heroku / node-heroku-bouncer Goto Github PK

View Code? Open in Web Editor NEW

11.0 79.0 13.0 115 KB

easy Heroku OAuth authentication for express

Home Page: https://npmjs.org/package/heroku-bouncer

JavaScript 100.00%

node-heroku-bouncer's Introduction

node-heroku-bouncer

node-heroku-bouncer is an easy-to-use module for adding Heroku OAuth authentication to Express 4 apps.

Install

$ npm install heroku-bouncer --save

Requirements

Node 0.10.x
Express 4.x

Use

Ensure your app is using the cookie-parser and client-sessions middlewares. This module is not guaranteed to work with any other session middleware.

var express      = require('express');
var cookieParser = require('cookie-parser');
var sessions     = require('client-sessions');
var bouncer      = require('heroku-bouncer');
var app          = express();

app.use(cookieParser('your cookie secret'));

// NOTE: These options are good general options for use in a Heroku app, but
// carefully review your own environment's needs before just copying these.
app.use(sessions({
  cookieName    : 'session',
  secret        : 'your session secret',
  duration      : 24 * 60 * 60 * 1000,
  activeDuration: 1000 * 60 * 5,
  cookie        : {
    path     : '/',
    ephemeral: false,
    httpOnly : true,
    secure   : false
  }
}));

app.use(bouncer({
  oAuthClientID      : 'client-id',
  oAuthClientSecret  : 'client-secret',
  encryptionSecret   : 'abcd1234abcd1234'
}));

app.get('/', function(req, res) {
  res.end('You must be logged in.');
});

After requests pass through the bouncer middleware, they'll have the heroku-bouncer property on them:

{
  token: 'user-api-token',
  id   : 'user-id',
  name : 'user-name',
  email: 'user-email'
}

To log a user out, send them to /auth/heroku/logout.

Options

Options	Required?	Default	Description
`encryptionSecret`	Yes	n/a	A random string used to encrypt your user session data
`oAuthClientID`	Yes	n/a	The ID of your Heroku OAuth client
`oAuthClientSecret`	Yes	n/a	The secret of your Heroku OAuth client
`oAuthScope`	No	`"identity"`	The requested scope for the authorization
`oAuthState`	No	`null`	Optional oauth state or function that returns oauth state to be passed to `oauth/authorize` endpoint
`herokuAPIHost`	No	n/a	An optional override host to send Heroku API requests to
`newSessionCallback`	No	`null`	Optional callback to be invoked after successful session creation. Passed oauth `access_token` and `refresh_token`
`sessionSyncNonce`	No	`null`	The name of a nonce cookie to validate sessions against
`ignoredRoutes`	No	`[]`	An array of regular expressions to match routes to be ignored when there is no session active
`oAuthServerURL`	No	`"https://id.heroku.com"`	The location of the Heroku OAuth server
`herokaiOnlyHandler`	No	`null`	A route handler that will be called on requests by non-Herokai

Test

$ npm test

node-heroku-bouncer's People

Stargazers

Watchers

Forkers

max zeke raulb jackca idan hburrows sshyran barslev katerinapal louboutinsteppin

node-heroku-bouncer's Issues

Add an authorization callback instead of (or along with) herokaiOnlyHandler

It'd more flexible to have an authorization callback function that decides if an authorized user is allowed (rather than the hardcoded herokaiOnlyHandler).

So for example:

app.use(bouncer({
  oAuthClientID      : 'client-id',
  oAuthClientSecret  : 'client-secret',
  encryptionSecret   : 'abcd1234abcd1234',
  authCallback: function(user) { return /@example\.com$/.test(user.email); }
}));

See also the change to heroku-bouncer-python and my PR for heroku-bouncer.

