Normally you don't have to change anything to your app's code, but there is an issue where the new DM permissions are not authorized when the old authorization URL is called: http://twitter.com/oauth/authenticate.

This gets fixed when the newer "http://twitter.com/oauth/authorize" is being called. I recommend we make this change to the twitter auth strategy too. (Line 65, auth.strategies/twitter.js)

I'm currently trying to get connect-auth to work together nicely with connect-mongodb to store the sessions. I'm working with a dual facebook/custom login system. Connect-auth works wonderfully for both when the sessions are stored in the default memory store.

However when I switch over to connect-mongodb as the session store the facebook auth strategy works fine however my custom form based strategy fails. Is there any known reason for this?

If the client sends:

Host: example.com:80

The signature will be incorrect on the server side.

It would be cool if there was a module like this for node, which makes using bcrypt really easy:

https://github.com/codahale/bcrypt-ruby

Developers* who use express would be very happy if this were built in somehow.

Cheers,
David

*me

Hi,

I've got issue with basic strategy. After req.logout() calling req.authenticate() automatically logs mi in (without prompting for password). This happens for me in my project and also in example connect-auth provides. I have node 0.4.11 and latest version of connect-auth.

I could get the facebook, yahoo and twitter auth stuff working but cant seem to get facebook working.

I get the following error

TypeError: Object [object Object] has no method 'getAuthorizeUrl'
at [object Object]. (/usr/local/lib/node/.npm/connect-auth/0.1.3/package/lib/auth.strategies/facebook.js:59:35)
at next (/usr/local/lib/node/.npm/connect-auth/0.1.3/package/lib/strategyExecutor.js:49:37)
at [object Object].authenticate (/usr/local/lib/node/.npm/connect-auth/0.1.3/package/lib/strategyExecutor.js:55:10)
at IncomingMessage.authenticate (/usr/local/lib/node/.npm/connect-auth/0.1.3/package/lib/auth.js:91:31)
at Object. (/home/sanjib/raptive/trunk/raptive/tests/unit/app.js:50:9)
at pass (/home/poushali/.node_libraries/connect/middleware/router.js:65:27)
at Object.router as handle
at next (/home/poushali/.node_libraries/connect/index.js:241:23)
at next (/home/poushali/.node_libraries/connect/index.js:188:17)
at pass (/home/poushali/.node_libraries/connect/middleware/router.js:78:17)

Did any of you find the same issue with facebook?

There is a problem when I'm using express and connect-auth and install both of them with ndistro. connect-auth overrides express' original link in the lib/node folder, so that express cannot be found anymore: http://img.ly/2rdH

"Express Facebook example (with additional cunning sign in page redirect logic)"

Needs ?method=facebook added to var fbCallbackAddress= "" comment.

Presently, it reads:
// this could point to your /signin page

Should read:
// this could point to your /signin?method=facebook page

In the signin route, it will always fail, because Facebook isn't returning the "method" URL variable.

Hi, the fallowing code doesnt work, (response from FB doesnt authenticate), when I go to localhost.com:3000 (I have it configured like this in my hosts file) and I get redirected to facebook asking for login, I enter my information and then it returns me to /auth/facebook but req.isAuthenticated() keep returning FALSE.

I do have the correct fbId and secret key. Inf fact its working with mongoose-auth but I really want to get connect-auth working for me.

