jaredhanson/passport-twitter

Using OAuth 1.0 without sessions

woutrbe opened this issue · 1 comment

I'm working with a stateless API, so no sessions are being maintained currently; for every authorised request, a JWT is required. This works fairly well with OAuth 2 applications, where a state parameter is optional.

For example:

const express = require('express');
const passport = require('passport');
const router = express.Router();

// Require a valid JWT (no session), then carry it into the OAuth 2 flow via the state parameter
router.get('/', passport.authenticate('jwt', { session: false }), (req, res, next) => {
	passport.authorize('facebook', { state: req.query.state })(req, res, next);
});

In the callback, I can just look for the jwt in the query parameters.

With OAuth 2 it's a different story, the callback needs to somehow know which user has authorised their Twitter account.

// OAuth 1.0a has no state parameter, so nothing carries the JWT user through to the callback
router.get('/', passport.authenticate('jwt', { session: false }), (req, res, next) => {
	passport.authorize('twitter')(req, res, next);
});

// How do I get the callback to work
router.get('/callback', passport.authenticate('jwt', { session: false }), (req, res, next) => {
	passport.authorize('twitter', (err, user, info) => {
		// err, user and info arrive here, but nothing identifies which JWT user started the flow
	})(req, res, next);
});

I understand I need to maintain a session for this, but what would be the best implementation for this? Does passport provide a solution? Or am I looking at a custom implementation?

I'm far from sure if this is the correct solution, but what I did was implement the serializeUser and deserializeUser methods again.

Then when calling the first twitter auth route:

router.get('/', passport.authenticate('jwt', { session: true }), (req, res, next) => {
	// Manually start a session
	req.login(req.user, err => {
		if (err) {
			return res.status(401).send({
				success: false,
				error: err
			});
		}

		return passport.authorize('twitter', { state: req.query.state })(req, res, next);
	});
});

Here I'm manually logging in a user by calling req.login. The callback URL is fairly simple: because we created a session before, we now have access to req.user.

router.get('/callback', (req, res, next) => {
	passport.authorize('twitter', (err, user, info) => {
		// req.user is the JWT user restored from the session that req.login created above
		console.log(req.isAuthenticated());
		console.log(req.session);
		console.log(req.user);
	})(req, res, next);
});

module.exports = router;
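An added example, not code from the issue or from passport-twitter, that shows the other way to bind the callback to the initiating user. OAuth 1.0a cannot be made fully stateless: the request token secret issued in the first leg has to be stored server-side until the callback, which is exactly what the session in the comment above does. What can be avoided is the session cookie, because the oauth_token Twitter sends back already identifies the flow. The store below keys that server-side state by request token and records the JWT-authenticated `req.user` next to the secret, so the callback route needs neither a session nor a JWT in the query string. Assumptions: the `requestTokenStore` option of passport-oauth1 (which passport-twitter builds on) and its `set(req, token, tokenSecret, cb)` / `get(req, token, cb)` / `destroy(req, token, cb)` interface are as I recall them and should be checked against the installed version; `req.oauthInitiator`, `JwtBoundRequestTokenStore`, `linkTwitterAccount` and the `accounts` map are names I made up for this example; the in-memory Map is single-process, so a multi-instance deployment would back it with a shared store.

```javascript
'use strict';

// In-memory request-token store that binds each OAuth 1.0a request token to the
// JWT-authenticated user who started the flow. Assumed interface (passport-oauth1's
// `requestTokenStore` option, as I recall it; verify against the version you install):
//   set(req, token, tokenSecret, cb), get(req, token, cb) -> cb(err, tokenSecret),
//   destroy(req, token, cb)
class JwtBoundRequestTokenStore {
  constructor({ ttlMs = 10 * 60 * 1000, now = Date.now } = {}) {
    this.ttlMs = ttlMs;
    this.now = now;
    this.entries = new Map(); // oauth_token -> { tokenSecret, user, expiresAt }
  }

  // First leg: Twitter has issued a request token. The route ran
  // passport.authenticate('jwt', { session: false }) first, so req.user is the
  // JWT subject; refuse to start a flow that nobody is authenticated for.
  set(req, token, tokenSecret, cb) {
    if (!req.user) {
      return cb(new Error('OAuth flow must be started by a JWT-authenticated user'));
    }
    this.entries.set(token, {
      tokenSecret,
      user: req.user,
      expiresAt: this.now() + this.ttlMs,
    });
    return cb();
  }

  // Callback leg: look up the oauth_token Twitter sent back. The token alone
  // identifies the initiating user, so no session and no JWT in the query are
  // needed. The user is exposed on req.oauthInitiator (a name chosen for this
  // example) for the verify callback, which needs passReqToCallback: true.
  get(req, token, cb) {
    const entry = this.entries.get(token);
    if (!entry) {
      return cb(new Error('Unknown request token'));
    }
    if (entry.expiresAt <= this.now()) {
      this.entries.delete(token);
      return cb(new Error('Request token expired'));
    }
    req.oauthInitiator = entry.user;
    return cb(null, entry.tokenSecret);
  }

  // After the access-token exchange: request tokens are single-use, drop the secret.
  destroy(req, token, cb) {
    this.entries.delete(token);
    return cb();
  }
}

// Verify callback for passport-twitter with passReqToCallback: true
// (signature: req, token, tokenSecret, profile, done). Links the Twitter
// profile to the user recorded by get() above, never to whoever happens to
// reach the callback URL. `accounts` is a constructed stand-in for a user DB.
function linkTwitterAccount(accounts) {
  return function verify(req, token, tokenSecret, profile, done) {
    const initiator = req.oauthInitiator;
    if (!initiator) {
      return done(null, false, { message: 'callback not bound to an initiating user' });
    }
    accounts.set(initiator.id, { twitterId: profile.id, token, tokenSecret });
    return done(null, initiator);
  };
}

// Assumed wiring (not executed here):
//   const store = new JwtBoundRequestTokenStore();
//   passport.use(new TwitterStrategy({
//     consumerKey, consumerSecret, callbackURL,
//     requestTokenStore: store, passReqToCallback: true,
//   }, linkTwitterAccount(accounts)));
//   router.get('/', passport.authenticate('jwt', { session: false }),
//     passport.authorize('twitter'));
//   router.get('/callback', passport.authorize('twitter', { session: false }),
//     (req, res) => res.json({ linked: true }));
```

The TTL keeps abandoned flows from accumulating, and `destroy` makes each request token single-use; both matter because an attacker who could replay a stale oauth_token against the callback would otherwise be able to attach their own Twitter account to the victim's API user.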