
Consider excluding options from `authenticate` middleware

Open alexandradeas opened this issue 6 years ago • 2 comments

This issue has arisen mostly out of incorrect implementation anyway, but I thought I would bring it to attention.

It's possible to inadvertently require authentication on a call to OPTIONS with:

```javascript
app.use(passport.authenticate("jwt", { session: false }));
```

It's worth pointing out that nowhere in the documentation is the method used in this way.

This can easily be worked around by wrapping the middleware as

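```javascript
// Build the middleware once; passport.authenticate() only returns a handler.
const authenticateJwt = passport.authenticate("jwt", { session: false });

app.use((req, res, next) => {
  // Let OPTIONS requests through unauthenticated.
  if (req.method === "OPTIONS") {
    return next();
  }
  // Invoke the handler so every other request is actually authenticated.
  return authenticateJwt(req, res, next);
});
```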

I'm wondering if it's worth dropping this validation down into passport itself so that it will never require authentication on a call with the OPTIONS method, as request headers should not be included according to the standard: https://www.w3.org/TR/cors/#preflight-request

alexandradeas, Sep 04 '18 10:09
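An added example, not part of the original issue or of Passport's own code: a wrapper that lets only genuine CORS preflights (OPTIONS carrying `Origin` and `Access-Control-Request-Method`) bypass authentication, which is a narrower exemption than skipping every OPTIONS request. The names `stubJwtAuth`, `isCorsPreflight`, `exceptPreflight` and `run` are hypothetical, and the stub stands in for `passport.authenticate("jwt", { session: false })` so the block runs without Express or Passport installed.

```javascript
// Hypothetical stand-in for passport.authenticate("jwt", { session: false }),
// so the example runs offline. A real strategy verifies the token.
function stubJwtAuth(req, res, next) {
  const header = req.headers["authorization"] || "";
  if (!header.startsWith("Bearer ")) {
    res.statusCode = 401;
    return res.end("Unauthorized");
  }
  req.user = { id: "constructed-user" };
  next();
}

// A CORS preflight is an OPTIONS request carrying Origin and
// Access-Control-Request-Method; the browser sends it without credentials.
function isCorsPreflight(req) {
  return req.method === "OPTIONS" &&
    Boolean(req.headers["origin"]) &&
    Boolean(req.headers["access-control-request-method"]);
}

// Wrap an auth middleware so that only genuine preflights bypass it.
function exceptPreflight(authMiddleware) {
  return (req, res, next) =>
    isCorsPreflight(req) ? next() : authMiddleware(req, res, next);
}

// Minimal harness: run one middleware against a constructed request.
function run(middleware, method, headers) {
  const req = { method, headers };
  const res = { statusCode: 200, end() {} };
  let reachedHandler = false;
  middleware(req, res, () => { reachedHandler = true; });
  return { status: res.statusCode, reachedHandler };
}

const guarded = exceptPreflight(stubJwtAuth);
// Constructed sample headers for a preflight from a browser.
const preflight = { origin: "https://app.example", "access-control-request-method": "GET" };
console.log("bare auth, preflight:    ", run(stubJwtAuth, "OPTIONS", preflight));
console.log("wrapped, preflight:      ", run(guarded, "OPTIONS", preflight));
console.log("wrapped, GET no token:   ", run(guarded, "GET", {}));
console.log("wrapped, plain OPTIONS:  ", run(guarded, "OPTIONS", {}));
```

With the real Passport middleware the wrapper would be mounted as `app.use(exceptPreflight(passport.authenticate("jwt", { session: false })))`, placed after whatever middleware answers the preflight with CORS headers.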

Instead of `app.use()`, use `app.get()`/`app.post()`/... Makes more sense than to hard code this into passport.js

GlennMatthys, Oct 03 '18 07:10

Shouldn't this be mentioned in the documentation?

Ravichandra-C, Oct 11 '23 14:10