
Decoupling from sails.session, aiming to use JWT

Open Esya opened this issue 10 years ago • 8 comments

Hi, and thanks for creating such a cool package!

I'm wondering how I can decouple my use of sails-auth from sails' session component, and maybe later have it work with no sessions at all. My goal in the end is to use tokens for both my frontend which is a single page app and later maybe external apps that rely on the API only.

I summed up my needs on this stackoverflow question but thought it'd be relevant to have it tagged as a question here.

Ideally I want to, no matter how the user authenticates (OAuth or local), generate a token. I guess for OAuth I would have to serve the index again, and embed the token directly in the page's JS, and for local to return the token via AJAX. But how/at what point do I create this token? And should I manually create a passport-http-bearer token or should I have my own layer of token?

I've been thinking and trying a lot of solutions in the past 2 days, with sessions and cookies it works fine but tokens have a lot of advantages and I'd like to go this way. Could you recommend the high-level auth flow that I should go for?

Esya, Apr 20 '15 17:04

@Esya thanks for the feedback! I've seen interest in this; see also https://github.com/tjwebb/sails-auth/issues/9. I just haven't had the time in the past few weeks to implement this ability, but it's definitely something I'd like sails-auth to support. Are you able/interested in collaborating on this?

tjwebb, Apr 20 '15 18:04

@Esya have you looked at Waterlock? https://github.com/waterlock/waterlock

tjwebb, Apr 26 '15 15:04

It's great that Waterlock exists; however, I'm trying to use https://github.com/tjwebb/sails-permissions which directly depends on sails-auth. Basically I just want to touch base on this question and check if there was any progress on this feature (implementing JWT into sails-auth)?

igorteton, Oct 10 '15 21:10

+1

LeonardoGentile, Nov 17 '15 16:11

[image: sails_passport_auth]

This pic shows a small recap of how things are supposed to go. As I see it the problem comes from the two steps:

  • connect
  • login

During the connect phase we assess the currently logged in user by checking request.user. As I understood, this is populated by request.login(), a method exposed by passport. This method is called automatically on authenticate (so before connect). Then after connect we run the callback passed to passport.callback. This in fact is the part of the code responsible for establishing a session (request.login()) and performing a redirect to the client upon success.

Since we don't want to use sessions, the only thing that I can think of is to somehow pass the JWT token (if present) from the client to the provider when the OAuth flow starts. Then the provider, in its back and forth with sails, should carry this parameter in the callback URL so that sails can grab it, verify it and in that case retrieve and expose the authorized user that can then be used in connect.

I'm quite sure passing the JWT to the provider is not a good idea, so maybe we could use a temporary token just for this, but I have no idea how to append or modify parameters passed to the provider, and even though I did, I don't know if the provider will give us back those parameters.

What do you think? A better idea?

LeonardoGentile, Nov 18 '15 11:11

+1

hacksut3l, Jan 12 '16 02:01

+1

chirag200666, Feb 01 '16 20:02

I might be wrong, but I doubt this repo will have any further active development, see this comment

LeonardoGentile, Feb 03 '16 19:02