senecajs / seneca-auth
A Seneca user authentication plugin for Hapi and Express
Home Page: http://senecajs.org
License: MIT License
https://github.com/rjrodger/seneca-auth/blob/0.5.0/auth.js#L25
please use literal "auth". The variable named plugin is confusing as it is not a plugin, just a string; the variable named name is not very unique, and the variable named plugin_name is ugly and too long. js files are so short that traditional rules re constants are not as useful.
Passing an array as the value for the restrict parameter doesn't overwrite the initial value set in auth.js.
There is a branch to be merged:
https://github.com/senecajs/seneca-auth/tree/0.5.0
This branch has also tests.
An old fork with fixes, needed to check if anything useful:
https://github.com/floridemai/seneca-auth/commits/master
A recent fork with linting and Lab, some of it can be reused:
https://github.com/mihaidma/seneca-auth
https://github.com/rjrodger/seneca-auth/blob/0.5.0/auth.js#L194
s/trigger/hook/ as per https://github.com/rjrodger/seneca-transport/blob/master/transport.js#L91
provide aliases for old pattern
facebook callback url times out
https://github.com/rjrodger/seneca-auth/blob/0.5.0/auth.js#L77
s/mapFields/map_fields/
if this was an existing pattern, then add an alias
Currently, 0.2.14 is on npm, but the current master is 0.4.0. Does that need to be updated?
seneca-auth currently only returns a 401 for restricted requests that have a 'content-type' header which starts with 'application/json;'
I'd like to get a 401 response from GET requests sent by angular's $http service, but these don't include a content-type header (and it seems that the convention is to not include this header with GET requests in general).
Headers can be manually specified for requests:
$http.get('url', {headers: {'content-type': 'application/json'}})
but angular actually strips out the content-type header if no data is included with the request (see line 6633).
As a workaround, I'm using the longhand syntax for GET requests and including an empty data parameter:
$http({method: 'GET', url: 'url', data: '', headers: {'content-type': 'application/json'}})
or to achieve the same thing for all GET requests:
app.config(function ($httpProvider) {
  $httpProvider.defaults.headers.get = $httpProvider.defaults.headers.get || {};
  $httpProvider.defaults.headers.get['content-type'] = 'application/json';
});
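The server-side half of the problem in this issue is the rule that decides whether a rejected request gets a JSON 401 or a redirect to the login page. The following is an added example (not seneca-auth's own code) of a decision that looks at both Content-Type and Accept, so a body-less GET from an API client still receives the 401 without the client having to force a Content-Type header. The request and response shapes, the function names, and the sample requests are all assumptions constructed for the example.

```javascript
// Added example, not seneca-auth's own code. Decide how to reject an
// unauthenticated request to a restricted path. Keying this on Content-Type
// alone misses body-less GET requests from API clients; this version also
// looks at Accept. The request shape { method, path, headers } and the
// response shape are assumptions made for the example.
function headerOf(req, name) {
  const headers = req.headers || {};
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key ? String(headers[key]) : '';
}

function isApiRequest(req) {
  const contentType = headerOf(req, 'content-type').toLowerCase();
  const accept = headerOf(req, 'accept').toLowerCase();
  // Match "application/json" with or without parameters such as a charset.
  if (/^application\/json\b/.test(contentType)) return true;
  // A client that asks for JSON and does not accept HTML cannot follow a
  // redirect to an HTML login page, so it gets a 401 instead.
  return accept.includes('application/json') && !accept.includes('text/html');
}

function rejectUnauthenticated(req, loginPath) {
  if (isApiRequest(req)) {
    return {
      status: 401,
      headers: { 'content-type': 'application/json' },
      body: { ok: false, why: 'not-logged-in' },
    };
  }
  // Browser navigation: send the user to the login page.
  return { status: 302, headers: { location: loginPath }, body: null };
}

// Constructed sample requests (not captured traffic).
const samples = {
  // angular's $http.get: no Content-Type, but its default Accept header.
  angularGet: {
    method: 'GET',
    path: '/api/me',
    headers: { accept: 'application/json, text/plain, */*' },
  },
  // A browser navigating to the same path.
  browserGet: {
    method: 'GET',
    path: '/api/me',
    headers: { accept: 'text/html,application/xhtml+xml,*/*;q=0.8' },
  },
  // A JSON POST; the charset parameter must not break the match.
  jsonPost: {
    method: 'POST',
    path: '/api/me',
    headers: { 'Content-Type': 'application/json; charset=utf-8' },
  },
};
```

Header names are compared case-insensitively because Node lower-cases incoming header names while client code often does not; the Content-Type test uses a word boundary so that `application/json; charset=utf-8` matches but a lookalike type does not.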
Hi, I am trying to make the latest version of seneca-auth work with seneca-google-auth.
So far I get the following error
No matching action pattern found for { role: 'user', get: 'user', google_id: '3495723894534' }
But i could not find such action in seneca-user plugin.
Any hints where to look for it?
https://github.com/rjrodger/seneca-auth/blob/0.5.0/auth.js#L176
pass in other objects as parameters
can you use this to create an automated test with a running server
see seneca-web for example of doing this
I was trying to run the examples of the different authentications strategies and both the github and the facebook ones gave the following error (I will post the facebook one, the one from the github example is identical but with github as service name):
Message: seneca: No matching action pattern found for { role: 'auth', cmd: 'register_service', service: 'facebook', plugin: { name: 'facebook', _verify: [Function], _oauth2: { _clientId: '359534030912271', _clientSecret: 'MYCLIENTSECRET', _baseSite: '', _authorizeUrl: 'https://www.facebook.com/dialog/oauth', _accessTokenUrl: 'https://graph.facebook.com/oauth/access_token', _accessTokenName: 'access_token', _authMethod: 'Bearer', _customHeaders: {}, _useAuthorizationHeaderForGET: false }, _callbackURL: 'http://localhost:3000/auth/facebook/callback', _scope: undefined, _scopeSeparator: ',', _state: undefined, _key: 'oauth2:www.facebook.com', _trustProxy: undefined, _passReqToCallback: undefined, _skipUserProfile: false, _clientSecret: 'MYCLIENTSECRET', _enableProof: undefined, _profileURL: 'https://graph.facebook.com/me', _profileFields: null }, conf: { appId: '359534030912271', appSecret: 'MYCLIENTSECRET', urlhost: 'http://localhost:3000' } }, and no default result provided (using a default$ property).
Thank you, Agustin.
this is more secure
Reset token should not be part of a non-restricted HTTP response.
The reset token should be sent on e-mail to the recipient for example, using custom client implementation that is not part of this module feature.
So create_reset_token will be able to create the token using seneca-user but not send it in the response.
If you try to authenticate with Google/Github and the user has the same email on both accounts, the second attempt will fail with a nick-already-exists error.
create github project and npm module
please add me as collaborator and owner
Tested with user-accounts example.
After logging in, 'seneca-login' cookie is created and /auth/instance returns:
{
  "user": {
    "nick": "u1",
    "email": "[email protected]",
    "name": "nu1",
    "when": "2013-08-28T10:36:48.615Z",
    "id": "d66znz",
    "accounts": [
      "kge3gz"
    ],
    "entity$": {
      "base": "sys",
      "name": "user"
    }
  },
  "login": {
    "0": "r",
    "1": "o",
    "2": "l",
    "3": "e",
    "4": ",",
    "5": "c",
    "6": "m",
    "7": "d",
    "entity$": "-/sys/login",
    "role": "user",
    "cmd": "login",
    "nick": "u1",
    "email": "u1",
    "password": "u1",
    "user": "d66znz",
    "when": "2013-08-28T10:41:54.003Z",
    "active": true,
    "why": "password",
    "token": "b778b2ae-d717-4ca7-a5ac-53e00a3d493d",
    "id": "b778b2ae-d717-4ca7-a5ac-53e00a3d493d"
  }
}
After logging out, the cookie still exists, /account is still accessible and /auth/instance returns:
{
  "user": {
    "nick": "u1",
    "email": "[email protected]",
    "name": "nu1",
    "when": "2013-08-28T10:36:48.615Z",
    "id": "d66znz",
    "accounts": [
      "kge3gz"
    ],
    "entity$": {
      "base": "sys",
      "name": "user"
    }
  },
  "login": {
    "0": "r",
    "1": "o",
    "2": "l",
    "3": "e",
    "4": ",",
    "5": "c",
    "6": "m",
    "7": "d",
    "entity$": "-/sys/login",
    "role": "user",
    "cmd": "login",
    "nick": "u1",
    "email": "u1",
    "password": "u1",
    "user": "d66znz",
    "when": "2013-08-28T10:41:54.003Z",
    "active": false,
    "why": "password",
    "token": "b778b2ae-d717-4ca7-a5ac-53e00a3d493d",
    "id": "b778b2ae-d717-4ca7-a5ac-53e00a3d493d",
    "ended": 1377686639718
  }
}
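The two responses show the server-side record being ended (active: false, ended set) while the cookie keeps working, so the cookie lookup is not consulting those fields. The following is an added example (not seneca-auth's code) of a session check that refuses an ended login record, run over the two records from the output above trimmed to the fields the check uses, with the stray "0".."7" keys dropped. The login store, the cookie handling and the timestamp used as "now" are assumptions made for the example.

```javascript
// Added example, not seneca-auth's code: a session check that refuses a login
// record once it has been ended. The two records are taken from the
// /auth/instance output above (trimmed); store shape and cookie handling are
// assumptions.
const TOKEN = 'b778b2ae-d717-4ca7-a5ac-53e00a3d493d';

const loginBeforeLogout = {
  active: true, why: 'password', user: 'd66znz',
  token: TOKEN, id: TOKEN, when: '2013-08-28T10:41:54.003Z',
};
const loginAfterLogout = {
  ...loginBeforeLogout, active: false, ended: 1377686639718,
};

function isLoginUsable(login, now) {
  if (!login || typeof login.token !== 'string') return false;
  if (login.active !== true) return false; // logged out or never activated
  if (typeof login.ended === 'number' && login.ended <= now) return false;
  return true;
}

// Resolve the seneca-login cookie against the login store. A stale cookie
// yields a clear-cookie instruction instead of a user.
function authenticateCookie(cookieToken, logins, now) {
  const login = logins.get(cookieToken);
  if (!isLoginUsable(login, now)) {
    return { authenticated: false, user: null, clearCookie: true };
  }
  return { authenticated: true, user: login.user, clearCookie: false };
}

// Logout ends the record server-side and tells the client to drop the cookie.
function logout(logins, cookieToken, now) {
  const login = logins.get(cookieToken);
  if (login) {
    login.active = false;
    login.ended = now;
  }
  return { clearCookie: true };
}

function demo() {
  const now = 1377686700000; // constructed; later than the "ended" stamp above
  const logins = new Map([[TOKEN, { ...loginBeforeLogout }]]);
  const before = authenticateCookie(TOKEN, logins, now);
  logout(logins, TOKEN, now);
  const after = authenticateCookie(TOKEN, logins, now);
  // The record the page shows after logout must be refused as well.
  const stale = authenticateCookie(TOKEN, new Map([[TOKEN, loginAfterLogout]]), now);
  return { before, after, stale };
}
```

Ending the record on the server is what actually invalidates the session; clearing the cookie is a courtesy to the browser, and a client that keeps presenting the old token still gets `authenticated: false`.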
this is important as you need to handle sub properties
also this is used for all seneca plugins
e.g. https://github.com/rjrodger/seneca-auth/blob/0.5.0/auth.js#L30
https://github.com/rjrodger/seneca-auth/blob/0.5.0/auth.js#L30
Would anyone oppose a refactor to rely on code expects rather than assert in all the tests? (I volunteer for the change and PR)
@geek Updated to Chairo 2.0, now none of my auth stuff is working, detail below,
Message: seneca: Action role:web failed: Unknown authentication strategy session in /auth/logout.
Code: act_execute
Details: { id: 'u80225qqhsi5/bmob22drdesd',
  gate: false,
  ungate: true,
  desc: undefined,
  cb: [Function: noop],
  fn: { [Function: web_use] validate: { use: {}, config: {}, plugin: {} } },
  time: { start: 1454783485508 },
  'orig$': [Error: Unknown authentication strategy session in /auth/logout],
  'message$': 'Unknown authentication strategy session in /auth/logout',
  message: 'Unknown authentication strategy session in /auth/logout',
If I remove the auth stuff chairo works as expected so I think the issue is either in seneca-web or the auth related plugins. @mirceaalexandru has a number of branches outstanding for seneca-auth-*. Some combination of branches has worked but now I can't be sure. Can we get some eyes on this as priority? This is my script,
'use strict'
module.exports = (opts, server, done) => {
  var seneca = server.seneca
    //.use('user') // Note: swap this out for local concorda
    //.use('auth', {restrict: '/api'})
    .use('stats', {collector: true})
    .use('toolbag-stats')
    .use('influx-stats-store', {influx: {host: '192.168.99.100'}})
  seneca.act({
    role: 'user',
    cmd: 'register',
    name: opts.admin.name,
    email: opts.admin.email,
    password: opts.admin.password
  })
  seneca.ready(() => {
    seneca.log.info('hapi', server.info.port)
    server.start(done)
  })
}
Note: By commenting out the lines above chairo works but now I am missing my auth. Also I'm not using Concorda in this instance, it's just auth, user, and local login.
create an examples folder showing some of the use-cases
place each one in a separate sub-folder
e.g.
examples/simple - plain local username/password
examples/twitter - local + twitter
examples/multiple - local + twitter + facebook + linkedin
examples/ldap - uses ldap for user passwords
etc
styling within a module needs to be consistent
( you are free to use your own style in your own modules - e.g. urlmatcher)
https://github.com/rjrodger/seneca-auth/blob/0.5.0/auth.js#L127
please use spaces as follows: if( ... ) {
At the moment seneca-auth supports only a cookie(session) based authentication scheme. In order to support API-Only servers for native mobile apps (which is a common use-case in the Hapi world), seneca-auth should ideally support at least one additional token based scheme.
This can be implemented using Hapi's chained strategies like so:
server.auth.strategy('session', 'cookie', cookie_auth_opts)
server.auth.strategy('token', 'bearer-access-token', token_auth_opts)
server.auth.default({
  strategies: ['token', 'session']
})
In the above chained case, Hapi would first look for the specified token in the header, and if not found would then look for a cookie. The seneca login token can be used as the bearer token and as normal for session management.
Setting chained strategies as default would mean that endpoints that must not be restricted such as /auth/login
should have auth set to false on the route options.
If we do want to take this forward, I've taken a brief look at the necessary changes - it looks like in addition to the small changes to seneca-auth, I believe we would need the following minor changes:
seneca-web (line 452): add the || part to pass auth=false to the route config - like so:
if ((routespecs.auth && routespecs.auth !== 'none') || (routespecs.auth === false)) {
  hapi_route.config.auth = routespecs.auth
  console.log('modified seneca-web...:', hapi_route)
  internals.server.route(hapi_route)
  done()
}
seneca-local-auth (hapi-local-auth.js line 23): add auth:false to avoid the default chained strategy from applying to the login route like so:
map: {
  login: {GET: true, POST: true, data: true, auth: false, alias: options.urlpath.login}
}
If we do want to take this forward and you are ok with the changes in principle, I'm happy to make the proposed changes and submit relevant PRs.
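The behaviour this proposal relies on (bearer token tried first, cookie second, routes marked auth:false skipping the default) can be exercised without a running Hapi server. Below is an added example, not Hapi's or seneca-auth's code, that models that chained lookup in plain JavaScript so the three cases from the proposal can be checked side by side. Hapi's own server.auth.strategy / server.auth.default calls in the post are the real API; the strategy signatures, the login store, the request shape and the sample tokens here are all assumptions made for the example.

```javascript
// Added example, not Hapi's or seneca-auth's code: a model of chained
// strategy lookup (bearer first, cookie second) with route-level auth:false
// bypassing the default. Strategy signatures, store and request shapes are
// assumptions made for the example.
function parseCookies(header) {
  const out = {};
  for (const part of String(header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Each strategy returns credentials, or null for "not presented / not valid".
function bearerStrategy(logins) {
  return (req) => {
    const m = /^Bearer\s+(\S+)$/i.exec(req.headers.authorization || '');
    if (!m) return null;
    const login = logins.get(m[1]);
    return login && login.active ? { user: login.user, via: 'token' } : null;
  };
}

function cookieStrategy(logins, cookieName) {
  return (req) => {
    const login = logins.get(parseCookies(req.headers.cookie)[cookieName]);
    return login && login.active ? { user: login.user, via: 'session' } : null;
  };
}

// route.auth === false skips authentication (the /auth/login case); otherwise
// the strategies are tried in order and the first to yield credentials wins.
function authenticate(req, route, strategies, order) {
  if (route.auth === false) return { status: 200, credentials: null };
  for (const name of order) {
    const credentials = strategies[name](req);
    if (credentials) return { status: 200, credentials };
  }
  return { status: 401, credentials: null };
}

function demo() {
  // Constructed login store: the seneca login token doubles as bearer token.
  const logins = new Map([['tok-abc', { user: 'd66znz', active: true }]]);
  const strategies = {
    token: bearerStrategy(logins),
    session: cookieStrategy(logins, 'seneca-login'),
  };
  const order = ['token', 'session'];
  const apiRoute = { path: '/api/me' };
  const loginRoute = { path: '/auth/login', auth: false };
  const run = (headers, route) => authenticate({ headers }, route, strategies, order);
  return {
    mobile: run({ authorization: 'Bearer tok-abc' }, apiRoute),
    browser: run({ cookie: 'seneca-login=tok-abc' }, apiRoute),
    badToken: run({ authorization: 'Bearer nope', cookie: 'seneca-login=tok-abc' }, apiRoute),
    anonymous: run({}, apiRoute),
    login: run({}, loginRoute),
  };
}
```

In the model an invalid bearer token falls through to the cookie strategy, which is the point of chaining; a deployment that wants a bad bearer token to be a hard failure rather than a fall-through would need a strategy that reports that error instead of returning null.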
Debug: internal, implementation, error
Error: Failed to encode cookie (seneca-login) value: Password string too short (min 32 characters required)
at /Users/mcdonnelldean/repos/vidi-dashboard/node_modules/hapi/node_modules/statehood/lib/index.js:436:34
at /Users/mcdonnelldean/repos/vidi-dashboard/node_modules/hapi/node_modules/hoek/lib/index.js:850:22
at doNTCallback0 (node.js:407:9)
https://github.com/rjrodger/seneca-auth/blob/0.5.0/auth.js#L124
we're changing the conventional name for the input object to msg from args, to more closely align with microservices terminology. please change args to msg throughout the plugin; see seneca 0.6.3 as example
I'm facing the same problem as in #20 and there is no answer for any open issues. Is this module going to be fixed/maintained?
https://github.com/rjrodger/seneca-auth/blob/0.5.0/auth.js#L131
userData -> user_data
please use in all other names as well
Examples do not work out-of-box.
Either build fails due to ursa v0.8.0 dependency (which cannot be built)
Previous versions fail too.
Seneca-auth 0.4.0 has google-auth embedded (i.e. not yet separate plugin)
That is why with older versions of seneca-auth,
seneca-google-auth plugins fails because cannot find "register_service" command
https://github.com/rjrodger/seneca-auth/blob/0.5.0/auth.js#L216
in general avoid callbacks unless there is async work
https://github.com/rjrodger/seneca-auth/blob/0.5.0/auth.js#L229
use form:
seneca.act("role:auth,cmd:map_fields,action:register", {data: args.data}, function (err, details) {
  // ...
})
https://github.com/rjrodger/seneca-auth/blob/0.5.0/auth.js#L9
please do not make these plugins - they are simple utilities
please change them to be plain node modules
please also change the names - the seneca- prefix is special and denotes a plugin
also note that seneca plugins are not normally used in this manner; they are not normally required directly into a plugin - seneca plugins should normally be added from the top level only via seneca.use
(zeno is new seneca kernel for seneca 0.7)
https://github.com/senecajs/zeno/blob/master/package.json#L6
https://github.com/rjrodger/seneca-auth/blob/0.5.0/auth.js#L16
this is not a module require - it is loading data, so needs to be separate and clearly commented
Hi,
I am trying to get the redirects working in Hapi but it seemed to return me the callback rather than the http redirect and the URL is showing localhost:10000/auth/login
{"http$":{"status":301,"redirect":"/"}}
module.exports = {
  secure: true,
  restrict: '/api',
  server: 'hapi',
  strategies: [
    {
      provider: 'local'
    }
  ],
  redirect: {
    always: true,
    win: '/',
    fail: '/',
    restrict: '/',
    login: {win: '/', fail: '/#'},
    logout: {win: '/login', fail: '/#'},
    register: {win: '/login', fail: '/#'},
    reset_create: {win: '/', fail: '/'},
    reset_load: {win: '/', fail: '/'},
    reset_execute: {win: '/', fail: '/'},
    confirm: {win: '/', fail: '/'}
  }
}
Am I doing it wrongly? I supposed it should be a similar approach to using Express but it seems more complicated than I thought.
only call seneca.act within init action (seneca.add("init:auth", ...))
https://github.com/rjrodger/seneca-auth/blob/0.5.0/auth.js#L183
https://github.com/rjrodger/seneca-auth/blob/0.5.0/auth.js#L127
you can say: seneca.add( "role:user,cmd:register", user_data )
as a convenience - the first argument properties will take precedence
because: https://github.com/rjrodger/seneca/blob/master/seneca.js#L1942
another naming convention change to microservices terminology
please use respond instead of done or cb
https://github.com/rjrodger/seneca-auth/blob/0.5.0/auth.js#L168
use done instead of cd for all normal callbacks; more consistent with other plugins
Email addresses are not case sensitive but in seneca-auth, when they are used for registration/login they are treated as if they were. This is a problem because users might forget whether they used an uppercase or not. Same point could be made when using nicknames.
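One way to handle this is to key registration and login lookups on a canonical form of the identifier while keeping the value the user typed for display. The following is an added example, not seneca-auth's or seneca-user's code; the store shape, the function names and the sample users are assumptions made for the example, and it folds the whole address to lower case on the premise stated in the issue that addresses are not case sensitive.

```javascript
// Added example, not seneca-auth's or seneca-user's code: registration and
// lookup keyed on canonical (trimmed, lower-cased) e-mail and nick, so that
// "U1@Example.com" and "u1@example.com" resolve to one account. Store shape
// and names are assumptions; the stored user keeps the e-mail as typed.
function canonicalEmail(email) {
  const s = String(email || '').trim();
  const at = s.lastIndexOf('@');
  if (at < 1 || at === s.length - 1) return null; // needs local part and domain
  return s.toLowerCase();
}

function canonicalNick(nick) {
  const s = String(nick || '').trim().toLowerCase();
  return s.length ? s : null;
}

function createUserStore() {
  return { users: [], byEmail: new Map(), byNick: new Map() };
}

function register(store, { nick, email, name }) {
  const e = canonicalEmail(email);
  const n = canonicalNick(nick);
  if (!e) return { ok: false, why: 'invalid-email' };
  if (!n) return { ok: false, why: 'invalid-nick' };
  if (store.byEmail.has(e)) return { ok: false, why: 'email-exists' };
  if (store.byNick.has(n)) return { ok: false, why: 'nick-exists' };
  const user = { id: 'u' + (store.users.length + 1), nick, email, name };
  store.users.push(user);
  store.byEmail.set(e, user);
  store.byNick.set(n, user);
  return { ok: true, user };
}

// Login lookup: either identifier, case-folded the same way as at registration.
function findUser(store, { nick, email }) {
  if (email !== undefined) return store.byEmail.get(canonicalEmail(email)) || null;
  if (nick !== undefined) return store.byNick.get(canonicalNick(nick)) || null;
  return null;
}

function demo() {
  const store = createUserStore();
  // Constructed users.
  const first = register(store, { nick: 'U1', email: 'U1@Example.COM', name: 'nu1' });
  const dupEmail = register(store, { nick: 'other', email: 'u1@example.com', name: 'x' });
  const dupNick = register(store, { nick: 'u1', email: 'second@example.com', name: 'y' });
  const byEmail = findUser(store, { email: ' u1@EXAMPLE.com ' });
  const byNick = findUser(store, { nick: 'u1' });
  return { first, dupEmail, dupNick, byEmail, byNick };
}
```

Doing the folding in one place, at the index, is what prevents the two failure modes the issue describes: a user locked out by a capitalisation they do not remember, and two accounts created for what is meant to be one identity.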