Thank you in advance for any help!

var fbId= "xxxxxxxxxxxxx";
var fbSecret= "xxxxxxxxxxxxxx";
var fbCallbackAddress= "http://localhost.com:3000/auth/facebook"

var cookieSecret = "node";     // enter a random hash for security

var express= require('express');
var auth = require('connect-auth')
var app = express.createServer();


app.configure(function(){
    app.use(express.cookieParser());
    app.use(express.session({secret: cookieSecret}));
    app.use(auth([
        auth.Facebook({
            appId : fbId, 
            appSecret: fbSecret, 
            callback: fbCallbackAddress, 
            scope: 'email'
        })
    ]));
});


// Method to handle a sign-in with a specified method type, and a url to go back to ...
app.get('/', function(req,res, params) {

  req.authenticate(['facebook'], function(error, authenticated) { 
    
    console.log('STATUS: ' + authenticated);
        
    if (authenticated ) {
      console.log('AUTHENTICATED');
    }
    else {      
     console.log('NOT AUTHENTICATED');
    }
    
   });
});

app.get('/auth/facebook', function(req,res) {
    console.log(req.isAuthenticated());
});
app.listen(3000);

pls rename lib/auth.js to lib/index.js

I see that package.json specifies lib/auth.js as the main file but this breaks when using connect-auth without a package manager

Right now the code looks like this:

self.provider.previousRequestToken(requestParameters['oauth_consumer_key'], function(err, result) {

But previousRequestToken in the example provider looks like this:

OAuthDataProvider.prototype.previousRequestToken = function(token, callback) {
  for(var key in this.oauth_previous_users_request_tokens) {
    if( this.oauth_previous_users_request_tokens[key] && this.oauth_previous_users_request_tokens[key].token == token ) {
      callback(new Error("Previously used token"));
      return;
    }
  }  
  callback(null, token);
}

It's checking the value of token, which definitely is not the oauth_consumer_key, it's the oauth_token. The code on line 89 of _oauthservices.js needs to use oauth_token otherwise people could resubmit request tokens for access token generation.

using the example twitter app, and express 2.0.0 and connect-auth 0.2.2

var twitterConsumerKey= 'MYKEY';
var twitterConsumerSecret= 'MYSECRET';
var express= require('express');
var connect= require('connect');
var auth= require('connect-auth');
var app = express.createServer();
app.configure(function(){
app.use(connect.cookieParser());
app.use(connect.session({ secret: 'foobar' }));
app.use(auth( [
 auth.Twitter({consumerKey: twitterConsumerKey, consumerSecret:    twitterConsumerSecret})]) );
});
app.get('/', function(req, res){
    req.authenticate(['twitter'], function(error, authenticated) {
        res.send('Hello World: ' + JSON.stringify( req.session.auth.user ) );
    });
});
app.listen(8080);

I'm getting the following from node 0.4.2:

http.js:521
    throw new Error("Can't use mutable header APIs after sent.");
          ^
Error: Can't use mutable header APIs after sent.
    at ServerResponse.getHeader (http.js:521:11)
    at ServerResponse.header  /home/vince/.node_libraries/.npm/express/2.0.0/package/lib/response.js:226:17)
    at ServerResponse.send  (/home/vince/.node_libraries/.npm/express/2.0.0/package/lib/response.js:65:17)
    at /tmp/app2.js:16:9
    at /home/vince/.node_libraries/.npm/connect-auth/0.2.2/package/lib/index.js:95:41
    at next (/home/vince/.node_libraries/.npm/connect- auth/0.2.2/package/lib/strategyExecutor.js:45:39)
    at [object Object].pass (/home/vince/.node_libraries/.npm/connect-auth/0.2.2/package/lib/authExecutionScope.js:18:3)
    at [object Object].halt (/home/vince/.node_libraries/.npm/connect-auth/0.2.2/package/lib/authExecutionScope.js:15:8)
    at [object Object].redirect (/home/vince/.node_libraries/.npm/connect-auth/0.2.2/package/lib/authExecutionScope.js:23:8)
    at /home/vince/.node_libraries/.npm/connect-auth/0.2.2/package/lib/auth.strategies/twitter.js:65:16

Hi there,

I've got node v0.4.10 and npm 1.0.13 and I've got it installed thru npm - npm install -g connect-auth.
Got into /usr/local/lib/node_modules/connect-auth

When I try make I get:
connect-auth (master) $ make /bin/sh: ./support/expresso/bin/expresso: No such file or directory make: *** [test] Error 127

Turns out that npm doesn't install any support dir.
So I cloned it from git, but expresso is empty... as well as oauth.

