469 lines
13 KiB
JavaScript
469 lines
13 KiB
JavaScript
/**
|
|
* Module dependencies.
|
|
*/
|
|
var SessionStrategy = require('./strategies/session')
|
|
, SessionManager = require('./sessionmanager');
|
|
|
|
|
|
/**
|
|
* `Authenticator` constructor.
|
|
*
|
|
* @api public
|
|
*/
|
|
function Authenticator() {
|
|
this._key = 'passport';
|
|
this._strategies = {};
|
|
this._serializers = [];
|
|
this._deserializers = [];
|
|
this._infoTransformers = [];
|
|
this._framework = null;
|
|
|
|
this.init();
|
|
}
|
|
|
|
/**
|
|
* Initialize authenticator.
|
|
*
|
|
* @api protected
|
|
*/
|
|
Authenticator.prototype.init = function() {
|
|
this.framework(require('./framework/connect')());
|
|
this.use(new SessionStrategy({ key: this._key }, this.deserializeUser.bind(this)));
|
|
this._sm = new SessionManager({ key: this._key }, this.serializeUser.bind(this));
|
|
};
|
|
|
|
/**
|
|
* Utilize the given `strategy` with optional `name`, overridding the strategy's
|
|
* default name.
|
|
*
|
|
* Examples:
|
|
*
|
|
* passport.use(new TwitterStrategy(...));
|
|
*
|
|
* passport.use('api', new http.BasicStrategy(...));
|
|
*
|
|
* @param {String|Strategy} name
|
|
* @param {Strategy} strategy
|
|
* @return {Authenticator} for chaining
|
|
* @api public
|
|
*/
|
|
Authenticator.prototype.use = function(name, strategy) {
|
|
if (!strategy) {
|
|
strategy = name;
|
|
name = strategy.name;
|
|
}
|
|
if (!name) { throw new Error('Authentication strategies must have a name'); }
|
|
|
|
this._strategies[name] = strategy;
|
|
return this;
|
|
};
|
|
|
|
/**
|
|
* Un-utilize the `strategy` with given `name`.
|
|
*
|
|
* In typical applications, the necessary authentication strategies are static,
|
|
* configured once and always available. As such, there is often no need to
|
|
* invoke this function.
|
|
*
|
|
* However, in certain situations, applications may need dynamically configure
|
|
* and de-configure authentication strategies. The `use()`/`unuse()`
|
|
* combination satisfies these scenarios.
|
|
*
|
|
* Examples:
|
|
*
|
|
* passport.unuse('legacy-api');
|
|
*
|
|
* @param {String} name
|
|
* @return {Authenticator} for chaining
|
|
* @api public
|
|
*/
|
|
Authenticator.prototype.unuse = function(name) {
|
|
delete this._strategies[name];
|
|
return this;
|
|
};
|
|
|
|
/**
|
|
* Setup Passport to be used under framework.
|
|
*
|
|
* By default, Passport exposes middleware that operate using Connect-style
|
|
* middleware using a `fn(req, res, next)` signature. Other popular frameworks
|
|
* have different expectations, and this function allows Passport to be adapted
|
|
* to operate within such environments.
|
|
*
|
|
* If you are using a Connect-compatible framework, including Express, there is
|
|
* no need to invoke this function.
|
|
*
|
|
* Examples:
|
|
*
|
|
* passport.framework(require('hapi-passport')());
|
|
*
|
|
* @param {Object} name
|
|
* @return {Authenticator} for chaining
|
|
* @api public
|
|
*/
|
|
Authenticator.prototype.framework = function(fw) {
|
|
this._framework = fw;
|
|
return this;
|
|
};
|
|
|
|
/**
|
|
* Passport's primary initialization middleware.
|
|
*
|
|
* This middleware must be in use by the Connect/Express application for
|
|
* Passport to operate.