I'll try to submit a PR for this, but I'm an express n00b so it might take me a bit :)

Add user's email address to session

Bouncer should reauthenticate if id.h.c returns a 401

id.heroku.com can return three statuses:

200 for a proper auth
401 for an invalid token
403 for a forbidden token

According to @brandur id.h.c returns a 401 if your token has expired. A 401 should trigger a re-auth flow and come back with a new token.

//cc @jesperfj

Cannot read property 'email' of undefined

Am I doing something wrong? Here's my code: https://github.com/zeke/hk-web/blob/master/index.js

TypeError: Cannot read property 'email' of undefined
    at Object.handle (/Users/zeke/code/hero/hk-web/node_modules/heroku-bouncer/lib/middleware.js:27:34)
    at next (/Users/zeke/code/hero/hk-web/node_modules/express/node_modules/connect/lib/proto.js:194:15)
    at Object.cookieSession [as handle] (/Users/zeke/code/hero/hk-web/node_modules/express/node_modules/connect/lib/middleware/cookieSession.js:120:5)
    at next (/Users/zeke/code/hero/hk-web/node_modules/express/node_modules/connect/lib/proto.js:194:15)
    at Object.cookieParser [as handle] (/Users/zeke/code/hero/hk-web/node_modules/express/node_modules/connect/node_modules/cookie-parser/index.js:45:5)
    at next (/Users/zeke/code/hero/hk-web/node_modules/express/node_modules/connect/lib/proto.js:194:15)
    at Object.methodOverride [as handle] (/Users/zeke/code/hero/hk-web/node_modules/express/node_modules/connect/node_modules/method-override/index.js:48:5)
    at next (/Users/zeke/code/hero/hk-web/node_modules/express/node_modules/connect/lib/proto.js:194:15)
    at Object.urlencodedParser [as handle] (/Users/zeke/code/hero/hk-web/node_modules/express/node_modules/connect/node_modules/body-parser/index.js:104:36)
    at next (/Users/zeke/code/hero/hk-web/node_modules/express/node_modules/connect/lib/proto.js:194:15)
    at Object.jsonParser [as handle] (/Users/zeke/code/hero/hk-web/node_modules/express/node_modules/connect/node_modules/body-parser/index.js:71:36)
    at next (/Users/zeke/code/hero/hk-web/node_modules/express/node_modules/connect/lib/proto.js:194:15)
    at Object.expressInit [as handle] (/Users/zeke/code/hero/hk-web/node_modules/express/lib/middleware.js:30:5)
    at next (/Users/zeke/code/hero/hk-web/node_modules/express/node_modules/connect/lib/proto.js:194:15)
    at Object.query [as handle] (/Users/zeke/code/hero/hk-web/node_modules/express/node_modules/connect/lib/middleware/query.js:45:5)
    at next (/Users/zeke/code/hero/hk-web/node_modules/express/node_modules/connect/lib/proto.js:194:15)
    at Function.app.handle (/Users/zeke/code/hero/hk-web/node_modules/express/node_modules/connect/lib/proto.js:202:3)
    at Server.app (/Users/zeke/code/hero/hk-web/node_modules/express/node_modules/connect/lib/connect.js:65:37)
    at Server.EventEmitter.emit (events.js:98:17)
    at HTTPParser.parser.onIncoming (http.js:2108:12)
    at HTTPParser.parserOnHeadersComplete [as onHeadersComplete] (http.js:121:23)
    at Socket.socket.ondata (http.js:1966:22)
    at TCP.onread (net.js:527:27)

cc @jclem

herokaiOnlyHandler

Hey @jclem , how can I use herokaiOnlyHandler to only allow heroku.com emails? Bit of a node - newb here any help appreciated!

app.use(bouncer({
oAuthClientID : process.env.HEROKU_OAUTH_ID,
oAuthClientSecret : process.env.HEROKU_OAUTH_SECRET,
encryptionSecret : process.env.HEROKU_ENCRYPTION_SECRET,
herokaiOnlyHandler : ???
}));

Add Herokai only flag

Related to #2.