
seneca-auth's Issues

Seneca-google-auth is outdated and broken

Examples do not work out-of-box.

The build fails due to the ursa v0.8.0 dependency (which cannot be built).

Previous versions fail too.
Seneca-auth 0.4.0 has google-auth embedded (i.e. not yet a separate plugin).

That is why, with older versions of seneca-auth, the seneca-google-auth plugin fails because it cannot find the "register_service" command.

Add support for token based Auth in addition to cookie

Add support for token based Auth

At the moment seneca-auth supports only a cookie(session) based authentication scheme. In order to support API-Only servers for native mobile apps (which is a common use-case in the Hapi world), seneca-auth should ideally support at least one additional token based scheme.

This can be implemented using Hapi's chained strategies like so:

server.auth.strategy('session', 'cookie', cookie_auth_opts)
server.auth.strategy('token', 'bearer-access-token', token_auth_opts)
server.auth.default({
  strategies: ['token', 'session']
})

In the above chained case, Hapi would first look for the specified token in the header, and if not found would then look for a cookie. The seneca login token can be used as the bearer token and as normal for session management.

Setting chained strategies as default would mean that endpoints that must not be restricted such as /auth/login should have auth set to false on the route options.

If we do want to take this forward, I've taken a brief look at the necessary changes - it looks like in addition to the small changes to seneca-auth, I believe we would need the following minor changes:

1) minor changes to auth-token-cookie to add and register the chained strategy.
2) One liner change to seneca-web (line 452)

add the || part to pass auth=false to the route config - like so:

if ((routespecs.auth && routespecs.auth !== 'none') || (routespecs.auth === false)) {
  hapi_route.config.auth = routespecs.auth

  console.log('modified seneca-web...:', hapi_route)
  internals.server.route(hapi_route)
  done()
}
3) One liner change to seneca-local-auth (hapi-local-auth.js line 23)

add auth:false to avoid the default chained strategy from applying to the login route like so:

map: {
  login: { GET: true, POST: true, data: true, auth: false, alias: options.urlpath.login }
}

If we do want to take this forward and you are OK with the changes in principle, I'm happy to make the proposed changes and submit the relevant PRs.
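The chained lookup this proposal describes, as an added example that is not part of the issue, of seneca-auth or of hapi: two strategies are tried in order, the first one that validates the seneca login token wins, and a route configured with auth:false skips the check. The token store, the request shape and the cookie parser are assumptions.

```javascript
// Added example, not seneca-auth or hapi code: models hapi trying the
// default strategies in order ('token' first, then 'session'). The first
// strategy that validates wins; a route with auth:false skips the check.
// ACTIVE_LOGINS is a constructed stand-in for seneca's login entities.
const ACTIVE_LOGINS = new Map([
  ['tok-constructed-1', 'd66znz'], // login token -> user id (constructed)
]);

function lookupLogin(token) {
  const user = ACTIVE_LOGINS.get(token);
  return user ? { user, token } : null;
}

// Minimal Cookie header parser: "a=1; seneca-login=tok" -> { a: '1', ... }
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// Each strategy returns credentials or null (null = "let the next one try").
const strategies = {
  // bearer-access-token: the seneca login token in "Authorization: Bearer ..."
  token(req) {
    const m = /^Bearer\s+(\S+)$/i.exec(req.headers.authorization || '');
    return m ? lookupLogin(m[1]) : null;
  },
  // cookie: the same token carried in the seneca-login cookie
  session(req) {
    const tok = parseCookies(req.headers.cookie)['seneca-login'];
    return tok ? lookupLogin(tok) : null;
  },
};

// req.headers uses lower-case names, as Node's http module delivers them.
function authenticate(req, route, order = ['token', 'session']) {
  if (route.auth === false) return { status: 200, strategy: null, credentials: null };
  for (const name of order) {
    const credentials = strategies[name](req);
    if (credentials) return { status: 200, strategy: name, credentials };
  }
  return { status: 401, strategy: null, credentials: null };
}
```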

Logout doesn't seem to be working

Tested with user-accounts example.

After logging in, 'seneca-login' cookie is created and /auth/instance returns:

{
  "user": {
    "nick": "u1",
    "email": "[email protected]",
    "name": "nu1",
    "when": "2013-08-28T10:36:48.615Z",
    "id": "d66znz",
    "accounts": [
      "kge3gz"
    ],
    "entity$": {
      "base": "sys",
      "name": "user"
    }
  },
  "login": {
    "0": "r",
    "1": "o",
    "2": "l",
    "3": "e",
    "4": ",",
    "5": "c",
    "6": "m",
    "7": "d",
    "entity$": "-/sys/login",
    "role": "user",
    "cmd": "login",
    "nick": "u1",
    "email": "u1",
    "password": "u1",
    "user": "d66znz",
    "when": "2013-08-28T10:41:54.003Z",
    "active": true,
    "why": "password",
    "token": "b778b2ae-d717-4ca7-a5ac-53e00a3d493d",
    "id": "b778b2ae-d717-4ca7-a5ac-53e00a3d493d"
  }
}

After logging out, the cookie still exists, /account is still accessible and /auth/instance returns:

{
  "user": {
    "nick": "u1",
    "email": "[email protected]",
    "name": "nu1",
    "when": "2013-08-28T10:36:48.615Z",
    "id": "d66znz",
    "accounts": [
      "kge3gz"
    ],
    "entity$": {
      "base": "sys",
      "name": "user"
    }
  },
  "login": {
    "0": "r",
    "1": "o",
    "2": "l",
    "3": "e",
    "4": ",",
    "5": "c",
    "6": "m",
    "7": "d",
    "entity$": "-/sys/login",
    "role": "user",
    "cmd": "login",
    "nick": "u1",
    "email": "u1",
    "password": "u1",
    "user": "d66znz",
    "when": "2013-08-28T10:41:54.003Z",
    "active": false,
    "why": "password",
    "token": "b778b2ae-d717-4ca7-a5ac-53e00a3d493d",
    "id": "b778b2ae-d717-4ca7-a5ac-53e00a3d493d",
    "ended": 1377686639718
  }
}

Could not find any {role:'user', get:'user'} action

Hi, I am trying to make the latest version of seneca-auth work with seneca-google-auth.

So far I get the following error:
No matching action pattern found for { role: 'user', get: 'user', google_id: '3495723894534' }

But i could not find such action in seneca-user plugin.

Any hints where to look for it?

Update package on npm

Currently, 0.2.14 is on npm, but the current master is 0.4.0. Does that need to be updated?

these are not plugins

https://github.com/rjrodger/seneca-auth/blob/0.5.0/auth.js#L9

please do not make these plugins - they are simple utilities
please change them to be plain node modules
please also change the names - the seneca- prefix is special and denotes a plugin

also note that seneca plugins are not normally used in this manner; they are not normally required directly into a plugin - seneca plugins should normally be added from the top level only via seneca.use

Chairo + Auth are broken

@geek Updated to Chairo 2.0, now none of my auth stuff is working, detail below,

Message: seneca: Action role:web failed: Unknown authentication strategy session in /auth/logout.

Code: act_execute

Details: { id: 'u80225qqhsi5/bmob22drdesd',
 gate: false,
 ungate: true,
 desc: undefined,
 cb: [Function: noop],
 fn: { [Function: web_use] validate: { use: {}, config: {}, plugin: {} } },
 time: { start: 1454783485508 },
 'orig$': [Error: Unknown authentication strategy session in /auth/logout],
 'message$': 'Unknown authentication strategy session in /auth/logout',
 message: 'Unknown authentication strategy session in /auth/logout',

If I remove the auth stuff chairo works as expected, so I think the issue is either in seneca-web or the auth related plugins. @mirceaalexandru has a number of branches outstanding for seneca-auth-*.

Some combination of branches has worked but now I can't be sure. Can we get some eyes on this as priority? This is my script,

'use strict'

module.exports = (opts, server, done) => {
  var seneca = server.seneca
    //.use('user') // Note: swap this out for local concorda
    //.use('auth', {restrict: '/api'})
    .use('stats', {collector: true})
    .use('toolbag-stats')
    .use('influx-stats-store', {influx: {host: '192.168.99.100'}})

  seneca.act({
    role: 'user',
    cmd: 'register',
    name: opts.admin.name,
    email: opts.admin.email,
    password: opts.admin.password
  })

  seneca.ready(() => {
    seneca.log.info('hapi', server.info.port)
    server.start(done)
  })
}

Note: By commenting out the lines above chairo works but now I am missing my auth. Also I'm not using Concorda in this instance, it's just auth, user, and local login.

Message: seneca: No matching action pattern found for register_service

I was trying to run the examples of the different authentications strategies and both the github and the facebook ones gave the following error (I will post the facebook one, the one from the github example is identical but with github as service name):

Message: seneca: No matching action pattern found for { role: 'auth', cmd: 'register_service', service: 'facebook', plugin: { name: 'facebook', _verify: [Function], _oauth2: { _clientId: '359534030912271', _clientSecret: 'MYCLIENTSECRET', _baseSite: '', _authorizeUrl: 'https://www.facebook.com/dialog/oauth', _accessTokenUrl: 'https://graph.facebook.com/oauth/access_token', _accessTokenName: 'access_token', _authMethod: 'Bearer', _customHeaders: {}, _useAuthorizationHeaderForGET: false }, _callbackURL: 'http://localhost:3000/auth/facebook/callback', _scope: undefined, _scopeSeparator: ',', _state: undefined, _key: 'oauth2:www.facebook.com', _trustProxy: undefined, _passReqToCallback: undefined, _skipUserProfile: false, _clientSecret: 'MYCLIENTSECRET', _enableProof: undefined, _profileURL: 'https://graph.facebook.com/me', _profileFields: null }, conf: { appId: '359534030912271', appSecret: 'MYCLIENTSECRET', urlhost: 'http://localhost:3000' } }, and no default result provided (using a default$ property).
Thank you, Agustin.

examples folder

create an examples folder showing some of the use-cases
place each one in a separate sub-folder
e.g.

examples/simple - plain local username/password
examples/twitter - local + twitter
examples/multiple - local + twitter + facebook + linkedin
examples/ldap - uses ldap for user passwords
etc.

Returning a 401 for restricted GET requests

seneca-auth currently only returns a 401 for restricted requests that have a 'content-type' header which starts with 'application/json;'

I'd like to get a 401 response from GET requests sent by angular's $http service, but these don't include a content-type header (and it seems that the convention is to not include this header with GET requests in general).

Headers can be manually specified for requests:

$http.get('url', {headers: {'content-type': 'application/json'}})

but angular actually strips out the content-type header if no data is included with the request (see line 6633).

As a workaround, I'm using the longhand syntax for GET requests and including an empty data parameter:

$http({method: 'GET', url: 'url', data: '', headers: {'content-type': 'application/json'}})

or to achieve the same thing for all GET requests:

app.config(function ($httpProvider) {
  $httpProvider.defaults.headers.get = $httpProvider.defaults.headers.get || {};
  $httpProvider.defaults.headers.get['content-type'] = 'application/json';
});

Failed to encode cookie error when using Hapi 13

Debug: internal, implementation, error 
    Error: Failed to encode cookie (seneca-login) value: Password string too short (min 32 characters required)
    at /Users/mcdonnelldean/repos/vidi-dashboard/node_modules/hapi/node_modules/statehood/lib/index.js:436:34
    at /Users/mcdonnelldean/repos/vidi-dashboard/node_modules/hapi/node_modules/hoek/lib/index.js:850:22
    at doNTCallback0 (node.js:407:9)

Use code as asserter

Would anyone oppose a refactor to rely on code expects rather than assert in all the tests?

(I volunteer for the change and PR)

Do not send token in cmd_create_reset action response

The reset token should not be part of a non-restricted HTTP response.

The reset token should be sent by e-mail to the recipient, for example, using a custom client implementation that is not part of this module's features.

So create_reset_token will be able to create the token using seneca-user but not send it in the response.

@rjrodger , @geek , @mihaidma - opinions about this?
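The change this issue proposes, as an added example that is not part of the issue or of seneca-auth: the create_reset reply as described today (reset entity, token included, returned to the client) next to a hardened handler that hands the token to a delivery hook and returns no field derived from it. createResetViaSenecaUser and the reset entity shape are assumptions standing in for the seneca-user call.

```javascript
// Added example, not seneca-auth code: the create_reset reply as the issue
// describes it (reset entity, token included, returned to the client) next
// to a hardened handler that hands the token to a delivery hook only.
// createResetViaSenecaUser stands in for the seneca-user call (assumption).
function createResetViaSenecaUser(nick) {
  // Constructed result; seneca-user's real reply shape is not shown on the page.
  return {
    ok: true,
    reset: { nick, user: 'd66znz', token: 'constructed-reset-token', id: 'constructed-reset-token', active: true },
  };
}

// Current behaviour: the whole reset entity goes back in the HTTP response.
function cmdCreateResetLeaky(nick) {
  return createResetViaSenecaUser(nick);
}

// Hardened: the token reaches the user only through deliver() (e-mail in the
// issue's suggestion); the HTTP response carries nothing derived from it.
function cmdCreateResetHardened(nick, deliver) {
  const res = createResetViaSenecaUser(nick);
  if (!res.ok) return { ok: false };
  deliver(res.reset.nick, res.reset.token);
  return { ok: true };
}

// Deep scan of a response body for a secret, so an id field that mirrors
// the token (as the login entity shown in the logout issue does) is caught too.
function bodyContains(body, secret) {
  if (body === secret) return true;
  if (body && typeof body === 'object') return Object.values(body).some((v) => bodyContains(v, secret));
  return false;
}
```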

seneca auth not redirecting in Hapi

Hi,
I am trying to get the redirects working in Hapi, but it seems to return the callback rather than the HTTP redirect, and the URL shows localhost:10000/auth/login

{"http$":{"status":301,"redirect":"/"}}

options.js

module.exports = {
  secure: true,
  restrict: '/api',
  server: 'hapi',
  strategies: [
    {
      provider: 'local'
    }
  ],
  redirect: {
    always: true,
    win: '/',
    fail: '/',
    restrict: '/',

    login:         { win: '/', fail: '/#' },
    logout:        { win: '/login', fail: '/#' },
    register:      { win: '/login', fail: '/#' },
    reset_create:  { win: '/', fail: '/' },
    reset_load:    { win: '/', fail: '/' },
    reset_execute: { win: '/', fail: '/' },
    confirm:       { win: '/', fail: '/' }
  }
}

Am I doing it wrong? I supposed it would be a similar approach to using Express, but it seems more complicated than I thought.

Is this module alive?

I'm facing the same problem as in #20 and there is no answer for any open issues. Is this module going to be fixed/maintained?
