Protecting an API with Scopes (oauth2orize, passport, express, Nodejs)

Question

I'm trying to create an API with node/express, and secure it with Passport and oauth2orize. I've got the API working, I've got the oauth2 stuff working, but I can't seem to figure out how to implement securing API methods with scopes.

The oauth2orize token hander-outer:

server.exchange(oauth2orize.exchange.password(function (client, username, password, scope, done) {
scope = scope || ['unauthorized'];
db.collection('oauth_users').findOne({username: username}, function (err, user) {
    if (err) return done(err);
    if (!user) return done(null, false);
    for (i in scope)
        if(user.scope.indexOf(scope[i]) < 0) return done(null, false);
    bcrypt.compare(password, user.password, function (err, res) {
        if (!res) return done(null, false);

        var token = utils.uid(256)
        var refreshToken = utils.uid(256)
        var tokenHash = crypto.createHash('sha1').update(token).digest('hex')
        var refreshTokenHash = crypto.createHash('sha1').update(refreshToken).digest('hex')

        var expirationDate = new Date(new Date().getTime() + (3600 * 1000))

        db.collection('oauth_access_tokens').save({token: tokenHash, expirationDate: expirationDate, clientId: client.clientId, userId: username, scope: scope}, function (err) {
            if (err) return done(err)
            db.collection('oauth_refresh_tokens').save({refreshToken: refreshTokenHash, clientId: client.clientId, userId: username}, function (err) {
                if (err) return done(err)
                done(null, token, refreshToken, {expires_in: expirationDate})
            })
        })
    })
}) }))

The passport bearer token checker:

passport.use("accessToken", new BearerStrategy(
{passReqToCallback: true},
function (req, accessToken, done) {
    console.dir(req.params);
    var accessTokenHash = crypto.createHash('sha1').update(accessToken).digest('hex')
    db.collection('oauth_access_tokens').findOne({token: accessTokenHash}, function (err, token) {
        if (err) return done(err);
        if (!token) return done(null, false);
        if (new Date() > token.expirationDate) {
            db.collection('oauth_access_tokens').remove({token: accessTokenHash}, function (err) { done(err) });
        } else {
            db.collection('oauth_users').findOne({username: token.userId}, function (err, user) {
                if (err) return done(err);
                if (!user) return done(null, false);
                // no use of scopes for no
                var info = { scope: '*' }
                done(null, user, info);
            })
        }
    })
}))

The API security:

router.get('/restricted', passport.authenticate('accessToken', { scope: "unauthorized", session: false }), function (req, res) {
res.send("Restricted Function");})

I can find no example of accessing the "scope" option passed in passport.authenticate to passport.use. I was thinking it was in the req object, but I can't find it in there. Any help?

Hey how did you end up using scope in this stack? I have the same problem but can't figure out how to utilize scopes. — Morteza Shahriari Nia, Jun 16 '15 at 18:42

score 1 · Answer 1 · answered Jul 26 '15 at 19:45

1

A bit late. But thought this might help. The info object that you pass as the third parameter can be used from the middleware as req.authInfo. If you have scope attached with the user object or if you have declared it at passport.authenticate initialize level, you can pass it through this parameter and make use of in the middleware. Please have a look at this link Usage of scopes

answered Jul 26 '15 at 19:45

nivasan89

144
1
13

You made my day! Thank you! – anhldbk May 12 '16 at 02:45

Protecting an API with Scopes (oauth2orize, passport, express, Nodejs)

1 Answers1