Search code examples
node.jsexpressnode.js-connecteveryauth

Using Express and everyauth to conditionally authenticate Google OAuth2

I'm trying to use everyauth with Google OAuth2, and I only want authentication to succeed if Google sends me a user in my company's Google Apps domain. I can't figure out how to gracefully abort authentication based on arguments to findOrCreateUser.

express = require "express"
everyauth = require "everyauth"
app = express()

nextUserId = 0
usersById = {}

app.get "/", (req, res) ->
    res.send "Secret"

everyauth.everymodule
    .findUserById (id, callback) ->
        callback null, usersById[id]

everyauth.google
    .appId(process.env.GOOGLE_CLIENT_ID)
    .appSecret(process.env.GOOGLE_CLIENT_SECRET)
    .scope("...")
    .redirectPath("/")
    .findOrCreateUser (session, token, extra, googleUser) ->
        # I want to abort authentication if googleUser.email != foo
        # Redirecting to /unauthorized would be awesome but I don't know how
        googleUser.id = nextUserId++
        usersById[googleUser.id] = googleUser

app.use express.cookieParser()
app.use express.session { secret: "secret" }
app.use everyauth.middleware()

app.listen process.env.PORT
Solution

  • Based on a clue from https://github.com/bnoguchi/everyauth/issues/206 the code below works as you requested. Note that the code order matters, I had to move the app.use calls to be later in the file in order for the sessions to work correctly.

    express = require "express"
everyauth = require "everyauth"
util = require "util"

everyauth.everymodule
    .findUserById (req, id, callback) ->
        callback(null, usersById[id])

everyauth.google
    .appId(process.env.GOOGLE_CLIENT_ID)
    .appSecret(process.env.GOOGLE_CLIENT_SECRET)
    .scope("https://www.googleapis.com/auth/userinfo.email")
    .redirectPath("/")
    .findOrCreateUser (session, token, extra, googleUser) ->
        #console.log(util.inspect(googleUser))
        if googleUser.email == "some.user@gmail.com"
            return null
        else
            return usersById[googleUser.id] = googleUser
    .sendResponse (res, data) ->
        user = data.user
        if !user
            return this.redirect(res, '/failure')
        this.redirect(res, "/")

app = express()
app.use express.bodyParser()
app.use express.cookieParser()
app.use express.session({secret: "SECRETIVE"})
app.use everyauth.middleware()

nextUserId = 0
usersById = {}

app.get "/", (req, res) ->
    if req.loggedIn
        res.send "You are logged in as " + req.user.email + ". Click <a href='/logout'>here to logout</a>"
    else
        res.send "click <a href='/auth/google'>here to login</a>"

app.get "/failure", (req, res) ->
    # clear the login stuff from the session since we went through auth
    # but didn't set a user object. This makes req.loggedIn return false.
    req.logout()
    res.send "Victory has defeated you."

app.listen process.env.PORT
console.log('listening on ', process.env.PORT)