
I'm using a MEAN stack based on a Yeoman generator and I'm trying to password-protect my API endpoints.

I want to be able to use local and basic strategies on the same endpoint so I can call the API from external sources and use it in my webapp.

However, when I implemented this, I can use only one strategy at a time because the basic authentication is "stateless", which means that it doesn't attach a session.

So far I have 2 different endpoints with 2 different strategies, with this code:

router.get('/all-basic', passport.authenticate(['local','basic'],{ session: false }), controller.index);

router.get('/all-local', auth.isAuthenticated(), controller.index);

I want to know if there is any other approach or best practice for using 2 strategies on the same endpoint, or whether I just need to call 2 different endpoints.

Thanks! Andres Osorio

  • What happens if you remove the `{ session: false }`? – Nathan Friedly Dec 03 '14 at 16:04
  • Still doesn't work. I removed the session flag; if I try from curl or Postman it works, but if I try from my browser (I log in to the system and then call the URL from the browser), I get this message: "UnauthorizedError: No Authorization header was found". It's like the system tries to force me to use basic auth even if I log in with the local strategy. – Andres Osorio Dec 05 '14 at 13:11

1 Answer


After several attempts, I figured out a solution.

I used the second endpoint:

router.get('/all-local', auth.isAuthenticated(), controller.index);

I used Postman to make two requests:

One for the login attempt; if you are using the Yeoman-based MEAN stack, the endpoint to call is:

/auth/local

Please note you should make a POST call with x-www-form-urlencoded and two key-value attributes (email and password). The endpoint will return a token that you need to store in order to make the subsequent calls.

The next step is to call the endpoint itself: I made a GET request to /all-local and added a header called Authorization with the value Bearer [token], replacing [token] with the token value from the first call.

Hope it helps.

  • Hi, I am also facing the same problem. I need your help to resolve this because I didn't get your last point; please guide me. – gowthaman Mar 20 '15 at 08:52
  • You should use the code snippet in your express route file, and to verify you will need Postman, which is a REST client, and make 2 calls from there. The first one gets a token like `{ "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJfaWQiOiI1NDcwZGY3MjIxOGY5MGUwMDhmYWY5MmUiLCJpYXQiOjE0MjY5NTA0ODU4NjUsImV4cCI6MTQyNjk2ODQ4NTg2NX0.GyYXeNJlIBjPmiFXdc_Aaxnm8Zxv1nm1VbX3FX6TVGI" }`; with this token, make the second call from Postman as a GET with header Authorization and value `Bearer eyJ0eXAiOiJKV1QiLC...`. – Andres Osorio Mar 21 '15 at 15:13