Then I tried the example:
connect-auth (master) $ node examples/app.js Caught exception: Error: EACCES, Permission denied at HTTPServer._doListen (net.js:1100:5) at net.js:1071:14 at Object.lookup (dns.js:153:45) at HTTPServer.listen (net.js:1065:20) at Object.<anonymous> (/usr/local/lib/node_modules/connect-auth/examples/app.js:122:8) at Module._compile (module.js:402:26) at Object..js (module.js:408:10) at Module.load (module.js:334:31) at Function._load (module.js:293:12) at Array.<anonymous> (module.js:421:10)

Please, let me know what I can check, install do?
npm ls shows I've got all dependancies.

connect.router modifies req.url, so when the digest auth strategy does var href=req.url and then uses href in constructing HA2 it is using a different url path than the client used, resulting auth always failing.

this is particularly the case if you do server.use('/api', connect.router(routes)); and then attempt to use digest auth in the routes.

a solution would be to use the uri component of the authorization header, which reflects what the client used.

So, i get redirected to github which redirects back to my auth callback which redirects to the page the user wanted. yay. but then this page redirects back to gh =( i dont understand why that would happen. the same code runs on 0.2.5 / 0.2.6 without issue.

Hi. First, thanks for the module. I upgrade to node v0.4.2 and when I run the example I get an error that says :

node.js:116
throw e; // process.nextTick error, or 'error' event on first tick
^
Error: socket hang up
at Client. (http.js:1502:26)
at Client.emit (events.js:42:17)
at Array. (net.js:800:12)
at EvenEmitter._tickCallback (node.js:108:26)

It also happen in my app. Is there a solution?

the following code fails with Error: Can't set headers after they are sent.

app.get '/auth', (req, res) ->
  req.authenticate ['github'], (error, authenticated) ->
    if authenticated
      res.render 'auth/accepted', user: req.getAuthDetails().user
    else
      res.render 'auth/denied'

this is because the req.authenticate callback gets called even if connect-auth has already decided to do a redirect (and end()-ed the output stream). thus, the subsequent render in the callback causes issues

personally, i would not expect the callback to be called if connect-auth is doing a redirect

Hi,

How do you configure the callback url for twitter authentication when using connect-auth? For Facebook connect there is a parameter which you specify when creating the auth strategy object. However, I don't see anything similar for twitter authentication.

~ Baradas

Can you make this tiny change, so it would be possible to do:
require('support/connect-auth');

Thanks!

I could not find current License for this module anywhere?

is it MIT license like all other node modules seem to be?

Hey guys,

Is anyone working on Paypal authentication? Could be something I'm interested in doing too :)

Here are the links to the docs:
https://www.x.com/community/ppx/authentication
https://www.x.com/community/ppx/permissions

Cheers :)

Hi,
I've tried out your examples and Twitter works great! ( thank you for this )

However, Facebook example is not working,

I am receiving "undefined" for authenticated argument found at https://github.com/ciaranj/connect-auth/wiki/Express---Facebook-example-(with-additional-cunning-sign-in-page-redirect-logic)

I am using node.js 4.10 and Express.js 2.4.3

May I know if the example not working now? or am i missing something?

thanks and best regards.

The _oauthstrategies.js is a bit too strict.
requestToken method expects oauth_callback to be set and fails if it is not.
accessToken method expects oauth_verifier to be set and fails if it is not.
2-Legged OAuth and 3-Legged OAuth work if this requirement is removed.

I can't seem to get connect-auth to work at all. It just spits out an error saying, "Object # has no method 'authenticate'".

Using [email protected] and [email protected] from npm. Is there any known issues with those versions?

