Node: Sending JSON Web token to client with page redirect
I am using Node Express to build my backend server. Additionally, authentication in my application happens with Passport-SAML. I am using JWT to maintain user sessions. So the flow is:

  1. The user calls the login endpoint.
  2. They are redirected to the SAML identity provider.
  3. The provider verifies the user and sends an authorization back to the server on a callback URL.
  4. I am using the POST callback URL to authenticate and then create a token for the user to perform authorization and session management.

The callback POST endpoint also has a page redirect. And from what I have learned so far, res.status and res.redirect cannot be in the same endpoint for obvious reasons. I have been trying to find the right approach to it; any help is greatly appreciated.

router.route('/login')
  .get(
    passport.authenticate(config.passport.strategy, {
      successRedirect: '/',
      failureRedirect: '/login'
    })
  );

router.route(config.passport.saml.path)
  .post(
    passport.authenticate(config.passport.strategy, {
      failureRedirect: '/',
      failureFlash: true
    }),
    function (req, res) {
      res.redirect('/');
      var token = Verify.getToken(req.user.saml);
      return res.status(200).json({
        status: 'Login successful!',
        success: true,
        token: token
      });
      console.log(token, 'yes');
    }
  );
Actaeon answered 25/8, 2017 at 13:26 Comment(0)

You've got an array of options here

Cookie

res.cookie('token', token, ...);
res.redirect(...);

URL parameter

res.redirect(`/some/url?token=${token}`);

Custom header

res.set('x-token', token);
res.redirect(...);
Alphaalphabet answered 25/8, 2017 at 13:36 Comment(6)
Can't use cookies, since I am using JWT to replace it. I am going to use the custom header. It seems to work, but to confirm this is your solution: .post(passport.authenticate(config.passport.strategy,{...}), function (req, res) {var token = Verify.getToken(req.user.saml); res.set('x-access-token', token); res.redirect('/'); }); ? And by this way, the token will be sent with the page redirect, to the front-end? Still a noob, please bear with my amateur skills. – Actaeon

From a security point of view, since with the above solution we will be sending the JWT in a custom header: how vulnerable could my application be, security-wise, and what measures can I take against it? – Actaeon

@Actaeon the idea of the custom header only works if you parse the header out at the server on the redirect and then send it to the client with your HTML. I think in your case an HTTP-only / signed cookie would be the best, as you would have access to it at any point from thereon and it is arguably easier to manage. In terms of security, that's too big a topic to cram into the comments as it depends on a variety of things; as a starter for 10 though, here are some good tips on how to use a JWT. – Alphaalphabet

Basically for my app, when the user goes to /login they are redirected to the third-party auth provider (SAML IdP) and they post back to an endpoint on my application. At the callback URL endpoint, I was setting headers, and I realize this is wrong. Instead, I should be returning the token on the /login endpoint to the client end. Keeping aside security, can the token be sent back to the user on the /login request as an HTTP header? The client can parse the header and access the info. – Actaeon

Normally, which field will be used to include the JWT in the host JSON response? – Cancroid

@Alphaalphabet The custom header option is completely useless since the client cannot read the headers set on a redirect response. The redirects are handled by the browser and there is no way to control them with user/script actions. – Woody
