passportjs

[uniquejava]

这里是最详尽的文档: http://passportjs.org/docs/authenticate
上面的文档对flash message的叙述有误
见Node.js Authentification with Passport: How to flash a message if a field is missing?

其中有提到这篇博客: https://scotch.io/tutorials/easy-node-authentication-setup-and-local
写得非常详细.

Quick start

要快速开始可以看github page首页上的express 4 demo, 按我的理解快速记下几个要点:

passport只用在login的那一刻, 也就是说, 有且只用在一个地方.

router.post('/login', passport.authenticate('strategyName', {params}), (req, res) => {
 //这里就可以使用req.user得到用户, 会包含在 deserializeUser 函数中传入的 user 数据
}

在其它地方可以使用req.isAuthenticated()来判断用户是否登录了, 但我们一般都会把user放在session里, 然后判断req.session.user是否存在, 所以这个isAuthenticated方法不是很有必要.

要使用上面的代码能正常运行, 需要向passport注册一些Strategy(目前有300多种strategy可用), 官网首页上有个列表, qq, weibo, weixin, twitter, facebook你能想到的都在里边.

这个strategy name默认叫'local', 就是常用的用form表单提交用户密码的情况.
以下是配置部分, 用代码说话:

Strategies 注册Strategy

passport.use(/* 'your random strategy name here' */, new LocalStrategy(
 function(username, password, done) {
 User.findOne({ username: username }, function (err, user) {
 if (err) { return done(err); }
 if (!user) { return done(null, false); }
 if (!user.verifyPassword(password)) { return done(null, false); }
 return done(null, user);
 });
 }

Sessions 序列化与反序列化

passport.serializeUser(function(user, done){
 done(null, user.id);
});

passport.deserializeUser(function(id, done){
 User.findById(id, function (err, user){
 done(err, user);
 });
});

Middleware 依赖的组件

var app = express();
app.use(require('serve-static')(__dirname + '/../../public'));
app.use(require('cookie-parser')());
app.use(require('body-parser').urlencoded({ extended: true }));
app.use(require('express-session')({ secret: 'keyboard cat', resave: true, saveUninitialized: true }));
app.use(passport.initialize());
app.use(passport.session());

Authenticate Requests 仅用在登录处

app.post('/login', 
 passport.authenticate('local', { failureRedirect: '/login' }),
 function(req, res) {
 res.redirect('/');
 });

也可以这样

router.post('/', passport.authenticate('local', { successRedirect: 'http://localhost:3000', failureRedirect: '/login' }));

References

http://passportjs.org/

https://github.com/jaredhanson/passport

使用passportjs进行登录验证

使用 passport.js 完成后台验证

[uniquejava]

关于flash message

cyper实战一, 定义 passport.local.js:

var passport = require('passport');
var fs = require('fs');
var path = require('path');
var _ = require('underscore');
var LocalStrategy = require('passport-local').Strategy;

passport.use(new LocalStrategy({
 usernameField: 'username',
 passwordField: 'password',
 passReqToCallback: true
 },
 function (req, username, password, done) {

 fs.readFile(path.join(__dirname, './data/users.json'), 'utf8', function (err, doc) {
 if (err) {
 return done(err);
 }
 var doc = JSON.parse(doc);

 var user = _.findWhere(doc, {username: username});
 if (!user) {
 req.flash("field", "username");
 req.flash("message", "Incorrect username.");
 return done(null, false);
 }

 if (user.password !== password) {
 req.flash("field", "password");
 req.flash("message", "Incorrect password.");
 return done(null, false);
 }

 return done(null, username);

 });
 }
));

passport.serializeUser(function (user, done) {
 done(null, user);
});

passport.deserializeUser(function (user, done) {
 done(null, user);
});

module.exports = passport;

使用indexRoutes.js

router.get('/login', function (req, res, next) {

 var fields = req.flash('field');
 var messages = req.flash('message');

 res.render('login', {field: fields[0], message: messages[0]});
});

router.post('/login', passport.authenticate('local', {
 failureRedirect: '/login',
 failureFlash: true /* <=== 这里改成false也不影响. */
}), function (req, res) {
 var user = req.user;

 console.log(user + ' logged in.');

 req.session.user = user;
 res.cookie('token', someToken);
 res.redirect(user === 'admin' ? '/admin' : '/xxxx');

});

页面 login.ejs

function login() {
 var rules = {
 username: {
 identifier: "username",
 rules: [{type: 'empty'}]
 },
 password: {
 identifier: "password",
 rules: [{type: 'empty'}]
 },
 };

 var form = $('.login-form').form({fields: rules});
 form.form("validate form");
 var isValid = form.form('is valid');
 if (isValid) {
 createCookie('username', $('#username').val());
 createCookie('remember', $('.ui.checkbox').checkbox('is checked'));