|
|
*
|
|
* Options:
|
|
* - `userProperty` Property to set on `req` upon login, defaults to _user_
|
|
*
|
|
* Examples:
|
|
*
|
|
* app.use(passport.initialize());
|
|
*
|
|
* app.use(passport.initialize({ userProperty: 'currentUser' }));
|
|
*
|
|
* @param {Object} options
|
|
* @return {Function} middleware
|
|
* @api public
|
|
*/
|
|
Authenticator.prototype.initialize = function(options) {
|
|
options = options || {};
|
|
return this._framework.initialize(this, options);
|
|
};
|
|
|
|
/**
|
|
* Middleware that will authenticate a request using the given `strategy` name,
|
|
* with optional `options` and `callback`.
|
|
*
|
|
* Examples:
|
|
*
|
|
* passport.authenticate('local', { successRedirect: '/', failureRedirect: '/login' })(req, res);
|
|
*
|
|
* passport.authenticate('local', function(err, user) {
|
|
* if (!user) { return res.redirect('/login'); }
|
|
* res.end('Authenticated!');
|
|
* })(req, res);
|
|
*
|
|
* passport.authenticate('basic', { session: false })(req, res);
|
|
*
|
|
* app.get('/auth/twitter', passport.authenticate('twitter'), function(req, res) {
|
|
* // request will be redirected to Twitter
|
|
* });
|
|
* app.get('/auth/twitter/callback', passport.authenticate('twitter'), function(req, res) {
|
|
* res.json(req.user);
|
|
* });
|
|
*
|
|
* @param {String} strategy
|
|
* @param {Object} options
|
|
* @param {Function} callback
|
|
* @return {Function} middleware
|
|
* @api public
|
|
*/
|
|
Authenticator.prototype.authenticate = function(strategy, options, callback) {
|
|
return this._framework.authenticate(this, strategy, options, callback);
|
|
};
|
|
|
|
/**
|
|
* Middleware that will authorize a third-party account using the given
|
|
* `strategy` name, with optional `options`.
|
|
*
|
|
* If authorization is successful, the result provided by the strategy's verify
|
|
* callback will be assigned to `req.account`. The existing login session and
|
|
* `req.user` will be unaffected.
|
|
*
|
|
* This function is particularly useful when connecting third-party accounts
|
|
* to the local account of a user that is currently authenticated.
|
|
*
|
|
* Examples:
|
|
*
|
|
* passport.authorize('twitter-authz', { failureRedirect: '/account' });
|
|
*
|
|
* @param {String} strategy
|
|
* @param {Object} options
|
|
* @return {Function} middleware
|
|
* @api public
|
|
*/
|
|
Authenticator.prototype.authorize = function(strategy, options, callback) {
|
|
options = options || {};
|
|
options.assignProperty = 'account';
|
|
|
|
var fn = this._framework.authorize || this._framework.authenticate;
|
|
return fn(this, strategy, options, callback);
|
|
};
|
|
|
|
/**
|
|
* Middleware that will restore login state from a session.
|
|
*
|
|
* Web applications typically use sessions to maintain login state between
|
|
* requests. For example, a user will authenticate by entering credentials into
|
|
* a form which is submitted to the server. If the credentials are valid, a
|
|
* login session is established by setting a cookie containing a session
|
|
* identifier in the user's web browser. The web browser will send this cookie
|
|
* in subsequent requests to the server, allowing a session to be maintained.
|
|
*
|
|
* If sessions are being utilized, and a login session has been established,
|
|
* this middleware will populate `req.user` with the current user.
|
|
*
|
|
* Note that sessions are not strictly required for Passport to operate.
|
|
* However, as a general rule, most web applications will make use of sessions.
|
|
* An exception to this rule would be an API server, which expects each HTTP
|
|
* request to provide credentials in an Authorization header.
|
|
*
|
|
* Examples:
|
|
*
|
|
* app.use(connect.cookieParser());
|
|
* app.use(connect.session({ secret: 'keyboard cat' }));
|
|
* app.use(passport.initialize());
|
|
* app.use(passport.session());
|
|
*
|
|
* Options:
|
|
* - `pauseStream` Pause the request stream before deserializing the user
|
|
* object from the session. Defaults to _false_. Should
|
|
* be set to true in cases where middleware consuming the
|
|
* request body is configured after passport and the
|
|
* deserializeUser method is asynchronous.
