stormpath / express-stormpath Goto Github PK

Currently, express-stormpath outputs raw error pages when something happens. From what I can see, it's output a lot of res.send(400) or res.send(500) on "human facing" pages. I can understand for an API route, but for a page that a user can see, having a 400 Bad request is less than desired.

My take on this would be to add a template for errors and use it to render them properly.

We saw this when accessing an account verification link twice, which is not really an edge case. In this case, it could also be useful to having the error message to let the user know what is going on.

Do you already have plans for this problem or should I go ahead and try to fix this?

Like the auto-login feature post-registration when the verification flow is disabled, we would like to have a similir functionnality post-password change. From a UX perspective, it makes little sense to have a auto-login at the registration but not at after the password reset.

I would like very much to add this (fully optional) feature to the lib.

What do you think? I would probably have a PR tomorrow.

If you hit an endpoint that requires the Stormpath application, and it has not yet been fetched from the a API, you'll git a bad reference exception.

We want to make two improvements:

• Have an async getter (promise?) for the application reference, and send down a 500 error if the reference isn't available yet
• Provide an .on('ready') type of handler that a user can use, if they want to wait for stormpath to be ready before they bootstrap their server

For example:

https://github.com/stormpath/stormpath-express/blob/master/lib/helpers.js#L176

That will always evaluate to true, even if I define false in the opts object

The unauthorized page is not passing app to locals variables which makes it unaccessible in the template. This part is useful to pass shared variables to the templates. It crashes if your base template is using #{app.get(...)}. One way to fix it would be to set the app before each helpers.render(req.app.get('stormpathUnauthorizedView'), res); or create something like helpers.renderUnauthorizedView which would do it internally.

As discussed in #20, express-stormpath should also provide a password change page. This should be almost the same as the password reset one, but instead of verifying a token, the current password should be provided. This page should only be accessible by authenticated users. I think it should also be possible to configure whether or not you should sign in again after the password change. Either way, all other sessions (or all sessions in case of a log out after the change) should be nuked to prevent unauthorized access from another computer/browser.

We are most likely going to tackle this problem in our app in the next two weeks and since this is a generic thing, I think it should go in express-stormpath.

Thoughts?

Hi,

I am trying to use the stormpath-express SDK, but for some reason the request body(on a POST request) goes away thus making the SDK incompatible with baucis(which adds on to Express.js and allows regular Express middleware)

I looked at the code that's doing the initializing of the stormpath SDK but I couldn't figure out why the request data is getting lost along the way before its passed to the appropriate baucis controller (controllers translate into Express 4 Routes)

I'm guessing it might be an issue with the body-parser middleware, but I would really appreciate it if you can take a look and see if you can find what the problem might be.

p.s. If you want me to I can also create a repo with a simple baucis app which reproduces this issue.

We don't have any post registration stuff available for social.

Maybe I'm doing something really dumb, but I've spent some time banging my head against this and can't get it to work.

I'm trying to present a reg form that requires simply Username, Email, and Password. But when I try and register, the form comes back with the alert, "Account givenName cannot be null, empty, or blank."

In my code I have:

app.use(stormPath.init(app, {
    // ...
    enableUsername: true,
    requireUsername: true,
    enableGivenName: false,
    requireGivenName: false,
    enableSurname: false,
    requireSurname: false,
    // ...
}));

I've added some debug output to the helpers.collectFormErrors function but that doesn't seem to be where the alert is coming from. It's almost as if the validation is failing over at the stormpath server.

Thanks for any advice!
bobby

I'm impressed with the Express-Stormpath module and seriously considering implementing it. I'm currently using passport-stormpath but still very lightly integrated.

The one feature I don't see that would be useful would be group authentication based on the route params, i.e. (based on example from documentation)

app.get('/admin/:association', stormpath.groupsRequired([':association']), function(req, res) {
  res.send('If you can see this page, you must be in the `' + req.params.association + '` association!');
});

The idea being that a route like '/admin/myassociation' would require membership in the 'myassociation' group.

(my appologies this should go to Stormpath support, not on issues)

controllers.js line 517~

after retrieving auth code from google, APP.getAccount is called but err is returned with

{ name: 'ResourceError',
status: 400,
code: 7200,
userMessage: 'Oops! We encountered an unexpected error. Please contact support and explain what you were doing at the time this error occurred.',
developerMessage: 'Stormpath was not able to complete the request to Google: this can be caused by either a bad Google directory configuration, or the provided account credentials are not valid. Google error message: 400 Bad Request',
moreInfo: 'http://docs.stormpath.com/errors/7200',
message: 'HTTP 400, Stormpath 7200 (http://docs.stormpath.com/errors/7200): Stormpath was not able to complete the request to Google: this can be caused by either a bad Google directory configuration, or the provided account credentials are not valid. Google error message: 400 Bad Request'
}

I have a very simple angular page , served statically by express

index.html

..snip..

