How to handle multiple auth strategies on a sails.js SPA?

I'm building a single page app built on Angular for the front-end and sailsjs for the backend. Right now I'm using sails-auth (which uses passportjs internally) to bind my authentication logic to my user model.

I have multiple passport providers installed and available on my frontend, such as passport-github and passport-facebook, but also a classic passport-local so that the user can also signup and login with just his username & password.

I would like my clients (The single page app, and maybe others in the future) to use a token after the auth instead of cookies/sessions so that it's easier to scale and cross-domain requests will also be easier. It will also make mobile integration much easier.

I know I have to use callbacks for OAuth providers, here is the flow that I'm aiming for:

[image: flow diagram not reproduced]

I know that I can replace sails-auth's sessionAuth policy by a tokenAuth policy that can read the token from the headers and query a Tokens model for example, but then my questions are:

  • When using username/password for login, the request can be made with a simple AJAX call so it is easy to pass the token back to the SPA. When using providers like github, etc., when the callback is called, should I just embed the token dynamically into the HTML that I'm serving?
  • sails-auth's policies/passport.js shows that by default it relies on built-in sessions to persist login / to serialize & deserialize the userID. How do I decouple it from sails' built-in sessions so that it generates a token for the user and serves back my index with the token embedded?

Thank you in advance!

Tristan Foureur
    The [Waterlock](http://waterlock.ninja/) plugin seems to handle both **OAUTH providers auth** and **jwt**, but it seems that as I'm digging into it I'm just not able to get what the flow is (the doc is lacking valuable information), and even whether it's able to work with a decoupled SPA (not served by sails itself). I so damn need the answer to your question. – Cyril CHAPON May 07 '15 at 08:22
  • Hi, did you find an answer to this yet? – Saurabh Gour Jun 11 '18 at 16:57

2 Answers


On the auth route, you could go for passport.js-based authentication in the backend (without session), use the token for tokenAuth and forward the token to the user.

Then for secure routes, you could place a verifyToken call in your policy (to intercept each route).

Disclaimer: I haven't tried this myself.

r0hitsharma

I've been using these steps for a while now.

Step 1 (Globals): $ npm install -g sails

Step 2 (App): $ sails new myApp

Step 3 (Files): Copy every file in https://github.com/carlospliego/sails-token-auth-setup to its corresponding folder

Step 3A: To have another authentication strategy, just add another file in the app/policies/ directory

Here is an example of what that might look like

    module.exports = function hasValidProductApiToken(req, res, next) {
      // Placeholder check (assumption): replace with the real validation this
      // strategy needs, e.g. looking the token up in a Tokens model.
      var someCondition = typeof req.headers['x-product-api-token'] === 'string';
      if (someCondition) {
        return next(); // Call next to continue
      }
      // Without this branch an unauthorized request would hang instead of failing.
      return res.forbidden();
    };

Step 4 ( Policies ): Add this code to your config/policies.js

 '*': "hasToken",
 UserController: {
    "create": true
 },
 AuthController: {
    '*': true
 }

Step 5 (Secret): Change the value of config/tokenSecret.js

Step 6 (Dependencies):

  • npm install --save passport
  • npm install --save passport-local
  • npm install --save bcrypt-nodejs
  • npm install --save jsonwebtoken
  • npm install --save express-jwt

Your endpoints will look like this:

  • POST/GET/PUT/DELETE user/
  • POST auth/login
  • DELETE auth/logout

Here is a great guide on how to create token based authentication in sails: https://github.com/carlospliego/sails-token-auth-setup

Carlos Pliego