 $(this).prop("disabled", true).toggleClass("loading", true);
 form.form('submit');
 }
}

$(document).ready(function () {
 // remember me
 var remember = getCookie('remember');
 if (remember === 'false') {
 $('#username').val('');
 $('.ui.checkbox').checkbox('uncheck');

 } else {
 $('#username').val(getCookie('username'));
 $('.ui.checkbox').checkbox('check');
 }

 // display error message if exist
 var field = '<%= field %>';
 var message = '<%= message %>';
 if (field) {
 $('#username').val(getCookie('username'));

 var form = $('.login-form').form({inline: true});
 form.form('add prompt', field, message);
 }

 // handle text input key up event
 $('#username').keyup(function (event) {
 if (event.keyCode === 13) {
 $('#password').focus();
 }
 });

 $('#password').keyup(function (event) {
 if (event.keyCode === 13) {
 login();
 }
 });

 $('#btnSubmit').click(login);

});

登出 xxxRoutes.js

router.get('/logout', function (req, res, next) {
 // see https://stackoverflow.com/questions/33332614/either-req-logout-or-req-session-destroy-does-not-work
 // see https://github.com/jaredhanson/passport/issues/246

 req.session.destroy(function () {
 req.logout();

 console.log("user session destroyed.");
 console.log(req.isAuthenticated());

 res.redirect('/login');
 });
});

为什么要调用logout, 解释如下

req.isAuthenticated() is part of passport. Relevant code:

req.isAuthenticated = function() {
 var property = 'user';
 if (this._passport && this._passport.instance._userProperty) {
 property = this._passport.instance._userProperty;
 }

 return (this[property]) ? true : false;
};

Checks for the property and returns a boolean.

req.logout() removes the property so it returns false in future requests.

Meanwhile, session.destroy comes from expressjs/session middleware, so it's not passport related. Maybe you are creating the session again in the index page. The question needs more info.

[uniquejava]

passport.js关键方法的调用时机

通过以下日志可以看到, 每一次request请求, 都会首先调用passport.deserializeUser(..), passport从用户请求的cookie 中得到sessionid进而得到保存在session中的user对象, 然后调用deserializeUser(得到完整的user对象).
然后将user放到req.user中, 接下来进入到mustlogin middleware, 由这个middleware决定下一步怎么走

而LocalStrategy的回调和serializeUser只会在POST /login时调用一次.

[2017-09-28 01:05:58.782 INFO] GET /login
[2017-09-28 01:06:02.934 INFO] passport.use(new LocalStrategy(...))
[2017-09-28 01:06:02.937 INFO] get one connection
[2017-09-28 01:06:02.937 DEBUG] select * from XXXX where username=? order by user_id desc
[2017-09-28 01:06:02.937 DEBUG] [ 'admin' ]
[2017-09-28 01:06:03.547 INFO] connection released to pool.
[2017-09-28 01:06:03.552 INFO] serializeUser(...){"user_id":1,"username":"admin","org_id":1}
[2017-09-28 01:06:03.553 INFO]{"user_id":1,"username":"admin","org_id":1} logged in.
[2017-09-28 01:06:03.763 INFO] POST /login
[2017-09-28 01:06:03.768 INFO] deserializeUser(...){"user_id":1,"username":"admin","org_id":1}
[2017-09-28 01:06:03.769 INFO] mustlogin - route middleware: req.isAuthenticated()?
[2017-09-28 01:06:03.993 INFO] GET /admin
[2017-09-28 01:06:06.082 INFO] deserializeUser(...){"user_id":1,"username":"admin","org_id":1}
[2017-09-28 01:06:06.083 INFO] mustlogin - route middleware: req.isAuthenticated()?
[2017-09-28 01:06:06.758 INFO] GET /admin/answers/index
[2017-09-28 01:06:07.336 INFO] deserializeUser(...){"user_id":1,"username":"admin","org_id":1}
[2017-09-28 01:06:07.336 INFO] mustlogin - route middleware: req.isAuthenticated()?
[2017-09-28 01:06:07.337 INFO] get one connection
[2017-09-28 01:06:07.338 DEBUG] select ID,substring(text, 0, 35) || '...' as title from XXXX
[2017-09-28 01:06:07.338 DEBUG] []
[2017-09-28 01:06:07.949 INFO] connection released to pool.
[2017-09-28 01:06:08.207 INFO] GET /admin/answers