Skip to content

Instantly share code, notes, and snippets.

@amoslanka
Last active January 15, 2018 01:42
Show Gist options
  • Save amoslanka/5769131 to your computer and use it in GitHub Desktop.
Save amoslanka/5769131 to your computer and use it in GitHub Desktop.
Simple session-stored auth on Node.js
*node_modules/
.DS_Store
{
"name": "cross-domain",
"subdomain": "cross-domain",
"scripts": {
"start": "server.js"
},
"version": "0.0.0-20",
"engines": {
"node": "0.6.x"
},
"dependencies": {
"express": "2.5.x",
"connect": "2.2.x"
}
}
var express = require('express');
var connect = require('connect');
// Custom csrf library
// var csrf = require('./csrf');
var app = express.createServer();
// An array of users who are already registered and can log in.
var users = [
{ username: 'herp', password: 'derp' },
{ username: 'foo', password: 'bar' },
{ username: 'turd', password: 'burgler' }
]
var allowCrossDomain = function(req, res, next) {
// Added other domains you want the server to give access to
// WARNING - Be careful with what origins you give access to
var allowedHost = [
'http://backbonetutorials.com',
'http://localhost',
'http://localhost:4567',
'http://amoslanka.struck.com:4567',
'chrome-extension://fdmmgilgnpjigdojojpjoooidkmcomcm'
];
// chrome-extension line is the origin header from POSTman chrome extension
// console.log("Headers: ", req.headers, "\n")
console.log("----------------------------")
console.log("Origin: ", req.headers.origin)
console.log("Session: ", req.session)
if(allowedHost.indexOf(req.headers.origin) !== -1) {
res.header('Access-Control-Allow-Credentials', true);
res.header('Access-Control-Allow-Origin', req.headers.origin)
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
res.header('Access-Control-Allow-Headers', 'X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version');
next();
} else {
console.log("Failed the CORS origin test: ", req.session.username)
res.send(401, {auth: false});
}
}
app.configure(function() {
app.use(express.cookieParser());
app.use(express.session({ secret: 'thomasdavislovessalmon' }));
app.use(express.bodyParser());
app.use(allowCrossDomain);
// app.use(csrf.check);
});
app.get('/users/current', function(req, res){
console.log("GET users/current")
// This checks the current users auth
// It runs before Backbones router is started
// we should return a csrf token for Backbone to use
if(typeof req.session.username !== 'undefined'){
console.log("Verified logged in: ", req.session.username)
res.send({auth: true, id: req.session.id, username: req.session.username});
// res.send({auth: true, id: req.session.id, username: req.session.username, _csrf: req.session._csrf});
} else {
res.send(401, {auth: false});
// res.send(401, {auth: false, _csrf: req.session._csrf});
}
});
app.post('/session', function(req, res){
console.log("POST session")
// Login
// Here you would pull down your user credentials and match them up
// to the request
var foundUser = undefined
for (var i=0;i<users.length;i++) {
var u = users[i];
if (u.username == req.body.username && u.password == req.body.password) {
foundUser = u.username
}
}
if (foundUser !== undefined) {
req.session.username = req.body.username;
console.log("Login succeeded: ", req.session.username)
res.send({auth: true, id: req.session.id, username: req.session.username});
} else {
console.log("Login failed: ", req.body.username)
res.send(401, {status:401, message: {auth:false}});
}
});
app.del('/session', function(req, res, next){
console.log("DELETE session")
console.log("Logout: ", req.session.username)
// Logout by clearing the session
req.session.regenerate(function(err){
// Generate a new csrf token so the user can login again
// This is pretty hacky, connect.csrf isn't built for rest
// I will probably release a restful csrf module
// csrf.generate(req, res, function () {
res.send({auth: false, _csrf: req.session._csrf});
// });
});
});
console.log("Listening on port 8000...")
app.listen(8000);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment