
Passport breaking request flow for federated accounts


I have discovered, when using the simple Google Tutorial app, that if the user goes to Google, authenticates successfully and then my app cancels this login (e.g. because this user was not found in the database), then the Passport flow is completely broken. The message raised (e.g. "Please Sign Up before using Google Auth") is not propagated and the user is just redirected with an empty request to the Login page. If I use LocalStrategy then this code works as expected (the message is passed in the request to the failedLogin page).

Full code (modified Passport Google tutorial) is here https://github.com/molt2020/broken-passport/blob/main/routes/auth.js

To demonstrate this I just always return an error after authenticating with Google but this error never gets to the login page.

const passport = require('passport');
// The tutorial uses the OIDC strategy, whose verify callback is (issuer, profile, cb)
const GoogleStrategy = require('passport-google-oidc');

passport.use(new GoogleStrategy({
  clientID: process.env['GOOGLE_CLIENT_ID'],
  clientSecret: process.env['GOOGLE_CLIENT_SECRET'],
  callbackURL: '/oauth2/redirect/google',
  scope: [ 'profile' ]
}, function verify(issuer, profile, cb) {
  // I replaced all logic from the Tutorial with a simple reject message
  return cb(null, false, { message: "Please Sign Up before using Google Login" });
}));

How can I pass this message back to the login page with PassportJS instead of it being lost?

I noted that Passport will break the request flow in the same way if the session cookie contains bad user info (e.g. the ID of a user that has been removed). When the session deserialize function raises an error ("bad user"), this never gets into 'messages' and it does not get back to the user; in fact a server error 500 is raised, which is not pleasant for the user (the request should be redirected to the failedLogin page as usual).


Solution

  • It was a RTFM in this case - I needed to use the failureMessage: true option in the router.get for the Google Callback in order to be able to collect and display the message on return from Google.
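A self-contained model of the behaviour the answer refers to, added here as an example and not taken from the question's repository or from Passport itself: it assumes Passport's documented handling of `failureMessage` (push `info.message` onto `req.session.messages`, then redirect) and stands in plain objects for Express and express-session.

```javascript
// Added example (not code from the question's repository or from Passport):
// a minimal model of what passport.authenticate() does with the `info`
// object a verify callback passes to cb(null, false, info), with and
// without the `failureMessage` option.

// The info the verify callback in the question returns for a rejected user.
const REJECT_INFO = { message: 'Please Sign Up before using Google Login' };

// Model of the failure branch of passport.authenticate(strategy, options).
// Assumption: mirrors Passport's documented behaviour, where
// `failureMessage: true` pushes info.message onto req.session.messages
// before redirecting to `failureRedirect`; a string value is used verbatim.
function handleAuthFailure(req, res, info, options) {
  if (options.failureMessage) {
    const msg = typeof options.failureMessage === 'boolean'
      ? info.message            // true: forward the strategy's own message
      : options.failureMessage; // string: use this fixed message instead
    req.session.messages = req.session.messages || [];
    req.session.messages.push(msg);
  }
  // Without failureMessage the info object is dropped at this point, which
  // is why the question's message never reached the login page.
  res.redirect(options.failureRedirect || '/login');
}

// Model of the tutorial's GET /login handler: collect the queued messages,
// then clear them so each is shown only once.
function renderLogin(req) {
  const messages = req.session.messages || [];
  req.session.messages = [];
  return messages;
}

// Run the Google callback route once as in the question (no failureMessage)
// and once with the option from the answer; returns what the login page sees.
function simulateCallback(options) {
  const req = { session: {} };
  const res = { location: null, redirect(url) { this.location = url; } };
  handleAuthFailure(req, res, REJECT_INFO, options);
  return { redirectedTo: res.location, loginMessages: renderLogin(req) };
}

// The real route the model stands in for (shown for reference, not run):
//   router.get('/oauth2/redirect/google', passport.authenticate('google', {
//     successRedirect: '/', failureRedirect: '/login', failureMessage: true
//   }));

console.log(simulateCallback({ failureRedirect: '/login' }));
console.log(simulateCallback({ failureRedirect: '/login', failureMessage: true }));
```

The first call prints an empty `loginMessages` array (the question's symptom); the second delivers the strategy's message to the login page.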