Node.js use Passport with Bearer Strategy

        I'm going to demonstrate how to use Bearer Strategy and jsonwebtoken in this post. The workflow is shown as below picture. The client need to login first and get the token from the server. Then the client request another API service while embedded the token in the http request header. The server verify the token and respond the result to the client. The jsonwebtoken can encode a little information into the token, like user id and username (those isn't sensitive data). The jsonwebtoken can decode back the information on server side. We do not use Session to store in this example because the token also acts as authentication check.

        Starting with the code using passport with LocalStrategy and custom callback(v1.2), we first install the Bearer Strategy and token generator module.
                npm install passport-http-bearer
                npm install jsonwebtoken

        Secondly, we import the modules and setup simply for test. I just set the expired time as 1 day and hard code the secret key used for jsonwebtoken generation. In real case, we need more configuration and keep the secret key confidential.

import jwt from "jsonwebtoken";
import BearerStrategy from "passport-http-bearer";
 
const jwtOption = {
expiresIn: 86400, // = 24 * 60 * 60 seconds
};

const jwtSecretKey = "You should keep secret key in confidential";
 

        Thirdly, we register the BearerStrategy vertification to passport module.

passport.use(
"bearer",
new BearerStrategy((token, cb) => {
jwt.verify(token, jwtSecretKey, function(err, decode){
if(err)
return cb("error in token auth: " + err.message);

return cb(null, decode, "decode result");
});
})
);

        We will generate the token only when the user logins successfully. We call jwt.sign() to generate the token and send back to client.

app.post(
"/login", function(req, res, next){
passport.authenticate(
"local",
{ session:false },
function(err, user, info, status){
if(err){
return res.send(err);
}
if(!user){
return res.send(info);
}
jwt.sign(user, jwtSecretKey, jwtOption, function(err, token){
if(err)
return res.send(err);

return res.send("Bearer " + token);
});
}
)(req, res, next);
}
);

        We can test with Postman (POST /login) and receive the token from server response.

Postman received the token from the server

         Then we create 2 new route GET /user1 and GET /user2 to test the Bearer Strategy default callback manner and our custom callback. The default manner will put the decoded data to req.user, similar to load user information to req.user from Session with Local Strategy.

app.get("/user1", passport.authenticate("bearer", {session:false}),
function (req, res){
res.send(req.user);
}
);

app.get("/user2", function(req, res, next){
passport.authenticate("bearer", function(error, decodedData, info){
if(error)
return res.send(error);

if(!decodedData)
return res.send("no decoded Data");

return res.send(decodedData);
})(req, res, next);
});

Default Manner         

        Now we test these 2 routes with Postman. First we login to get the token. Then we click the Authorization tab below the path in Postman. Select Bearer Token type and paste the token we got on the right. 

Postman setting
        We test the default manner first. (GET /user1) and get an object back from the server. It contains name and id property, which we had passed to jwt.sign() function (1st parameter).
received object from the server

        If we changed the last 2 characters of the token and visit the path again, the server return a html file with message invalid signature.

received html file for incorrect token
        If we don't include the token (either leave the blank token column or choose the type no Auth), the server return message "Unauthorized".

received message when visit the path without token

 Custom callback

         Now we test the customer callback (GET /user2). If we leave the blank token column or set the Type as no Auth, the server returns the message that we set when decodedData is false.

Custom callback when no token provided
         If we type in wrong token, the server returns a string of message indicating the error occurred during the jwt decryption.
Postman received a string indicating invalid token
        If we pass the correct token, the server returns the user name and id to us as the default manner did.

Server return user name and id for correct token

         We add 1 line console.log(req.user) on the server side. The terminal show "undefined". That means we have to mount the user information(decoded data) to req.user by ourself if we want the custom callback behave as the default manner.

terminal message on the server

 The source code(v3.1) of this post is stored in github, 

We can find more detail on the bearer strategy and jsonwebtoken website.

 Note:

        There are some potential security issues if we use Bearer token only. For example, if someone steal our token and request the api service, the server cannot cancel the validity of the token until the expiration date. We need extra tools/technique to help to tackle those security issues. This will be another topic.

Comments

Post a Comment

Popular posts from this blog

Use okhttp to download file and show progress bar

Image
  Okhttp also can be used to download files from the internet to the app-specific storage . In this post, download progress is shown by the progress bar. The outcome can be viewed in this link . First, Internet permission is required in the manifest file <uses-permission android :name = "android.permission.INTERNET" /> Then we add the dependency of Okhttp in the module’s build.gradle file. The download process is done in coroutines so kotlinx-coroutines dependency also is required implementation 'com.squareup.okhttp3:okhttp:4.9.3' implementation 'org.jetbrains.kotlinx:kotlinx-coroutines-android:1.7.3' The developer of okhttp library has provided the example for download and get the progress in https://github.com/square/okhttp/blob/master/samples/guide/src/main/java/okhttp3/recipes/Progress.java After studying the code, I implemented it in Kotlin and modified it a bit. A class is created to handle the download. The constructor has CoroutineScope and Prog...
Read more

Download File into app specific storage with Retrofit

Image
  In the previous post , DownloadManager is used to download files into the device’s public directory. If the file contains sensitive data, we hope the file can be saved into the app-specific storage rather than public directory. Therefore, we need another method to download. Retrofit is a type-safe  HTTP client which help us transfer information and data over a network. Dependency Add below dependency into module build.gradle file. implementation( "com.squareup.retrofit2:retrofit:2.9.0" ) implementation( "com.squareup.retrofit2:converter-gson:2.9.0" ) We add codes on the same module of DownloadManager. A button is added next to the DownLoadManager Button. When it is clicked, it will start to download the file using Retrofit. Implementation We first create a interface so that Retrofit can translate the java/Kotlin function to HTTP API.  The notation @Streaming is used for downloading large file so that it would not write too large data into memory at once. The do...
Read more

Unzipp file with Zip4j library

Image
  Java library has a built-in class java.util.zip.ZipFile and java.util.zip.ZipInputSteam. However, those class only can unzip files without a password.  For those zip files with password protected, we use 3rd party library Zip4j I have created a password protected zip file for testing. Structure like this. The name with ‘/’ is a directory. All files are photo in jpg format. Photo2/ 20190314_103435_HDR.jpg 20190314_112925_HDR.jpg 20190314_103702_HDR.jpg primary/ 20190316_121528_HDR.jpg secondary1/ 20190422_155924_HDR.jpg seconday2/ 20190314_103252_HDR.jpg  Test zip file download link: https://drive.google.com/uc?export=download&id=1XDMUGuvOPkTR2TH_Ikb5-2SIR7nXQ6yk Unzip password: aB3d Add dependency in the module gradle. implementation 'net.lingala.zip4j:zip4j:2.11.5' I have created a new module for this practice and copied the code used in the previous practice download file with Okhttp . Three ...
Read more