
javascript - How to protect route endpoints using Passport? - Stack Overflow


I am trying to build user authentication into my simple Node.js app using the tutorial here: http://code.tutsplus.com/tutorials/authenticating-nodejs-applications-with-passport--cms-21619

It works great in terms of protecting the application home page so that it can only be accessed after logging in, but I am having a really hard time restricting my REST endpoints to only logged in users. As in, using Postman I can still call the endpoints without any authentication.

In my route I have the following:

var express = require('express');
var router = express.Router();

// Only continue when Passport has marked this request as authenticated
// (with LocalStrategy that means a valid login session is present).
var isAuthenticated = function (req, res, next) {
  if (req.isAuthenticated())
    return next();
  res.json("not authenticated");
}

/*
 * GET carlist.
 */
router.get('/carlist', isAuthenticated, function(req, res) {
    var db = req.db;
    var collection = db.get('carlist');
    collection.find({},{},function(e,docs){
        res.json(docs);
    });
});

module.exports = router;

This doesn't seem to work; even if I actually enter correct credentials I am always returned "not authenticated". What am I missing here?

EDIT:

Full code here: https://gist.github.com/tudorific/d99bc51cfbd3d9d732a3bb1b93ed7214

Thanks in advance for the help!

asked May 17, 2016 at 4:02 by user2573690; edited May 17, 2016 at 4:31
  • 1 which passport method are you using? and show how you set up passport – Neta Meta Commented May 17, 2016 at 4:18
  • 1 I am using basic authentication. For passport setup, did you want to see the code in the app.js file or the file that has the login strategy? @NetaMeta – user2573690 Commented May 17, 2016 at 4:21
  • 1 everything that relates to passport, make a little gist or pastebin – Neta Meta Commented May 17, 2016 at 4:21
  • 1 @NetaMeta how's this: gist.github.com/tudorific/d99bc51cfbd3d9d732a3bb1b93ed7214 – user2573690 Commented May 17, 2016 at 4:30
  • 2 Try getting rid of serializer/deserialize and simply add the sessions/checks yourself – Neta Meta Commented May 17, 2016 at 15:42

1 Answer

I figured it out. Since I was using a LocalStrategy, the isAuthenticated method was looking for the credentials in the session rather than at the Basic credentials I was sending with Postman. So I needed to create the following new BasicStrategy:

var passport = require('passport');
var BasicStrategy = require('passport-http').BasicStrategy;
var Employer = require('../models/employer');
var bCrypt = require('bcrypt-nodejs');

// Compare the supplied password against the stored bcrypt hash.
var isValidPassword = function(employer, password){
    return bCrypt.compareSync(password, employer.password);
}

passport.use(new BasicStrategy(
  function(username, password, done) {
    Employer.findOne({ username: username }, function (err, user) {
      if (err) { return done(err); }
      if (!user) { return done(null, false); }
      if (!isValidPassword(user, password)) { return done(null, false); }
      return done(null, user);
    });
  }
));

And then use that strategy in my route like this:

var express = require('express');
var passport = require('passport');
var router = express.Router();

// Basic credentials arrive on every request, so no login session is needed:
// the strategy runs as middleware, then the handler follows as a separate argument.
router.get('/carlist', passport.authenticate('basic', { session: false }), function(req, res) {
    var db = req.db;
    var collection = db.get('cars');
    collection.find({},{},function(e,docs){
        res.json(docs);
    });
});

This would use my basic authentication credentials from Postman to connect to the website.

Thanks to Neta Meta's advice in the comments to my OP I was able to arrive at this result, and a bit more reading on the Passport documentation helped me understand the differences between the strategies.
