jed / authom Goto Github PK

I cannot use port 80 in my dev machine, so I decided to change the port as in:

var http = require("http")
  , authom = require("../lib/authom")
  , server = http.createServer()
  , port = process.env.PORT || 9000

This results in an error:

1. That’s an error.
   Error: redirect_uri_mismatch
   Application: authom_example

Feature Request:

Wouldn't it be better to extract your keys, IDs, and so on, into a separate config.js file?

Example:

const config = {

  // mongodb location
  db: 'mongodb://localhost/authom',

  // port
  port: process.env.PORT || 3000,

  // test environment
  test_env: 'test',
  test_db: 'authom-test',
  test_port: 3001,

  // github config
  githubService: 'github',
  githubId: '7e38d12b740a339b2d31',
  githubSecret: '116e41bd4cd160b7fae2fe8cc79c136a884928c3',
  githubState: 'unguessable-random-string'

  // other providers

};

export default config;

authom source code looks very clean and easy to understand, but i got a problem to integreate with express,specifically i want to save the authenticated user information into express session.

app.use(express.session({
secret: 'xxx',
store: memoryStore,
}));

i want to set session in authom.on("auth", function(req, res, data) {
req.session.auth=true;
req.session.username= data.user.Name;
})

so that i can check whether user is authenticated or not in express

app.get("secpath",function(){
if(!req.session.auth) redirect("/auth/github"); //<-- but i can not get req.session.auth value as true, the session lost!
})

can someone show how to write a authom middleware for express or other solution?

Hello,

I tried playing around with Authom and Linkedin, below is a snippet of the setup

authom.createServer({
service: 'linkedin',
........
scope: ['r_basicprofile', 'r_emailaddress'],
fields: ['email-address', 'first-name', 'last-name', 'picture-url']
});

I get all the fields requested apart from email-address. Is it possible that email-address is not bound on return?

It's unlikely to be the Linkedin app because r_emailaddress is checked in.

Thanks

From http://developer.github.com/v3/oauth/

state
Optional string - An unguessable random string. It is used to protect against cross-site request forgery attacks.

hello, I understood how to retrieve other data facebook, with the fields and the scope, but I do not see how to do it with twitter, you have a solution, or is it set up?

With the new security changes with the node https module, self-signed certs are rejected by default. There is an override that can be set called rejectUnauthorized. My thought is to add the override into authom, but I may also not be aware of a workaround. Is this a known issue with workaround or something that should be added to authom? Thanks.

Hello,

I noticed that it's not possible to use more than one service with the library, despite using the name field. Example:

var app = require("express").createServer()
  , authom = require("authom")

var one = authom.createServer({
  name: "facebook-one",
  service: "facebook",
  id: "1",
  secret: "mylittlesecret",
  scope: [],
  fields: ["name", "picture"]
})

var two = authom.createServer({
  name: "facebook-two",
  service: "facebook",
  id: "2",
  secret: "mylittlesecret",
  scope: [],
  fields: ["name", "picture"]
})

console.log('one: ', one.code)
// { ... query: { client_id: '2', scope: '' } } <- I was expecting client_id: '1'
console.log('two: ', two.code)
// { ... query: { client_id: '2', scope: '' } }

app.get("/auth/:service", authom.app)
app.listen(8000)

In other words, the last service overwrite all the other services. I dug into the code and I figured out that you store instance variables on the prototype. Hence when one of those variables change, all the instances see the new change. Example:

function myClass(){}
myClass.prototype = {
    settings: {name: 'random'}
};

m1 = new myClass();
m2 = new myClass();

m1.settings.name // 'random'
m2.settings.name // 'random'
m1.settings.name = 'Daniele'
m1.settings.name // 'Daniele'
m2.settings.name // 'Daniele' <- You might have expected 'random'

Fixing the issue is very straightforward and requires to move the properties on the prototype within the constructor.
I was about to propose a pull request when I realised that Facebook wasn't the only service suffering from this problem. At this point I think I'm not sure I can help you further. If you're happy for me to move all the properties on the prototype within the constructor, just let me know and I'll send you a pull request.

Thanks
Daniele

Hi,

npm version seem to be not updated with refresh_token implementation.

