15

Using: passport-google-oauth2.

I want to use JWT with Google login - for that I need to disable session and somehow pass the user model back to client. All the examples are using google callback that magically redirect to '/'.

How do I:
1. Disable session while using passport-google-oauth2.
2. res.send() user to client after google authentication.

Feel free to suggest alternatives if I'm not on the right direction.

Community
  • 1
  • 1
chenop
  • 4,743
  • 4
  • 41
  • 65
  • Check this out - It explains pretty clearly. https://cloud.google.com/nodejs/getting-started/authenticate-users – Muli Yulzary Nov 27 '16 at 13:29
  • @MuliYulzary Thanks, but in the example you gave there is an excessive use of session which I try to avoid. – chenop Nov 29 '16 at 19:25

2 Answers2

15

Manage to overcome this with some insights:
1. disable session in express - just remove the middleware of the session

// app.use(session({secret: config.secret}))

2. when using Google authentication what actually happens is that there is a redirection to google login page and if login is successful it redirect you back with the url have you provided.

This actually mean that once google call your callback you cannot do res.send(token, user) - its simply does not work (anyone can elaborate why?). So you are force to do a redirect to the client by doing res.redirect("/"). But the whole purpose is to pass the token so you can also do res.redirect("/?token=" + token).

app.get( '/auth/google/callback',
        passport.authenticate('google', {
            //successRedirect: '/',
            failureRedirect: '/'
            , session: false
        }),
        function(req, res) {
            var token = AuthService.encode(req.user);
            res.redirect("/home?token=" + token);
        });

But how the client will get the user entity? So you can also pass the user in the same way but it didn't felt right for me (passing the whole user entity in the parameter list...). So what I did is make the client use the token and retrieve the user.

    function handleNewToken(token) {
        if (!token)
            return;

        localStorageService.set('token', token);

        // Fetch activeUser
        $http.get("/api/authenticate/" + token)
            .then(function (result) {
                setActiveUser(result.data);
        });
    }

Which mean another http request - This make me think that maybe I didnt get right the token concept. Feel free to enlighten me.

chenop
  • 4,743
  • 4
  • 41
  • 65
  • have you come with some sort of a solution? I have the same problem and I can't set headers after Google callback redirect – lomboboo Jan 12 '17 at 20:00
  • Please check [passport-google-oauth-jwt](https://www.npmjs.com/package/passport-google-oauth-jwt) also very useful if you don't want to use session – Gagan Apr 25 '17 at 05:10
  • And If you don't want to use session please use [passpor-jwt](https://www.npmjs.com/package/passport-jwt) – Gagan Apr 25 '17 at 05:20
  • @Gagan not sure if its relevant to the discussed issue, Can you please elaborate? – chenop Apr 25 '17 at 12:22
  • @chenop As you were looking for session less authentication. passport-jwt is quite suitable for auth without session. And if any user comes here he/she will get the related info. – Gagan Apr 25 '17 at 18:39
  • @Gagan How do I create no session in that code(textuploader.com/dlkxz) without using serialize/deserialize method? I am going to use JWT instead of session. – Internial Nov 01 '17 at 00:30
  • @Internial youre question is not clear - could you elaborate? – chenop Nov 02 '17 at 07:56
  • I'm using the same technique: what I do is that the first redirect with the ``?token=`` is sending a short-lived token stored in my DB, then when the client gets this token and makes a loginWithToken request, I generate a normal long term token thus allowing the user to login. – HRK44 Feb 14 '18 at 08:16
1

Initialize passport in index.js:

app.use(passport.initialize());

In your passport.js file:

passport.use(
new GoogleStrategy(
{
 clientID: process.env.GOOGLE_CLIENT_ID,
 clientSecret: process.env.GOOGLE_CLIENT_SECRET,
 callbackURL: 
'http://localhost:3000/auth/google/redirect',
},
async (accessToken, refreshToken, profile, 
callback) => {
  // Extract email from profile
  const email = profile.emails![0].value;

  if (!email) {
    throw new BadRequestError('Login failed');
  }

  // Check if user already exist in database
  const existingUser = await User.findOne({ email 
});

  if (existingUser) {
    // Generate JWT
    const jwt = jwt.sign(
      { id: existingUser.id },
      process.env.JWT_KEY,
      { expiresIn: '10m' }
    );

    // Update existing user
    existingUser.token = jwt
    await existingUser.save();

    return callback(null, existingUser);
  } else {

    // Build a new User
    const user = User.build({
      email,
      googleId: profile.id,
      token?: undefined
    });

    // Generate JWT for new user
      const jwt = jwt.sign(
      { id: user.id },
      process.env.JWT_KEY,
      { expiresIn: '10m' }
    );
   
    // Update new user
    user.token = jwt;

    await auth.save();

    return callback(null, auth);
  }
}));

Receive this JWT in route via req.user

app.get('/google/redirect', passport.authenticate('google', 
{failureRedirect: '/api/relogin', session: false}), (req, res) => {
// Fetch JWT from req.user
const jwt = req.user.token;
req.session = {jwt}
// Successful authentication, redirect home
res.status(200).redirect('/home');
}
chtn
  • 11
  • 1
  • Nice one, this was the bit that was throwing me. Specifically including the failureRedirect and session: false in the redirect route `passport.authenticate('google', {failureRedirect: '/api/relogin', session: false})` Thanks for the suggestion! – Kitson Jan 07 '23 at 16:25