I'm using the passport-local strategy for a simple API that needs authentication. I register a middleware before all my routes that controls access to the application:
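/**
 * Express middleware that gates every route behind a Passport session.
 *
 * Order of checks:
 *   1. `/signup` and `/login` are always reachable (otherwise nobody could log in).
 *   2. An authenticated session (`req.isAuthenticated()`, provided by Passport) passes.
 *   3. A client that accepts HTML (browsers, and anything sending `*\/*`) is
 *      redirected to the login page.
 *   4. Every other client gets a 401 with a JSON body.
 *
 * The original version only answered the 401 when the client accepted
 * `application/json` and fell off the end for any other Accept header,
 * leaving that request hanging with no response; the 401 is now the
 * fallthrough so every unauthenticated request is answered.
 *
 * @param {import('express').Request} req - incoming request (Passport-augmented)
 * @param {import('express').Response} res - response used to redirect or send 401
 * @param {Function} next - continues to the next handler when access is allowed
 * @returns {*} whatever `next()`, `res.redirect()` or `res.send()` return
 */
var verifyAuth = function(req, res, next) {
  // Compare the path only: `req.originalUrl` includes the query string, so a
  // request such as `/login?next=/account` would not be recognised as the
  // login route and would be bounced (or loop back) to `/login`.
  var path = req.path;
  if (path === '/signup' || path === '/login') {
    return next();
  }

  if (req.isAuthenticated()) {
    return next();
  }

  // Interactive clients get sent to the login form. Note that `req.accepts`
  // also matches a wildcard Accept, so non-browser clients that send `*/*`
  // end up here rather than in the 401 branch below.
  if (req.accepts('text/html')) {
    return res.redirect('/login');
  }

  // Programmatic clients: RFC 7235 requires a 401 to carry a WWW-Authenticate
  // challenge. '???' is still a placeholder for the scheme the app decides on;
  // a session/cookie login has no standard challenge scheme.
  res.set('WWW-Authenticate', '???');
  return res.status(401).send({err: 'User should be logged'});
};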
// Mounted at the root with no path, so it runs for every request before the
// route handlers registered after it. Because it is unmounted, `req.path` and
// `req.originalUrl` refer to the full request path here.
app.use(verifyAuth);
- If the user is signing up or logging in, I allow access to those routes
- If the user is logged in, I allow access
- If the user is not logged in and is using a browser (for example), I redirect to /login
- If the user is not logged in and is on some other client that sends an Accept header of 'application/json', the application returns a 401
I've read that when returning a 401 it is advisable to send a WWW-Authenticate header with the response. The examples propose Basic Auth or OAuth as values. Which value should I use for a local strategy? I think it would also be useful to send a Location header with the URL of the login page?