I wanted to add auth to the app, so put this into my node program

app.get('/',stormpath.loginRequired,function(req,res) {
res.sendfile('index.html');
})

so, I fire up the server, go to the url, and I get a login screen. Working well. Enter the username & password, and I get

{{config}}

in the browser.

If I press refresh, then I don't get a login , but get the expected result on the page

{"date":"2014-12-10T13:46:18.706Z","currentTimeStamp":"never"}

so, it seems as if angular is not working / present when the page is first sent after login, but after a successful login, any refresh causes things to work properly

what am I doing wrong ?

As I was making sure the analytics were set on each page of our app, I figure out I would not be able to do it on all of express-stormpath pages since I do not control the context passed to those pages. Would it make sense to pass an object to the init function like extraTemplateContext with predefined values to be passed to those templates? I would need to pass things like analytic service ID.

I can provide a pull request today if you want.

Using || to set default value will not work when implicitly using false, as || is checking for falsey and not undefined. This is only an issue when the default value is true.

For instance

app.set('stormpathEnableSurname', opts.enableSurname || (process.env.STORMPATH_ENABLE_SURNAME === 'true') || true);

will not work as expected when deliberately setting opts.enableSurname (or STORMPATH_ENABLE_SURNAMEof course) to false.

I'm not submitting a pull request for this one as selecting which route to take for default configurations is highly opinionated and you might have your preferred approach already.

I've followed the quickstart guide (and, may I say, great job!) and got auth working just fine on certain routes.

however, I'm a little stuck on how to ensure that authentication is done on all routes, even static ones.

I have this in my app

app.use(loopback.static(path.resolve(__dirname, '../client')));

how can I force a user to login before accessing the site ?

thanks !

We should make this work with our Angular.js SDK by modifying the way sessions work: we should switch from storing a plain-old user href as the session cookie to storing a JWT.

Hi guys,

I just experienced the same error as #22 on the login page. The same workaround could be used to fix it I guess.

having a problem with sub domains and a password reset

for every new customer of our app (demo) we spin up a new sub domain, so we have

foo.demo.com
bar.demo.com

now, we obviously don't want to have to create a new app for every potential customer, so we are using a demo application in stormpath, and groups (foo/bar/etc) to authorise access to each sub domain

however, the password reset mechanism requires a fixed callback url - which obviously doesn't work with sub domains.

how can we get round this problem ?

Hi,

I just encountered a problem with the password change form. The forms library expects the form value to be in the querystring if the form is handled on a GET. Since the password reset form puts parameters (token) in the URL, the form seems to be handled like if it was submitted on a GET and generates a "Password required" error when the page loads.

I did some digging and it seems to me that it's the desired behavior from that lib and it doesn't seems like there's a workaround for that.

Any idea? Maybe another form library might do the trick?

If using email verification, when attempting to login as an unverified user (with correct credentials) the standard error message is returned...'Invalid username or password.'

It would be much better if a message reminding the user that they need to verify their email was displayed.

Thanks!

I'm initializing my Express app using the suggested env variables and the following code:

// Attach Stormpath
app.use(stormpath.init(app, {
    secretKey: ''
}))

However, shortly after I start my app, I get a hard crash with only the following error:

ResourceError: HTTP 404, Stormpath 404 (mailto:[email protected]): The requested resource does not exist.

I'm not really sure how to debug this...there are no other details provided by the error/crash.

Install shows the following:

npm WARN deprecated [email protected]: Please update to the latest version to ensure the latest security fixes in "qs"

Please consider updating dependency in future release.

Thanks!

When enabling expandGroups or expandProviderData etc, the response times (caching in memcached enabled!) go from a few millisecs to over 1 second. Seems that info is not being cached? Also, when using the middleware (app.use), but not using a loginRequired on that route, is still really slow.

When following the quickstart guide: "If you’d prefer to specify your API credentials without using an apiKey.properties file, you can also do that easily by setting the following two environment variables: STORMPATH_API_KEY_ID=xxx" Kept resulting in:

...helpers.js:169 ERROR: No Stormpath credentials specified.

After trying several different ways to set the credentials, finally reviewed source to find a casing problem on the checkSettings function, capital 'D' in ID in /lib/helpers.js:166:

(app.get('stormpathApiKeyID') && ...

This doesn't match other usages of 'stormpathApiKeyId', lower case 'd'.