Here's the code;

express = require('express');
auth = require('connect-auth');
fb = require('./fb_creds.js');
app = express.createServer();

app.configure(function(){
    app.use(app.router);
    app.use(auth([
        auth.Facebook({
            appId : fb.id
            , appSecret: fb.secret
            , scope : 'email'
            , callback: fb.callback
        })
    ]));
});

app.get('*', function(req,res) {
    req.authenticate(['facebook'], function(error, authenticated) {
        console.log('It isn\'t even getting this far... :(');
    });
});

app.listen(8080);

connect-auth doesn't declare any dependencies (ie oauth, connect) in its package.json

it seems to work for me, but I'm not sure how... it doesn't work for my buddy (same version of node 0.4.7 and npm 1.0.6)

shouldn't the success method in authExecutionScope.js set the authenticated property to true?

AuthExecutionScope.prototype.success= function(user, callback) {
this.executionResult.user= user;
this.halt(callback);
};

How does one access the authenticated property?

Is it a good idea to add a simple plain text strategy? So all login method can use the same middleware. Or I have to use another auth module to login local users and mimic the interface of connect-auth.
SSL redirect option maybe needed for this strategy. :)

Thanks

Hi,
Is it currently possible to pass display parameters to the Facebook OAuth dialog using the current library?

Hi,
I've modified a little bit Express Facebook example to work with Google2, but it doesn't work and returns no error. To be precise, the code below returns: {"scopedUsers":{}} null

...
            express.cookieParser(),
            express.session({ secret: 'session secret' }),
            auth([
                auth.Google2({appId : "appId", appSecret: "appsecret", scope: "email", callback: "https://domain/users"})
            ]),
...
api.get('/users', function(req, res){
    req.authenticate([req.param('method')], function(error, authenticated) {
    if(authenticated) {
      res.end("<html><h1>Hello Google user:" + JSON.stringify( req.getAuthDetails() ) + ".</h1></html>")
    }
    else {
      res.end(JSON.stringify(req.getAuthDetails())+' '+JSON.stringify(error));
    }
   });
});
api.get('/somepage', function(req, res){
  var sign_in_link= "/users?method=google2&redirectUrl=" + escape(req.url);
  if( req.isAuthenticated() ) {
    res.end('<html><body><h1>Signed in with Google</h1></body></html>')
  }
  else {
    res.end('<html><body><a href="'+ sign_in_link + '">Sign in with Google</a></body></html>')
  }
});
...

I've also tried modifications from here: #70 but it doesn't work either.

I can authenticate resources within my app with FB/Twitter using Connect-Auth, but now how do I access my feeds post authentication ? Do i use the node-auth library separately to do this?

A couple of questions around this :

1. How do I get hold of the access tokens for twitter/FB post authentication?
2. When placing a normal http.request will the authenticated header get appended on to the request or do I need to use the node-auth api to place a request to fetch data? If so, where do I get a handle of the access tokens (see 1)?

Should the additions to the session be partitioned by some kind of service identifier? For instance, if I authenticate against both Twitter and Facebook, won't the user data in the session be overwritten?

commit 1e99df6 appears to have fixed the install error but unfortunately connect-auth hasn't published an updated package for npm to fetch. installing from source works, but npm could really use an updated version for general consumption.

