From 14a9095fa44f12f75d27e53b5e9ee15c805abeb8 Mon Sep 17 00:00:00 2001
From: Jochem Maas
Date: Tue, 22 Oct 2013 15:29:28 +0200
Subject: [PATCH 1/2] make this strategy accept the "passReqToCallback" option

I have the same requirements for 'post login processing' when someone logs in with a "remember-me" cookie (as compared to other auth strategies in use) in order to be able to call my handler(s) for 'post login processing' I need to pass in the `req` object - in my case session data needs to be set, specifically I track the kind of login used so that I can request/require that a user verifies 'account-id + passwd' before updating sensitive data if the user initially logged in with a "remember-me" cookie (or some other one-time-pass)
---
 lib/strategy.js | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/lib/strategy.js b/lib/strategy.js
index a743248..6e47a50 100644
--- a/lib/strategy.js
+++ b/lib/strategy.js
@@ -29,6 +29,7 @@ function Strategy(options, verify, issue) {
 this.name = 'remember-me';
 this._verify = verify;
 this._issue = issue;
+ this._passReqToCallback = !!options.passReqToCallback;
 }
 /**
@@ -94,10 +95,16 @@ Strategy.prototype.authenticate = function(req, options) {
 return self.success(user, info);
 }
- self._issue(user, issued);
+ if (this._passReqToCallback)
+ self._issue(req, user, issued);
+ else
+ self._issue(user, issued);
 }
- self._verify(token, verified);
+ if (this._passReqToCallback)
+ self._verify(req, token, verified);
+ else
+ self._verify(token, verified);
 }

From 2ebbe2c665c704de4948b7247fa56874ceac06fa Mon Sep 17 00:00:00 2001
From: Jochem Maas
Date: Tue, 22 Oct 2013 15:54:18 +0200
Subject: [PATCH 2/2] use "self" not "this" - in order to reference the correct object!

---
 lib/strategy.js | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/lib/strategy.js b/lib/strategy.js
index 6e47a50..4e47769 100644
--- a/lib/strategy.js
+++ b/lib/strategy.js
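Review bot: The new `passReqToCallback` option introduced at `this._passReqToCallback = !!options.passReqToCallback;` in the `@@ -29,6 +29,7 @@` hunk is not documented anywhere in the patch, and enabling it changes the arity of both user-supplied callbacks, so a reader of the constructor cannot tell which signature to implement. The constructor's doc block sits above line 20 and is outside these hunks, but presumably lists the other options (`key`, `cookie`); add an entry there along the lines of `passReqToCallback  when true, req is passed as the first argument to both callbacks: verify(req, token, done) and issue(req, user, done); defaults to false`. A one-line note on the `verify`/`issue` parameter descriptions saying the same would let a caller who sets the option but keeps two-argument callbacks see why `token` suddenly arrives as the request object. The second hunk of this patch uses `this` inside the `issued` callback; that is already corrected to `self` by the following commit, so nothing further is needed there.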
@@ -20,11 +20,11 @@ function Strategy(options, verify, issue) {
 }
 if (!verify) throw new Error('remember me cookie authentication strategy requires a verify function');
 if (!issue) throw new Error('remember me cookie authentication strategy requires an issue function');
-
+
 var opts = { path: '/', httpOnly: true, maxAge: 604800000 }; // maxAge: 7 days
 this._key = options.key || 'remember_me';
 this._opts = utils.merge(opts, options.cookie);
-
+
 passport.Strategy.call(this);
 this.name = 'remember-me';
 this._verify = verify;
@@ -48,24 +48,24 @@ Strategy.prototype.authenticate = function(req, options) {
 // authenticated. This is in preference to the session, which is typically
 // established at the same time the remember me cookie is issued.
 if (req.isAuthenticated()) { return this.pass(); }
-
+
 var token = req.cookies[this._key];
-
+
 // Since the remember me cookie is primarily a convenience, the lack of one is
 // not a failure. In this case, a response should be rendered indicating a
 // logged out state, rather than denying the request.
 if (!token) { return this.pass(); }
-
+
 var self = this;
-
+
 function verified(err, user, info) {
 if (err) { return self.error(err); }
-
+
 // Express exposes the response to the request. We need the response to set
 // a cookie, so we'll grab it this way. This breaks the encapsulation of
 // Passport's Strategy API, but is acceptable for this strategy.
 var res = req.res;
-
+
 if (!user) {
 // The remember me cookie was not valid. However, because this
 // authentication method is primarily a convenience, we don't want to
@@ -80,11 +80,11 @@ Strategy.prototype.authenticate = function(req, options) {
 // http://jaspan.com/improved_persistent_login_cookie_best_practice
 // http://web.archive.org/web/20130214051957/http://jaspan.com/improved_persistent_login_cookie_best_practice
 // http://stackoverflow.com/questions/549/the-definitive-guide-to-forms-based-website-authentication
-
+
 res.clearCookie(self._key);
 return self.pass();
 }
-
+
 // The remember me cookie was valid and consumed. For security reasons,
 // the just-used token should have been invalidated by the application.
 // A new token will be issued and set as the value of the remember me
@@ -94,14 +94,14 @@ Strategy.prototype.authenticate = function(req, options) {
 res.cookie(self._key, val, self._opts);
 return self.success(user, info);
 }
-
- if (this._passReqToCallback)
+
+ if (self._passReqToCallback)
 self._issue(req, user, issued);
 else
 self._issue(user, issued);
 }
-
- if (this._passReqToCallback)
+
+ if (self._passReqToCallback)
 self._verify(req, token, verified);
 else
 self._verify(token, verified);
@@ -110,5 +110,5 @@ Strategy.prototype.authenticate = function(req, options) {
 /**
 * Expose `Strategy`.
- */
+ */
 module.exports = Strategy;
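Review bot: In the `@@ -94,14 +94,14 @@` hunk the two `if (self._passReqToCallback)` / `else` pairs that dispatch to `self._issue` and `self._verify` are written without braces, while every other single-statement `if` in `authenticate` is braced (`if (err) { return self.error(err); }`, `if (!token) { return this.pass(); }` in the earlier hunk); keeping the file's style makes the two-branch call sites harder to break when a line is later added to one branch. The `_verify` site would read `if (self._passReqToCallback) { self._verify(req, token, verified); } else { self._verify(token, verified); }`, and the `_issue` site inside the `issued` callback the same way. Both `authenticate` and the `issued` callback begin above this hunk, and the `this` to `self` correction itself is right, since inside the nested `issued` function `this` is not the strategy.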