Workaround: To set credentials without a keyfile you can still use the environment variable 'STORMPATH_API_KEY_ID' by setting the following in your application code to circumvent the validation:

app.set('stormpathApiKeyID', 'not used');

Potential fix - helpers.js line 166:
(app.get('stormpathApiKeyId') && app.get('stormpathApiKeySecret')) ||

We were wondering what would happen if one of our users lost, deleted, forgot the verification email. Do you have plan to have a resend verification page or something like that? Currently it seems like the user would be in some sort of limbo state where he can't reset his password nor signup with the same email.

Please correct me if I'm wrong, but right now the module is tied to an application's main directory. It would be nice to have support to choose other directories in an application to use.

Here's my use case: I am building a microservice architecture with each microservice using express-stormpath's oauth2 functionality. I've gotten it to work wonderfully with an application. There will only be a handleful of api consumers (developers) for each microservice, so giving each microservice it's own directory in a single application would be most ideal so we don't have to create a new application for every microservice when each microservice is really only going to have around 5-10 api developers.

Currently if I modified custom data in the Admin UI,
the server cache hide the modification to my webpage.

Can we set false to the cache option for custom data only for example ?

As far as I can tell the customData is not expanded.

I'm doing this check, but it is getting called with every request.

var spUser = res.locals.user;

if(Object.keys(spUser.customData).length == 1){
  console.log("Loading customData.");
  spUser.customData.get(function(err,customData){
    if(!err){
      _.merge(res.locals.user.customData, customData);
    }
  });
}

Documentation says that by default, session expires after one month but in fact, it expires after 30 minutes

By default, sessions will not expire for one month (out of convenience).

Code which defines default value:
https://github.com/stormpath/stormpath-express/blob/1.0.3/lib/settings.js#L60

app.set('stormpathSessionDuration', opts.sessionDuration || parseInt(process.env.STORMPATH_SESSION_DURATION) || 1000 * 60 * 30);

On line 180 of authentication.js, the query parameters are explicitly stripped off from the URL before redirecting to the login page.

var url = req.app.get('stormpathLoginUrl') + '?next=' + encodeURIComponent(req.originalUrl.split('?')[0]);

This means that if you navigate to a page with query parameters and are redirected to login, you will not arrive back at the original page once you complete login. It looks intentional though. What was the rationale?

I'm having an issue with the lastest release where sometimes the account is not expanded. This only appears to happen after a user goes through the verification process. The account href is the only information that makes it into the redis record, then when the user logs in the cached record is loading but the account isn't expanded any further.

I was only checking that the user property was being set, not that the account was expended, I can easily address this on my end, but I thought you may want to be informed.

I realize this may be an SDK issue related to the changes in 0.6.0 but I thought I'd start the discussion here.

Hey,

we are currently doing a pass on our UX for our authentication flow and we would like to customize error messages coming from the API. Currently, if we request a password reset for a unknown email, we get a not-so-human-friendly error "Invalid email.".

Would it be possible to customize such messages? It could be enough for us if we had to provide a "translation" for those and they would be rendered using it. I know we could do it on the template side, but I find this solution not really elegant since it would put too much logic to my taste in the template.

For a few minutes, I got the following error during startup of my application.

Stormpath seems to have responded with a 503 status code, which crashed the app.

Meanwhile, everything is working fine again, so I assume that there is an uncaught issue when creating the callback for the request module.

ERROR

/bastian/appxyz/node_modules/express-stormpath/node_modules/stormpath/lib/error/ResourceError.js:7
  this.status = responseBody.status;
                            ^
TypeError: Cannot read property 'status' of undefined
    at new ResourceError (/bastian/appxyz/node_modules/express-stormpath/node_modules/stormpath/lib/error/ResourceError.js:7:29)
    at Request.onRequestResult [as _callback] (/bastian/appxyz/node_modules/express-stormpath/node_modules/stormpath/lib/ds/RequestExecutor.js:96:23)
    at Request.self.callback (/bastian/appxyz/node_modules/express-stormpath/node_modules/stormpath/node_modules/request/request.js:123:22)
    at Request.emit (events.js:98:17)
    at Request.<anonymous> (/bastian/appxyz/node_modules/express-stormpath/node_modules/stormpath/node_modules/request/request.js:1047:14)
    at Request.emit (events.js:117:20)
    at IncomingMessage.<anonymous> (/bastian/appxyz/node_modules/express-stormpath/node_modules/stormpath/node_modules/request/request.js:998:12)
    at IncomingMessage.emit (events.js:117:20)
    at _stream_readable.js:929:16
    at process._tickCallback (node.js:419:13)

ORIGIN stormpath/lib/ds/RequestExectuor.js

if (response.statusCode > 399) {
      return callback(new ResourceError(body), null);
    }

Hi everyone,

What's the best way to go about performing logic when an account is registered, with email verification enabled?