Thanks

consider changing

"node": "~0.4.12"

to

"node": ">=0.4.12"

in package.json since the ~ designates only v0.4.x

Great work! I like authom a lot and it is a breath of fresh air after working with passport.js.

OAuth redirect URI is expected to be HTTPS if the URL is not localhost.
Could you please provide an example how to set autom to listen to HTTPS redirects.

I'm using Authom like this:

app.use('/auth/:service', authom.app);

I'm trying to authentication with Google, which uses OAuth2. The redirect_uri passed to Google contains / instead of /auth/google.

I think the problem is in oauth2.js where req.url is used:

this.code.query.redirect_uri = url.format(req.url)

If I add these two lines above this, the problem is resolved:

  req.url.pathname = req.baseUrl;
  delete req.url.href;

Similar changes still need to be made later on for onCode.

In any case, I think that originalUrl needs to come into play here because /auth/google isn't in req.url. Is this the correct fix? I would submit a pull request, but since this is an as-documented usage of Authom, I wanted to make sure I wasn't doing anything wrong to begin with. Any insight is welcomed! Thanks.

When twitter emits an error like the following:

{ statusCode: 401,
data: '\n\n Invalid / expired Token\n /oauth/access_token\n\n' }

it triggers the following error:

Uncaught exception: TypeError: Object # has no method 'error'

cause of this:

authom.on('error', function(req, res, data) {
res.error("An error occurred: " + JSON.stringify(data))
});

cause the res object doesnt have the method "error".

Hello,

Today, I try to run my app that use authom on node 0.10.0. With OAuth2 Services it fails. I review API changes on new version of node at this page https://github.com/joyent/node/wiki/Api-changes-between-v0.8-and-v0.10 , and I change the inheritance method used by the recomend on this page. I need to add more change for pass my custom tests. I try with twitter, facebook, foursquare, instagram and github with sucess, but not extensive. The changes are in cartuchogl@5d40580

Tomorrow I try to do more tests.

meetup.js and twitter.js service files are not getting downloaded using:

npm install authom

https://developers.google.com/+/api/auth-migration#timetable

According to this the userinfo endpoint will be fully removed, which will break the google oauth.

I would like to allow users to create new accounts or use existing ones like Facebook for my app. Is this possible? Thanks

Could someone look over how I have configured Authom for my Sails app?

I created a policy called "authomAuth", which is "middleware" in Sails speak:

var authom = require('authom');
module.exports = function(req, res, next) {
    authom.listener(req, res);    
    authom.on("auth", function(req, res, data) {        
    })
    authom.on("error", function(req, res, data) {           
    })
    console.log('Using authom policy');
    return next();    
};

I enabled the policy for the "AuthController" in the policy.config file

AuthController: {
        'auth': 'authomAuth'
}

I then created a route as such:

'/auth/:service' : {
        policy: 'authomAuth'
    },

I have left out the forms for the meant time, is my configuration ok?

Thanks

when emitting an error like you used in twitter.js

if (error) return self.emit("error", req, res, uri.query)

you should emit the error message too, i think it would be good to tell the user why the error happened instead of just sending them the tokens.

Hi there,

We just had a big issue after installing 0.4.8 - all of our facebook authentications stopped working until we reverted to 0.4.7.

I'll investigate further and follow up on this ticket. - Wanted to drop a word on this if anyone experienced similar issues.

( I know I'm 3 months late since 0.4.8 - seems to be a weird edge case.)

Is there a particular reason why Twitter is missing, I just realized that it wasnt on your list and wanted to know if there is a special reason or perhaps no one is asking for it :(

Thank you and great job, I love authom and might be using in couple projects soon.

JB

Is it possible to incorporate setting the state parameter in the access token request? The scenario I am thinking of is when there is state related to the initial /auth request that is needed after the access token is granted. (ie. /auth/:service?rememberMeFlag=true). When the access token is requested, only the state parameter is allowed in the oauth spec for this purpose. Adding any other parameter directly to the url will cause an error with the called oauth service. Here is a reference article to help provide context. I am game for making the changes and sending a pull request but I would want a little guidance before I did this. Thanks.

http://stackoverflow.com/questions/7722062/google-oauth2-redirect-uri-with-several-parameters

https://developer.github.com/changes/2020-02-10-deprecating-auth-through-query-param/

Any plan to address this? Should I make a PR? Would it be merged? Should I migrate away to something else?