6

I would like to reproduce how plunker manages the anonymous accounts.

Plunker can recognise an anonymous user. For example, we can save a plunker as anonym and then freeze it. As a result,

  1. only the same user (before clearing browser history) has the full access to this plunker (eg, save a modification, unfreeze).

  2. if the same user opens it in another browser or other users open the same link, they can NOT save any modification; they have to fork it.

In my website, I use the local strategy of passport.js to manage named users. For example,

router.post('/login', function (req, res, next) {
    if (!req.body.username || !req.body.password)
        return res.status(400).json({ message: 'Please fill out all fields' });

    passport.authenticate('local', function (err, user, info) {
        if (err) return next(err);
        if (user) res.json({ token: user.generateJWT() });
        else return res.status(401).json(info);
    })(req, res, next);
});

And I use a localStorage to store the token. For example,

auth.logIn = function (user) {
    return $http.post('/login', user).success(function (token) {
        $window.localStorage['account-token'] = token;
    })
};

auth.logOut = function () {
    $window.localStorage.removeItem('account-token');
};

Does anyone know if passport.js has any strategy or existing tools to manage the anonymous account like what plunker does? Otherwise, is there a conventional way to achieve this?

SoftTimur
  • 5,630
  • 38
  • 140
  • 292
  • I find project github for strategy anonymous user for passport so can help : https://github.com/jaredhanson/passport-anonymous – Snoozer Apr 26 '17 at 15:13

2 Answers2

4

Passport allows anonymous auth. There is a passport anonymous strategy for the same:

app.get('/',
  // Authenticate using HTTP Basic credentials, with session support disabled,
  // and allow anonymous requests.
  passport.authenticate(['basic', 'anonymous'], { session: false }),
  function(req, res){
    if (req.user) {
      res.json({ username: req.user.username, email: req.user.email });
    } else {
      res.json({ anonymous: true });
    }
  });

This uses your basic strategy in place, you can substitute that with a local strategy if you're using local authentication. It falls back to an anonymous strategy in case nothing is supplied, as can be seen here:

passport.use(new BasicStrategy({
  },
  function(username, password, done) {
    // asynchronous verification, for effect...
    process.nextTick(function () {

      // Find the user by username.  If there is no user with the given
      // username, or the password is not correct, set the user to `false` to
      // indicate failure.  Otherwise, return the authenticated `user`.
      findByUsername(username, function(err, user) {
        if (err) { return done(err); }
        if (!user) { return done(null, false); }
        if (user.password != password) { return done(null, false); }
        return done(null, user);
      })
    });
  }
));

// Use the BasicStrategy within Passport.
//   This is used as a fallback in requests that prefer authentication, but
//   support unauthenticated clients.
passport.use(new AnonymousStrategy());

The full example may be found here:- https://github.com/jaredhanson/passport-anonymous/blob/master/examples/basic/app.js

bitanath
  • 375
  • 2
  • 4
0

Remember cookies with a longer expiration date is how anonymous user is identified. This goes the same way as any server side technology trying to authenticate user by username and password and then just sets a cookie for the http request.

UndoNone
  • 21
  • 4