Regarding this "issue":

• Last commit: a4c6856
• Branch: master

In lib/controllers.js there is the following block starting on line 162:

        // If we get here, it means the account was successfully created.
        if (!err && !req.app.get('stormpathEnableAccountVerification')) { <--------------------- HERE
          if (req.app.get('stormpathPostRegistrationHandler')) {
            req.app.get('stormpathPostRegistrationHandler')(req.user, req, res, function() {
              var url = req.query.next || req.app.get('stormpathRedirectUrl');
              res.redirect(302, url);
            });
          } else {
            var url = req.query.next || req.app.get('stormpathRedirectUrl');
            res.redirect(302, url);
          }
        }

I could do it on Login, but it's a bit more messy. I'll do that if I have to, just wondering if there is a better way (or this creates a potential solution).

Thanks alot!

-- adarqui

Would it be possible to show the password change view directly without having to issue a password reset email. We would want the user to be able to change it directly in our app if he's logged in. I tried to access /forgot/change directly and I got :

Error: Can't set headers after they are sent.
    at ServerResponse.OutgoingMessage.setHeader (http.js:689:11)
    at ServerResponse.header (/home/marcolem/Development/radialpoint/reveal-site/node_modules/express/lib/response.js:662:10)
    at ServerResponse.send (/home/marcolem/Development/radialpoint/reveal-site/node_modules/express/lib/response.js:146:12)
    at fn (/home/marcolem/Development/radialpoint/reveal-site/node_modules/express/lib/response.js:896:10)
    at /home/marcolem/Development/radialpoint/reveal-site/node_modules/hogan-express/hogan-express.js:169:20
    at /home/marcolem/Development/radialpoint/reveal-site/node_modules/hogan-express/hogan-express.js:40:14
    at fs.js:271:14
    at Object.oncomplete (fs.js:107:15)
express deprecated res.send(status): Use res.status(status).end() instead node_modules/express-stormpath/lib/controllers.js:326:11

Error: Can't set headers after they are sent.
    at ServerResponse.OutgoingMessage.setHeader (http.js:689:11)
    at ServerResponse.header (/home/marcolem/Development/radialpoint/reveal-site/node_modules/express/lib/response.js:662:10)
    at ServerResponse.send (/home/marcolem/Development/radialpoint/reveal-site/node_modules/express/lib/response.js:146:12)
    at /home/marcolem/Development/radialpoint/reveal-site/node_modules/express-stormpath/lib/controllers.js:326:11
    at Object.wrapGetResourceResponse [as _wrapGetResourceResponse] (/home/marcolem/Development/radialpoint/reveal-site/node_modules/express-stormpath/node_modules/stormpath/lib/ds/DataStore.js:66:12)
    at onGetResourceRequestResult (/home/marcolem/Development/radialpoint/reveal-site/node_modules/express-stormpath/node_modules/stormpath/lib/ds/DataStore.js:277:13)
    at Request.onRequestResult [as _callback] (/home/marcolem/Development/radialpoint/reveal-site/node_modules/express-stormpath/node_modules/stormpath/lib/ds/RequestExecutor.js:96:14)
    at Request.self.callback (/home/marcolem/Development/radialpoint/reveal-site/node_modules/request/request.js:123:22)
    at Request.emit (events.js:98:17)
    at Request.<anonymous> (/home/marcolem/Development/radialpoint/reveal-site/node_modules/request/request.js:1047:14)

I am using 0.4.5 from npm

When registering if there is an error - weak password, invalid email - all the fields are cleared.

It would be nice if the valid data, like first/last name, was refilled.

Right now, this library initializes its own session stuff as req.session. This is a problem for many people, as most node libraries initialize their own session stuff under the same name -- this causes issues.

What I'd like to do is migrate all Stormpath session stuff to req.stormpathSession, this way there will be no chance of conflict for non-auth related sessions.

I've got about 99% of this code ready to ship, but the CSURF library doesn't currently support anything other than req.session, which is a blocker for this.

I've opened a ticket on the CSURF library page: expressjs/csurf#66

If the author gives me the go ahead, I'll submit a PR to their project, and then once released, push the changes into this library.

Hi
I'm planning a site for health data and I would like to store the users in a secure system like stormpath.

When I read on your site and search the net I see that linkedIn support is mentioned. But I can't find if it is something that is planned or something that is there.

