passportjs | Generating Sign-In and Sign-Out authentication strategies | Authentication library

You pass your done() function as an argument when you call passport.authenticate(). The time you call it, your strategy is called too and passes the function you defined as 3d argument.

Visual Flow

Take a look at passport documentation for the authenticate() method.

When using a custom callback, it becomes the application's responsibility to establish a session (by calling req.login()) and send a response.

So in your first scenario, you need to explictly establish a session - passport will not do it automatically for you.

Regarding your second scenario where no custom callback is used:

By default, if authentication fails, Passport will respond with a 401 Unauthorized status, and any additional route handlers will not be invoked.

As far as I understand, with this setup, flash messages set up as part of the Strategy verify callback are not being used - unless redirect options are specified, which you do not want here.

So you probably should go with the first scenario in order to be able to customize error responses with the Strategy verify callback flash messages. Just make sure you establish the session when login is successful.

http://www.passportjs.org/docs/authenticate/

Edit: I've just ran through a quick test, and it seems that alternatively you should be able to get away with just having the Strategy verify callback return errors with the error.message property set to whatever error message you want to send as a response - without the need for the custom callback and flash messages at all. Note though that in this case passport actually sets the response body to the error message as text.

So for instance instead of:

• When you send a status code that is not in the range 200, it is considered as an "exception" in the client code. For Axios specifically, the catch block is executed. In your code, it is

The issue is:

I was trying to access the profile without adding the Authorization in the header from the server itself. The Authorization contains the generated token.

With Postman I was able to do that with the UI as explained above. However, in the code, I needed to create a middleware before accessing the profile route.

These are perhaps the two primary features of OAuth 2.0 and Open ID Connect:

• Federated sign in to your UIs via multiple identity providers and the ability to easily add new options such as GitHub in a centralised manner

• Full control over claims included in access tokens, so that your APIs can authorize requests however you'd like

FOREIGN ACCESS TOKENS

You should aim to avoid ever using these in your apps. Your UIs and APIs should only use tokens issued by your own Authorization Server (Ory Hydra), which manages the connection to the Identity Provider. Adding a new sign in method will then just involve centralised configuration changes, with zero code changes in either UIs or APIs.

IF YOU DON'T HAVE AN AUTHORIZATION SERVER YET

Maybe have a look at the Curity Identity Server and its free community edition - use sign in with GitHub, which has strong support for both of these areas:

• Many Authenticators
• Many Options for Issuing Claims

EXTERNAL RESOURCES

One exception to the above is that your APIs may occasionally need to access a user's Google resources after login, by calling Google APIs. This would require the token issued by Google. It can be managed via an embedded token approach - though it doesn't sounds like you need that right now.

To extend the User type used by Passport, you would merge your declarations into global.Express.User:

There are a few options to achieve your goal:

• Basic auth

The simplest solution to secure your services would be Basic Auth, which basically tells your user's browser to ask for a username and password which is then sent to the server.

https://caddyserver.com/docs/caddyfile/directives/basicauth

Even though it is very quick to set up, you lose benefits such as fine-grined access control and your users' ability to change their username/password.

• OAuth

OAuth allows your users to sign in with their own account, for example from Google or Facebook. Take a look at this complete Caddy Auth System: https://github.com/greenpau/caddy-auth-portal

• JWT - Build your own

Finally, if you want to use this challenge as a learning opportunity, you can take a look at JWT based authentication. Take a look at this module: https://github.com/greenpau/caddy-auth-jwt

This would enable you to issue JWT tokens in your node.js application which are then verified by Caddy.

Obviously, all of these solutions do require some research and skill and I would rate their difficulty to implement in ascending order, with your plan of building your own Auth system being the most difficult.

Try flipping the order of the last two calls to app.use. Express will call those functions in order as defined.

I'm assuming your routes defined in ./routes don't call next(), so there's no way for the next set of middlewares (in this case passport.setAuthenticatedUser) to run. So make sure that this call to the Passport function happens before your route handler, or more generally, before any function that won't call next().

This most likely means your POST /login route never gets the request. Look at the network requests and see if there is indeed a POST /login to the URL, make sure the protocol is the same too (http and https)