
easy Heroku OAuth authentication for express


node-heroku-bouncer

node-heroku-bouncer is an easy-to-use module for adding Heroku OAuth authentication to Express 4 apps.


$ npm install heroku-bouncer --save


  • Node 0.10.x
  • Express 4.x


Ensure your app is using the cookie-parser and client-sessions middlewares. This module is not guaranteed to work with any other session middleware.

```javascript
var express      = require('express');
var cookieParser = require('cookie-parser');
var sessions     = require('client-sessions');
var bouncer      = require('heroku-bouncer');
var app          = express();

app.use(cookieParser('your cookie secret'));

// NOTE: These options are good general options for use in a Heroku app, but
// carefully review your own environment's needs before just copying these.
app.use(sessions({
  cookieName    : 'session',
  secret        : 'your session secret',
  duration      : 24 * 60 * 60 * 1000,
  activeDuration: 1000 * 60 * 5,
  cookie        : {
    path     : '/',
    ephemeral: false,
    httpOnly : true,
    secure   : false
  }
}));

// The bouncer reads and writes the client-sessions session, so it must be
// registered after the session middleware above.
app.use(bouncer({
  oAuthClientID      : 'client-id',
  oAuthClientSecret  : 'client-secret',
  encryptionSecret   : 'abcd1234abcd1234'
}));

// Only authenticated users reach this handler; others are sent to Heroku OAuth.
app.get('/', function(req, res) {
  res.end('You must be logged in.');
});
```

After requests pass through the bouncer middleware, they'll have a `heroku-bouncer` property (`req['heroku-bouncer']`) on them:

```javascript
{
  token: 'user-api-token',
  id   : 'user-id',
  name : 'user-name',
  email: 'user-email'
}
```

To log a user out, send them to `/auth/heroku/logout`.


| Option | Required? | Default | Description |
|--------|-----------|---------|-------------|
| `encryptionSecret` | Yes | n/a | A random string used to encrypt your user session data |
| `oAuthClientID` | Yes | n/a | The ID of your Heroku OAuth client |
| `oAuthClientSecret` | Yes | n/a | The secret of your Heroku OAuth client |
| `oAuthScope` | No | `"identity"` | The requested scope for the authorization |
| `oAuthState` | No | `null` | An optional OAuth state string, or a function that returns one, passed to the `oauth/authorize` endpoint |
| `herokuAPIHost` | No | n/a | An optional override host to send Heroku API requests to |
| `newSessionCallback` | No | `null` | An optional callback invoked after a session is successfully created; it is passed the OAuth `access_token` and `refresh_token` |
| `sessionSyncNonce` | No | `null` | The name of a nonce cookie to validate sessions against |
| `ignoredRoutes` | No | `[]` | An array of regular expressions matching routes that are ignored when there is no active session |
| `oAuthServerURL` | No | `"https://id.heroku.com"` | The location of the Heroku OAuth server |
| `herokaiOnlyHandler` | No | `null` | A route handler that will be called on requests by non-Herokai |
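Because every `ignoredRoutes` pattern exempts matching requests from authentication, an unanchored expression widens that exemption to any path containing the substring. The following is an added example (not code from node-heroku-bouncer) that contrasts loose and anchored patterns and builds the options from the environment instead of hard-coding secrets; the assumption that each pattern is tested against the request path with `RegExp#test`, and the environment variable names, are assumptions for this example.

```javascript
// Added example, not part of node-heroku-bouncer. Assumption: the module
// tests each `ignoredRoutes` entry against the request path with
// RegExp#test, so a loose pattern exempts more paths than intended.
function isIgnoredRoute(path, ignoredRoutes) {
  return ignoredRoutes.some(function (re) { return re.test(path); });
}

// Unanchored patterns match anywhere in the path.
var LOOSE_ROUTES  = [/health/, /public/];
// Anchored patterns exempt only the intended public endpoints.
var STRICT_ROUTES = [/^\/health$/, /^\/public\/[a-z0-9_-]+\.(css|js|png)$/];

// Constructed sample request paths; the last two should still require a login.
var SAMPLE_PATHS = ['/health', '/public/app.js', '/admin/health-report', '/api/public-keys'];

// Map each path to whether the given patterns exempt it from authentication.
function classify(paths, ignoredRoutes) {
  return paths.reduce(function (acc, p) {
    acc[p] = isIgnoredRoute(p, ignoredRoutes);
    return acc;
  }, {});
}

// Build the bouncer options from the environment instead of committing
// secrets to source. The variable names are assumptions for this example.
function bouncerOptionsFromEnv(env) {
  ['HEROKU_OAUTH_ID', 'HEROKU_OAUTH_SECRET', 'SESSION_ENCRYPTION_SECRET'].forEach(function (name) {
    if (!env[name]) { throw new Error('missing required environment variable ' + name); }
  });
  return {
    oAuthClientID     : env.HEROKU_OAUTH_ID,
    oAuthClientSecret : env.HEROKU_OAUTH_SECRET,
    encryptionSecret  : env.SESSION_ENCRYPTION_SECRET,
    oAuthScope        : 'identity',
    ignoredRoutes     : STRICT_ROUTES,
    // Express route handler: non-Herokai get a 403 instead of the app.
    herokaiOnlyHandler: function (req, res) { res.status(403).end('Herokai only'); }
  };
}
```

With the loose patterns all four sample paths are exempt; with the anchored ones only `/health` and `/public/app.js` are.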


$ npm test