Search code examples
node.jsopenidgoogle-openidpassport.js

Restricting Login Access - Passport.js, Google Authentication

Okay, so using passport.js works, and works well, from what I've seen. However, I'm not sure how to properly exclude certain users. If the application is intended to have restricted access, rather than just providing the user a method for logging in, how can I restrict the login through passport.js? As it stands, users can just visit /login and log in with their Google account, thereby getting access to the internals.

Solution

  • Here is one way to do this, with comments throughout. The main thing is understanding this page from the author: http://passportjs.org/guide/authenticate/, which I explain a little more in this example ...

    It might be easier to read bottom to top:

    var authenticate = function(req, success, failure) {

    // Use the Google strategy with passport.js, but with a custom callback.
    // passport.authenticate returns Connect middleware that we will use below.
    //
    // For reference: http://passportjs.org/guide/authenticate/
    return passport.authenticate('google', 
        // This is the 'custom callback' part
        function (err, user, info) {

            if (err) { 
                failure(err);
            }
            else if (!user) { 
                failure("Invalid login data");
            }
            else {
                // Here, you can do what you want to control 
                // access. For example, you asked to deny users 
                // with a specific email address:
                if (user.emails[0].value === "no@emails.com") {
                    failure("User not allowed");
                }
                else {
                    // req.login is added by the passport.initialize() 
                    // middleware to manage login state. We need 
                    // to call it directly, as we're overriding
                    // the default passport behavior.
                    req.login(user, function(err) {
                        if (err) { 
                            failure(err);
                        }
                        success();
                    });
                }
            }
        }
    );
};

    One idea is to wrap the above code in some more middleware, to make it easier to read:

    // This defines what we send back to clients that want to authenticate
// with the system.
var authMiddleware = function(req, res, next) {

    var success = function() {
        res.send(200, "Login successul");
    };

    var failure = function(error) {
        console.log(error);
        res.send(401, "Unauthorized"); 
    };

    var middleware = authenticate(req, success, failure);
    middleware(req, res, next);
};


// GET /auth/google/return
//   Use custom middleware to handle the return from Google.
//   The first /auth/google call can remain the same.
app.get('/auth/google/return', authMiddleware);

    (This all assumes we're using Express.)