|
|
*
|
|
* @param {Object} options
|
|
* @return {Function} middleware
|
|
* @api public
|
|
*/
|
|
Authenticator.prototype.session = function(options) {
|
|
return this.authenticate('session', options);
|
|
};
|
|
|
|
// TODO: Make session manager pluggable
|
|
/*
|
|
Authenticator.prototype.sessionManager = function(mgr) {
|
|
this._sm = mgr;
|
|
return this;
|
|
}
|
|
*/
|
|
|
|
/**
|
|
* Registers a function used to serialize user objects into the session.
|
|
*
|
|
* Examples:
|
|
*
|
|
* passport.serializeUser(function(user, done) {
|
|
* done(null, user.id);
|
|
* });
|
|
*
|
|
* @api public
|
|
*/
|
|
Authenticator.prototype.serializeUser = function(fn, req, done) {
|
|
if (typeof fn === 'function') {
|
|
return this._serializers.push(fn);
|
|
}
|
|
|
|
// private implementation that traverses the chain of serializers, attempting
|
|
// to serialize a user
|
|
var user = fn;
|
|
|
|
// For backwards compatibility
|
|
if (typeof req === 'function') {
|
|
done = req;
|
|
req = undefined;
|
|
}
|
|
|
|
var stack = this._serializers;
|
|
(function pass(i, err, obj) {
|
|
// serializers use 'pass' as an error to skip processing
|
|
if ('pass' === err) {
|
|
err = undefined;
|
|
}
|
|
// an error or serialized object was obtained, done
|
|
if (err || obj || obj === 0) { return done(err, obj); }
|
|
|
|
var layer = stack[i];
|
|
if (!layer) {
|
|
return done(new Error('Failed to serialize user into session'));
|
|
}
|
|
|
|
|
|
function serialized(e, o) {
|
|
pass(i + 1, e, o);
|
|
}
|
|
|
|
try {
|
|
var arity = layer.length;
|
|
if (arity == 3) {
|
|
layer(req, user, serialized);
|
|
} else {
|
|
layer(user, serialized);
|
|
}
|
|
} catch(e) {
|
|
return done(e);
|
|
}
|
|
})(0);
|
|
};
|
|
|
|
/**
|
|
* Registers a function used to deserialize user objects out of the session.
|
|
*
|
|
* Examples:
|
|
*
|
|
* passport.deserializeUser(function(id, done) {
|
|
* User.findById(id, function (err, user) {
|
|
* done(err, user);
|
|
* });
|
|
* });
|
|
*
|
|
* @api public
|
|
*/
|
|
Authenticator.prototype.deserializeUser = function(fn, req, done) {
|
|
if (typeof fn === 'function') {
|
|
return this._deserializers.push(fn);
|
|
}
|
|
|
|
// private implementation that traverses the chain of deserializers,
|
|
// attempting to deserialize a user
|
|
var obj = fn;
|
|
|
|
// For backwards compatibility
|
|
if (typeof req === 'function') {
|
|
done = req;
|
|
req = undefined;
|
|
}
|
|
|
|
var stack = this._deserializers;
|
|
(function pass(i, err, user) {
|
|
// deserializers use 'pass' as an error to skip processing
|
|
if ('pass' === err) {
|
|
err = undefined;
|
|
}
|
|
// an error or deserialized user was obtained, done
|
|
if (err || user) { return done(err, user); }
|
|
// a valid user existed when establishing the session, but that user has
|
|
// since been removed
|
|
if (user === null || user === false) { return done(null, false); }
|
|
|
|
var layer = stack[i];
|
|
if (!layer) {
|
|
return done(new Error('Failed to deserialize user out of session'));
|
|
}
|
|
|
|
|
|
function deserialized(e, u) {
|
|
pass(i + 1, e, u);
|
|
}
|
|
|
|
try {
|
|
var arity = layer.length;
|
|
if (arity == 3) {
|
|
layer(req, obj, deserialized);
|
|
} else {
|
|
layer(obj, deserialized);
|
|
}
|
|
} catch(e) {
|
|
return done(e);
|
|
}
|
|
})(0);
|
|
};
|
|
|
|
/**
|
|
* Registers a function used to transform auth info.
