generator-sails-rest-api

Can I use Header - Authorization for authorization token?

Open savager opened this issue 8 years ago • 10 comments

I'm not sure how passport is handling it, but I can only get it working passing auth_token as a parameter at the moment. If this isn't supported that's fine just let me know.

savager, Mar 05 '16 02:03

@savager you can, Authorization: Bearer <token>

ghaiklor, Mar 05 '16 09:03

That's what I thought, but I still get "no auth token". Don't worry, I'll figure it out. Thanks!

savager, Mar 05 '16 18:03

@savager strange, if you find something useful, let me know, please.

ghaiklor, Mar 05 '16 21:03

@savager did you figure out how to fix the problem?

ghaiklor, Mar 23 '16 06:03

If I remember correctly, I changed the config/passport.js JWT extract to use fromAuthHeader() instead of fromAuthHeaderWithScheme(authScheme).

This way worked as Authorization JWT :token:

savager, Mar 23 '16 07:03

In config/passport.js, in the JWT_STRATEGY_CONFIG const, I updated the jwtFromRequest property to this:

jwtFromRequest: ExtractJwt.versionOneCompatibility({authScheme: 'Bearer', tokenBodyField: 'api_key'}),

This way you can still use the api_key GET param.

tlays11, Jun 22 '16 12:06

@tlays11 can you create a PR with that change? Does it break the access_token field?

ghaiklor, Jun 23 '16 05:06

I'd suggest adding a prompt for body token or header token, and if header use the ExtractJwt.fromAuthHeader() method...

For me, changing to fromAuthHeader() didn't work; I had to do as @tlays11 suggested and do the following.

In config/passport.js, change

const JWT_STRATEGY_CONFIG = {
  secretOrKey: 'c4a071df2a2ef9d0dcce2e38d39d67cee6bba0ddcbe69f21cb2e20ea3d9cd9ef',
  jwtFromRequest: ExtractJwt.versionOneCompatibility({authScheme: 'Bearer', tokenBodyField: 'access_token'}),
  tokenQueryParameterName: 'access_token',
  session: false,
  passReqToCallback: true
};

to

const JWT_STRATEGY_CONFIG = {
  secretOrKey: '2546dd38b356dafb9ea2f6ed75586f883f3c3f1a55f1edc630b3d7eb3689d54e',
  jwtFromRequest: ExtractJwt.versionOneCompatibility({
    authScheme: 'Bearer',
    tokenBodyField: 'access_token'
  }),
  tokenQueryParameterName: 'access_token',
  authScheme: 'Bearer',
  session: false,
  passReqToCallback: true
};

Doing so, I'm now able to add an Authorization Bearer <token> header and it works. Not sure if this is the right way or not.

Edit: I'm forking and trying to submit a PR which prompts the user for header or body tokens, and it looks like the latest version includes the authScheme already. Not sure if a PR is necessary?

mikedevita, Oct 20 '16 19:10
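
Added example (not code from this thread or from passport-jwt): a stand-alone sketch of the extraction order discussed above, trying the Authorization header with an expected scheme first, then the access_token body field and query parameter. All function names are hypothetical and the sample requests and tokens are constructed; it shows how a scheme mismatch between client and server leaves the extractor with no token.

```javascript
// Added example: NOT passport-jwt's source. All function names are hypothetical.
// Parse "Authorization: <scheme> <token>"; return null unless the scheme matches.
function fromHeaderWithScheme(expectedScheme) {
  return (req) => {
    const value = req.headers && req.headers.authorization; // Node lower-cases header names
    if (typeof value !== 'string') return null;
    const match = /^(\S+)\s+(\S+)$/.exec(value.trim());
    if (!match) return null;
    // Auth scheme names are case-insensitive (RFC 7235).
    return match[1].toLowerCase() === expectedScheme.toLowerCase() ? match[2] : null;
  };
}

const fromBodyField = (name) => (req) =>
  (req.body && typeof req.body[name] === 'string' ? req.body[name] : null);

const fromQueryParam = (name) => (req) =>
  (req.query && typeof req.query[name] === 'string' ? req.query[name] : null);

// Try each extractor in order; the first non-empty token wins.
function firstOf(extractors) {
  return (req) => {
    for (const extract of extractors) {
      const token = extract(req);
      if (token) return token;
    }
    return null;
  };
}

// Header first, then the access_token body field / query parameter from the thread.
const extractToken = firstOf([
  fromHeaderWithScheme('Bearer'),
  fromBodyField('access_token'),
  fromQueryParam('access_token'),
]);

// Constructed sample requests (tokens are placeholders, not real JWTs).
const samples = {
  bearerHeader: { headers: { authorization: 'Bearer aaa.bbb.ccc' } },
  jwtHeader: { headers: { authorization: 'JWT aaa.bbb.ccc' } }, // scheme mismatch
  queryOnly: { headers: {}, query: { access_token: 'ddd.eee.fff' } },
  bodyOnly: { headers: {}, body: { access_token: 'ggg.hhh.iii' } },
  headerAndQuery: { headers: { authorization: 'Bearer aaa.bbb.ccc' }, query: { access_token: 'ddd.eee.fff' } },
};

for (const [name, req] of Object.entries(samples)) {
  console.log(name, '->', extractToken(req));
}
```

Tokens sent as query parameters tend to be recorded in access logs and browser history, which is a reason to prefer the header when both are accepted.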

@mikedevita great, yeah, looks good. You can create a PR for this. I'm not sure if we need to ask a user for this, imho, it should work for both cases without prompting the user.

ghaiklor, Oct 21 '16 08:10

@ghaiklor yeah, I don't think it's required if the current version supports both. 👍

mikedevita, Oct 21 '16 13:10