connect-ensure-login icon indicating copy to clipboard operation
connect-ensure-login copied to clipboard

Published 20 hours ago verified publisher icon jaredhanson

401 status code instead of redirect when securing API

Open polkhovsky opened this issue 11 years ago • 9 comments

I added an option to send 401 (Unauthorized) instead of redirecting to '/login' by default. This should be useful for securing APIs when accessed by client-side script.

polkhovsky avatar May 16 '13 22:05 polkhovsky

What's the benefit of this option over just authenticating your API calls?

Instead of:

app.get('/api/profile',
  ensureLoggedIn({sendHTTPCode:true}),
  function(req, res){ ... });

do this:

app.get('/api/profile',
  passport.authenticate('bearer'),
  function(req, res){ ... });

Passport will return a 401 if the request is not authenticated. connect-ensure-login is intended for browser-based sessions, where you need to redirect in order to establish the session, before pages can be accessed. APIs shouldn't need to follow that pattern, but maybe I'm overlooking something.

jaredhanson avatar May 17 '13 16:05 jaredhanson

I am indeed using browser-based sessions for my application with passport-local strategy. Once user is logged in, they have access to a dashboard application implemented using Backbone, which makes calls to server-side APIs. The proposed option allows me to make sure these calls are coming from authenticated user.

On May 17, 2013, at 12:22 PM, Jared Hanson [email protected] wrote:

What's the benefit of this option over just authenticating your API calls?

Instead of:

app.get('/api/profile', ensureLoggedIn({sendHTTPCode:true}), function(req, res){ ... }); do this:

app.get('/api/profile', passport.authenticate('bearer'), function(req, res){ ... }); Passport will return a 401 if the request is not authenticated. connect-ensure-login is intended for browser-based sessions, where you need to redirect in order to establish the session, before pages can be accessed. APIs shouldn't need to follow that pattern, but maybe I'm overlooking something.

— Reply to this email directly or view it on GitHub.

polkhovsky avatar May 17 '13 16:05 polkhovsky

What are the server-side APIs using for authentication credentials? The session cookie?

jaredhanson avatar May 17 '13 16:05 jaredhanson

Yes. I am using passport.session() middleware.

On May 17, 2013, at 12:59 PM, Jared Hanson [email protected] wrote:

What are the server-side APIs using for authentication credentials? The session cookie?

— Reply to this email directly or view it on GitHub.

polkhovsky avatar May 17 '13 17:05 polkhovsky

I second that request. I am using client password to auth the express client side app against my own REST API, and i do share via express+redis the sessions between client app and API. API has access to "see" the authenticated user (which auth'ed on client app). I need to ensure that the API checks that way for the user while the actual API call is authenticated via client password. Having a full blown bearer implementation is cumbersome and unnecessary authorization dialogs and so on nightmares since this is about "same side of the firewall" apps.

bibanul avatar Jul 03 '13 18:07 bibanul

I would also like to see this integrated.

damir-opacak avatar Sep 05 '13 17:09 damir-opacak

Any news on this feature?

NathanRSmith avatar Aug 07 '14 15:08 NathanRSmith

Temp solution:

Create a route;

router.get('/401', (req, res) => {
    res.sendStatus(401);
});

Redirect if unauthorized:

router.post('/submit/', connectEnsureLogin.ensureLoggedIn('/401'), asyncWrapper(paletteCtrl.submit));

ahmetsulek avatar Nov 10 '17 14:11 ahmetsulek

I recommend closing this issue as rejected. As @jaredhanson said, this is module primarily makes sense for browser-based sessions. If you are making API calls to the backend, the frontend can notice that the backend returned a 401 and handle displaying a login page without needing to store a "returnTo" value in the session.

markstos avatar Jun 12 '18 19:06 markstos