|
|
*
|
|
* In some circumstances authorization details are contained in authentication
|
|
* credentials or loaded as part of verification.
|
|
*
|
|
* For example, when using bearer tokens for API authentication, the tokens may
|
|
* encode (either directly or indirectly in a database), details such as scope
|
|
* of access or the client to which the token was issued.
|
|
*
|
|
* Such authorization details should be enforced separately from authentication.
|
|
* Because Passport deals only with the latter, this is the responsiblity of
|
|
* middleware or routes further along the chain. However, it is not optimal to
|
|
* decode the same data or execute the same database query later. To avoid
|
|
* this, Passport accepts optional `info` along with the authenticated `user`
|
|
* in a strategy's `success()` action. This info is set at `req.authInfo`,
|
|
* where said later middlware or routes can access it.
|
|
*
|
|
* Optionally, applications can register transforms to proccess this info,
|
|
* which take effect prior to `req.authInfo` being set. This is useful, for
|
|
* example, when the info contains a client ID. The transform can load the
|
|
* client from the database and include the instance in the transformed info,
|
|
* allowing the full set of client properties to be convieniently accessed.
|
|
*
|
|
* If no transforms are registered, `info` supplied by the strategy will be left
|
|
* unmodified.
|
|
*
|
|
* Examples:
|
|
*
|
|
* passport.transformAuthInfo(function(info, done) {
|
|
* Client.findById(info.clientID, function (err, client) {
|
|
* info.client = client;
|
|
* done(err, info);
|
|
* });
|
|
* });
|
|
*
|
|
* @api public
|
|
*/
|
|
Authenticator.prototype.transformAuthInfo = function(fn, req, done) {
|
|
if (typeof fn === 'function') {
|
|
return this._infoTransformers.push(fn);
|
|
}
|
|
|
|
// private implementation that traverses the chain of transformers,
|
|
// attempting to transform auth info
|
|
var info = fn;
|
|
|
|
// For backwards compatibility
|
|
if (typeof req === 'function') {
|
|
done = req;
|
|
req = undefined;
|
|
}
|
|
|
|
var stack = this._infoTransformers;
|
|
(function pass(i, err, tinfo) {
|
|
// transformers use 'pass' as an error to skip processing
|
|
if ('pass' === err) {
|
|
err = undefined;
|
|
}
|
|
// an error or transformed info was obtained, done
|
|
if (err || tinfo) { return done(err, tinfo); }
|
|
|
|
var layer = stack[i];
|
|
if (!layer) {
|
|
// if no transformers are registered (or they all pass), the default
|
|
// behavior is to use the un-transformed info as-is
|
|
return done(null, info);
|
|
}
|
|
|
|
|
|
function transformed(e, t) {
|
|
pass(i + 1, e, t);
|
|
}
|
|
|
|
try {
|
|
var arity = layer.length;
|
|
if (arity == 1) {
|
|
// sync
|
|
var t = layer(info);
|
|
transformed(null, t);
|
|
} else if (arity == 3) {
|
|
layer(req, info, transformed);
|
|
} else {
|
|
layer(info, transformed);
|
|
}
|
|
} catch(e) {
|
|
return done(e);
|
|
}
|
|
})(0);
|
|
};
|
|
|
|
/**
|
|
* Return strategy with given `name`.
|
|
*
|
|
* @param {String} name
|
|
* @return {Strategy}
|
|
* @api private
|
|
*/
|
|
Authenticator.prototype._strategy = function(name) {
|
|
return this._strategies[name];
|
|
};
|
|
|
|
|
|
/**
|
|
* Expose `Authenticator`.
|
|
*/
|
|
module.exports = Authenticator;
|