I am using PassportJS, and the signup and login functions are working quite smoothly.
The only problem I am facing with PassportJS (I am using sessions too) is that even when the user has logged in, they can go back to the signup/login URL and sign up and/or log in again!
This is tempting me. If anyone has a fix/suggestion, please put it down.
UPDATE - 1
Glimpse of myroutes.js (using PassportJS along with connect-ensure-login):
app.get('*', function(req, res, next) {
    if (req.url.indexOf('/users/login') < 0 &&
        req.url.indexOf('/users/signup') < 0) {
        req.session.returnTo = null;
    }
    next();
});

// =====================================
// HOME PAGE (with login links) ========
// =====================================
app.get('/', sabSettings, function(req, res) {
    Setting.findOne(function(err, setting) {
        if (err)
            throw err;
        // console.log(setting);
        res.render('index', { title: 'eduBird | Reach the glory', setting: req.setting }); // load the index file
    });
});

// =====================================
// LOGIN ===============================
// =====================================
// show the login form
app.get('/login', sabSettings, function(req, res) {
    // render the page and pass in any flash data if it exists
    res.render('login', {
        message: req.flash('loginMessage'),
        errors: req.flash('error'),
        title: 'Login | eduBird',
        setting: req.setting
    });
});

// process the login form
app.post('/login', passport.authenticate('local-login', {
    successReturnToOrRedirect: '/loggedin',
    failureRedirect: '/login',
    failureFlash: true
}));

// =====================================
// SIGNUP ==============================
// =====================================
// show the signup form
app.get('/signup', sabSettings, function(req, res) {
    // render the page and pass in any flash data if it exists
    process.nextTick(function() {
        res.render('signup', {
            message: req.flash('signupMessage'),
            errors: req.flash('error'),
            title: 'Register | eduBird',
            setting: req.setting
        });
    });
});

// process the signup form
app.post('/signup', passport.authenticate('local-signup', {
    successReturnToOrRedirect: '/profile/welcome',
    failureRedirect: '/signup',
    failureFlash: true
}));
You have not created any sort of access control, but don't worry: we will first go through how Passport works and then use that to address the problem.
Calling done returns us to passport.authenticate, and the corresponding redirect is executed.
At this point, if the sign-in was successful, the user object (from done(null, user)) is attached to the request, and you can access it through req.user.
The main idea is: if the user object is not attached to the request, the user is not logged in, so we can control our application's behaviour for logged-in users with req.user. For example:
// If the user object does not exist it means the user is not logged in
if (!req.user) {
    res.render('signin');
} else {
    // If the user object exists, the user is logged in and if they try to log in we redirect them to the home page
    return res.redirect('/');
}
I hope this helps.