Regards
Terje

The way the middleware is wired, by adding stormpath.init to our app.use, all calls to the app server result in a call to Stormpath via stormpath.Client.getAccount. I'm not sure if this is intentional, or if something should be caching in the stack - I know it's a new library! :) But this results in undesirable behavior:

1. All calls to every resource generate a call to Stormpath (again, not clear on intention), but...
2. Interesting effect of that, once a user logs in, accessing areas not covered by loginRequired (e.g. home page, public docs) still results in Stormpath calls.

Tracing out the process here for reference:

Following the setup procedure we add the following as middleware.
app.use(stormpath.init(app, {
...
}

This returns a middleware function that calls .getUser(...) on all requests at stormpath.js:121
async.series([
function(callback) {
helpers.getUser(req, res, callback); // <-
}
], function() {

.getUser(...) in helpers.js, starting line 72, calls .getAccount(...) resulting in a Stormpath call.

module.exports.getUser = function(req, res, next) {
if (req.session && req.session.user) {
req.app.get('stormpathClient').getAccount(req.session.user.href, { expand: 'customData,groups' }, function(err, account) {
if (err) {
req.session.reset();
} else {
req.session.user = account;
res.locals.user = account;
}
next();
});
} else {
next();
}
};

Thanks!

rather than raising tickets all the time to ask questions, is there an email group or irc that I can communicate with ?

I am wanting to save customer data when registering a new user - but was wondering how to do this with the standard jade forms supplied with stormpath-express

thanks

Right now, if a user opens up a page (login / registration), waits for a bit (for their session to expire), then submits the form -- they'll receive a CSRF error page.

This is quite ugly, and instead we should override this functionality with a custom flashed message of some sort, and re-render the page the user was on.

For some reason, if you disable first name / last name fields, the registration page still enforces them :(

Hi guys,

there is a problem when using groupsRequired on a view. I think you'll understand with the following flow for an authenticated user:

GET /admin -> oh! not in the "admin group".. send to login -> GET /login?next=/admin 
-> oh! you are already signed in -> GET /admin -> oh! not in the "admin group"... send to login -> GET /login .....

I'm not too sure how to fix this without disabling the auto login feature.

Any ideas?

I’m starting out with StormPath by using this repository and following the link from here to the Quickstart at

https://docs.stormpath.com/nodejs/express/quickstart.html

... and I think there is a problem: the current documentation shows that index.js requires 'express-stormpath’, but package.json doesn't include it among its dependencies.

index.js

var stormpath = require('express-stormpath’);

The dependencies in package.json

  "dependencies": {
    ...
    "stormpath": "^0.7.3",
    ...
  }

index.js (currently) has this:

/**
 * Expose the `stormpath` library.
 *
 * @property stormpath
 */
module.exports = require('./lib/stormpath’);

As a beginner I couldn't make that work. Maybe I caught things in the middle of a change in both code and documentation not yet finalized.

Is it actually possible to specify a templating engine other than jade?

The docs indicate EJS support, but I couldn't get this to work as documented. It looks like Jade is a hard dependency.

Frankly, I don't want to use Jade or EJS... my engine of choice is Nunjucks. Any thoughts on making this happen?

Currently testing the stormpath module and found that every time I would log out I would receive this Object <#Session> has no method reset()

I checked my express-stormpath/lib/controllers.js and found this.

module.exports.logout = function(req, res) {
  if (req.session) {
    req.session.reset();
  }

  res.redirect('/');
};

I switched req.session.reset() to req.session.destroy() to fix this temporarily but I wanted to know what the root cause was. Let me know if there is any more info I can provide to help you.

Thanks!

Just as the authenticationRequired middleware will return json where 'accept' headers specify, it would be great if the groupsRequired middleware could do this too.

I need an option of being able to add a Confirm Password field beneath the Password field on the default Create Account form. This Confirm Password field exists on the Create Account form in the Admin Console.

First off, I've really enjoyed using Stormpath so far. Great work!

I'm looking to enable caching for my app. I see that the product guide describes how you can tell stormpath what the host, port, and auth options are for the cache and then it makes its own connection to the cache.

Why not just accept an already configured cache client as well? I ask because in my app I have several other components that depend on a redis client, so instead of creating a client for every component I create one client and inject it into every component that needs it. The connection details change depending on the stage of the app so by using injection I isolate the stage/connection details to the one part of my app that is responsible for creating the client.

I explained my use case, and I think in general this would provide value for other users as well. What are your thoughts? I'd be willing to submit a PR if you like this idea.

Thanks again!

Currently the stormpathSession cookie returned after a successful authorization is set to host-only and cannot be used on subdomains. It would be nice of stormpath-express supported an option to allow cookies on subdomains.