
Comments (6)

iaincollins commented on May 17, 2024 1

> I think throwing error for that would be enough to let developer handle it.

Hmm maybe that's a good idea - just explicitly throwing an error other than just glossing over with an inline @todo or @fixme note.

That would also discourage people from bypassing appropriate handling and accidentally creating security bugs (such as ones that would allow someone to hijack another person's account), which was bugging me.

> I can see some approach here https://github.com/kriasoft/nodejs-api-starter#features

The passport code in that project looks ideal - it's better than what I currently have and is how I was thinking of refactoring it (so the provider logic is more generic, making it easier to add providers).

As it's MIT I'll just adapt it and credit them.

I'll address this and issue #6 later this week, probably tomorrow. Thanks!

from nextjs-starter.
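
The corner case discussed in this thread (an OAuth sign-in whose email already belongs to another account), handled by throwing an explicit error instead of merging on email. This is an added example, not code from nextjs-starter or nodejs-api-starter; the array user store, `resolveOAuthSignIn`, `AccountConflictError` and the `{ id, email }` profile shape are assumptions for illustration.

```javascript
// Added example. The user store is a plain array; all data is constructed.
class AccountConflictError extends Error {
  constructor(message) {
    super(message);
    this.name = 'AccountConflictError';
    this.code = 'ACCOUNT_CONFLICT';
  }
}

const normalizeEmail = (email) => String(email || '').trim().toLowerCase();

function sampleUsers() {
  return [{ id: 1, email: 'alice@example.com', providers: {} }];
}

// sessionUserId: id of the signed-in user, or null when nobody is signed in.
// profile: { id, email } as reported by the OAuth provider (assumed shape).
function resolveOAuthSignIn(users, sessionUserId, provider, profile) {
  if (!profile || !profile.id) throw new TypeError('profile.id is required');
  const email = normalizeEmail(profile.email);
  const owner = users.find((u) => u.providers[provider] === profile.id);
  const current = sessionUserId == null ? null : users.find((u) => u.id === sessionUserId);

  if (current) {
    // Signed in already: an explicit request to link this provider.
    if (owner && owner.id !== current.id) {
      throw new AccountConflictError(`${provider} identity is linked to another account`);
    }
    current.providers[provider] = profile.id;
    return current;
  }

  // Returning user: matched on the provider's own id, never on email.
  if (owner) return owner;

  // Unknown identity whose email is already registered: do not merge and do
  // not sign in as that user. Throw so the caller has to handle it.
  if (email && users.some((u) => normalizeEmail(u.email) === email)) {
    throw new AccountConflictError(`${email} is registered; sign in first to link ${provider}`);
  }

  const user = { id: users.length + 1, email: email || null, providers: { [provider]: profile.id } };
  users.push(user);
  return user;
}
```

In a Passport verify callback, the caller would catch this error and pass it to `done(err)` so the route can ask the user to sign in first and then link the provider.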

iaincollins commented on May 17, 2024

Hah, so I have a version locally that has passport support but trying to implement it in a way that doesn't over complicate the example for folks to the point where it's hard to follow the logic.

The biggest problem is showing an example that has best case handling for all the complex types of errors that can occur in corner cases (like people trying to sign in with say a Facebook account that has an email address associated with it that is already used on another account and how you resolve that).

I think I can come up with a nice way to separate the email, oauth and common session handling logic - maybe into ./routes/auth/email.js and ./routes/auth/oauth.js and shared session logic in ./routes/auth/index.js so shall look at doing that.


katopz commented on May 17, 2024

> Hah, so I have a version locally that has passport support but trying to implement it in a way that doesn't over complicate the example for folks to the point where it's hard to follow the logic.

Working example is enough for me :)


> The biggest problem is showing an example that has best case handling for all the complex types of errors that can occur in corner cases (like people trying to sign in with say a Facebook account that has an email address associated with it that is already used on another account and how you resolve that).

I think throwing error for that would be enough to let developer handle it.


> I think I can come up with a nice way to separate the email, oauth and common session handling logic - maybe into ./routes/auth/email.js and ./routes/auth/oauth.js and shared session logic in ./routes/auth/index.js so shall look at doing that.

I can see some approach here https://github.com/kriasoft/nodejs-api-starter#features
And actually I want to merge it with your nextjs-starter and it may look like MEAN stack at the end but nextjs/apollo/passportjs.

What do you think?


nickredmark commented on May 17, 2024

@iaincollins interesting you shall mention the problem with the corner cases - it is my opinion that these should be handled by a separate "user accounts" library. I've been working on such a library - ooth, that you can find described here: https://medium.com/the-ideal-system/ooth-user-accounts-for-node-js-93cfcd28ed1a#.97kyfg4xg and the repo is here https://github.com/nmaro/ooth

Some logic is already in place for it to be extensible with different passport-based strategies, while taking care of corner cases like the one you mention (registering with a strategy that comes with an existing email address). It runs as an independent microservice, which of course is ideal for integration with next.js.

I'm now trying to create an authentication example with next.js, and hoping to find good inspiration in this nextjs-starter project - it will be published here: https://github.com/nmaro/ooth/tree/master/examples/ooth-next

On the other hand, if you do like the idea, I'll be glad to do whatever is needed for ooth to be used as a library in this project.


iaincollins commented on May 17, 2024

I've now added Passport support to https://nextjs-starter.now.sh as of version 2.5.


  • It uses Passport for oAuth, together with express-sessions (as before).
  • There is support for Facebook, Google and Twitter+ oAuth and it's easy to add more (see AUTHENTICATION.md and routes/auth-passport.js).
  • It uses the universal client/server session system (with CSRF tokens, XSS protection via HTTP Only cookies, the ORM layer that supports Mongo, SQL DBs, Redshift, etc.) as the email sign in uses.

If any modules get released that can help abstract auth further I'd be happy to look at integrating them if it reduces the amount of project specific code. I've long wanted something like that but I suspect it's a tall order, because of how tightly integrated some things need to be - and de-coupling often ends up meaning more code and more complexity.

That nodejs-api-starter from kriasoft was very useful, thanks for that @katopz! I've ended up using a modified version of the same approach.

Configuring the oAuth with Facebook and Google is a pain, but it's easiest with Twitter as it's much less strict. At least there is a working URL I can point to to prove it all works, I'm just hoping no-one asks for any support for it. :-)


katopz commented on May 17, 2024

@iaincollins Great job! I did some WIP here with dirty passport-facebook only while waiting, I'll try to merge your code to see it blow up 🚀 weeee!