% npm install connect-auth
npm info it worked if it ends with ok
npm info using [email protected]
npm WARN not supported on [email protected] connect-auth
npm WARN connect-auth supported engines: undefined
npm WARN not supported on [email protected] connect-auth
npm WARN connect-auth supported engines: undefined
npm WARN not supported on [email protected] connect-auth
npm WARN connect-auth supported engines: undefined
npm WARN not supported on [email protected] connect-auth
npm WARN connect-auth supported engines: undefined
npm WARN not supported on [email protected] connect-auth
npm WARN connect-auth supported engines: undefined
npm WARN not supported on [email protected] connect-auth
npm WARN connect-auth supported engines: undefined
npm WARN not supported on [email protected] connect-auth
npm WARN connect-auth supported engines: undefined
npm ERR! Error: [email protected] not compatible with your version of node
npm ERR! Requires: node@
npm ERR! You have: [email protected]
npm ERR! at /usr/local/Cellar/npm/0.2.3/libexec/lib/install.js:173:32
npm ERR! at c (/usr/local/Cellar/npm/0.2.3/libexec/lib/cache.js:47:12)
npm ERR! at /usr/local/Cellar/npm/0.2.3/libexec/lib/cache.js:54:5
npm ERR! at /usr/local/Cellar/npm/0.2.3/libexec/lib/utils/read-json.js:148:11
npm ERR! at /usr/local/Cellar/npm/0.2.3/libexec/lib/utils/read-json.js:58:32
npm ERR! at P (/usr/local/Cellar/npm/0.2.3/libexec/lib/utils/read-json.js:40:40)
npm ERR! at cb (/usr/local/Cellar/npm/0.2.3/libexec/lib/utils/graceful-fs.js:28:9)
npm ERR! at fs:84:13
npm ERR! at node.js:768:9
npm ERR! npm install
npm ERR! npm install
npm ERR! npm install
npm ERR! npm install
npm ERR! npm install @
npm ERR! npm install @
npm ERR! npm install @
npm ERR!
npm ERR! Can specify one or more: npm install ./foo.tgz bar@stable /some/folder
npm ERR! Installs '.' if no argument supplied
npm ERR! try running: 'npm help install'
npm ERR! Report this entire log at http://github.com/isaacs/npm/issues
npm ERR! or email it to [email protected]
npm not ok

It seems, that /auth/twitter_callback can't write headers because it depends on Connect.session(), which write headers itself.

Am i right?

I am getting this error trying to start up my server.js.

It seems like we need to declare connect as dependency in package.json so that npm can install connect-auth correctly

The example does not seem to be working.

res.send('Hello World: ' + JSON.stringify( req.session.auth.user ) );

This line returns a null session.

How can I retrieve the access token via the Facebook Strategy, is it not exposed somehow?

https://github.com/ciaranj/connect-auth/blob/master/lib/auth.strategies/http/http.js#L10 -> Http object
https://github.com/ciaranj/connect-auth/blob/master/lib/auth.strategies/http/basic.js#L10 -> Basic object
https://github.com/ciaranj/connect-auth/blob/master/lib/auth.strategies/http/base.js#L5 -> Base object

etc, etc, etc. Requiring this do awful mess in global object. Are these globals needed somewhere?

undefined isn't valid JSON and as such can't be stored in JSON compatible stores like MongoDB.

In addition, null is the appropriate value to be used when an attribute is valid, but explicitly not set to a usable value.

undefined means that it's never been set.

Hi, noticing some issues with the logging out example. After logging out, I still seem to be logged in. Steps to recreate:

goto /, see message 'unauthenticated'
goto /auth/basic, see login prompt, login, see authenticated message
goto /, see message 'authenticated'
goto /logout, get redirected to /, see unauthenticated message
goto /auth/basic, see authenticated message
goto /, see authenticated message

Robbie

When using Express, connect-auth only works by doing:

var app = express.createServer(
  ...
  auth( [
    auth.Twitter({consumerKey: TWITTER_CONSUMER_KEY, consumerSecret: TWITTER_CONSUMER_SECRET})        
  ])
);

But not when using the Express app.use thingies:

app.configure(function(){
  ...
  app.use(auth( [
    auth.Twitter({consumerKey: TWITTER_CONSUMER_KEY, consumerSecret: TWITTER_CONSUMER_SECRET})        
  ]))
});

I am unable to connect using facebook using the example in the wiki (it sends me through the facebook connect path but ends on "Facebook authentication failed :(").

I would log this as a bug, but after checking npm, it looks like it was last updated in march (almost 3 mths ago). Perhaps it is time to push an updated version out to npm (if things are mostly stable?) ?

Thanks,
Rob