lipp / login-with
Stateless login-with microservice for OAuth
Home Page: https://login-with.com
License: MIT License
Hi there,
thanks for this awesome project!
I just noticed that if you use multiple subdomains (multi-dot subdomains) like this one: dev.login.mydomain.com
You will get a cookie for .login.mydomain.com. I don't think this is intentional, since a cookie for .login.mydomain.com is not really useful ;)
Extracting a multi-dot subdomain from a domain is not trivial, since there are TLDs (or second-level domains) like co.uk that also contain a dot.
I googled around and found out that there is a publicly maintained list with all TLDs:
There are also tools that use the list to parse domain names, e.g.:
It looks like wrangr/psl does not have any dependencies and might be safe for use. It uses the MIT license as well.
Thanks for doing this!
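As an added illustration of the problem described in this issue (example code, not login-with's own): deriving a cookie domain with public-suffix awareness. The suffix list below is a tiny constructed stand-in for the real Public Suffix List (it ignores the list's wildcard and exception rules), the "naive" rule is only a reconstruction consistent with the reported behaviour, not the project's actual code, and the function names are this example's own. The important defender-side caveat it encodes: never set a cookie on a public suffix such as co.uk or github.io, so the helper returns null in that case instead of guessing.

```javascript
// Constructed stand-in for the Public Suffix List (publicsuffix.org).
// A real deployment loads the full list, e.g. via the psl package.
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'uk', 'co.uk', 'org.uk', 'github.io']);

// Naive rule: drop the first label. This yields ".login.mydomain.com" for
// "dev.login.mydomain.com", the unhelpful result the issue reports.
function naiveCookieDomain(host) {
  const labels = host.toLowerCase().split('.');
  return '.' + (labels.length > 2 ? labels.slice(1).join('.') : host.toLowerCase());
}

// Longest matching suffix wins (as with PSL lookups, "co.uk" beats "uk").
// Returns null when no known suffix matches.
function publicSuffix(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return null;
}

// Registrable domain = public suffix plus exactly one more label.
// Returns null if the host is itself a public suffix (or has none).
function registrableDomain(host) {
  const suffix = publicSuffix(host);
  if (suffix === null) return null;
  const labels = host.toLowerCase().split('.');
  const suffixLen = suffix.split('.').length;
  if (labels.length <= suffixLen) return null;
  return labels.slice(labels.length - suffixLen - 1).join('.');
}

// Cookie domain for the application: registrable domain with a leading dot,
// or null when no safe domain exists (never scope a cookie to a public suffix).
function cookieDomain(host) {
  const reg = registrableDomain(host);
  return reg === null ? null : '.' + reg;
}

// Stand-alone demonstration with constructed hosts.
for (const h of ['dev.login.mydomain.com', 'dev.login.example.co.uk', 'co.uk', 'localhost']) {
  console.log(h, '->', 'naive:', naiveCookieDomain(h), 'psl-aware:', cookieDomain(h));
}
```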
The APIs return more data beyond username, displayName and photo.
It would be nice to have that data together with the requests.
It's open-source and deployed on now.sh, so why is the _src URL disabled?
To reproduce:
You'll get redirected to https://auth.login-with.com/reddit/callback with {"error":null,"user":false}
This is happening because in routes.js here, both error and user are falsy and so it falls through to the res.json at the end.
A solution here would probably be to change line 34 to if (error || !user) - would you accept a PR for that? I'm not sure if this is happening for other providers, I've only tested with reddit.
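The fall-through this issue describes, as an added example (not the project's routes.js, whose exact shape is only reconstructed here from the description): passport's custom callback reports an authentication failure as error === null together with user === false, so a handler that branches on error and on user separately lets that case reach the trailing res.json. The response stub and handler names are this example's own.

```javascript
// Minimal stand-in for an Express response object (constructed for the example).
function makeRes() {
  const res = { statusCode: 200, body: null, redirectedTo: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  res.redirect = (url) => { res.redirectedTo = url; return res; };
  return res;
}

// Reconstructed original shape: separate error branch, separate user branch,
// and a catch-all res.json that is reached when both are falsy.
function handleCallbackOriginal(error, user, res) {
  if (error) {
    return res.status(500).json({ error: error.message });
  }
  if (user) {
    return res.redirect('/success'); // set cookies, redirect, etc.
  }
  return res.json({ error, user });
}

// With the issue's proposed check: any failure, including user === false,
// is reported as an authentication failure instead of falling through.
function handleCallbackFixed(error, user, res) {
  if (error || !user) {
    return res.status(401).json({ error: error ? error.message : 'authentication failed' });
  }
  return res.redirect('/success');
}

// Drive a handler with the (error, user) pair passport would hand it.
function simulate(handler, error, user) {
  const res = makeRes();
  handler(error, user, res);
  return res;
}

console.log('original, denied login:', simulate(handleCallbackOriginal, null, false));
console.log('fixed, denied login:', simulate(handleCallbackFixed, null, false));
```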
Given a login-with instance how could an application request additional scopes for the authorisation request?
Should we allow this?
I work for a streaming site that has a lot of varied scopes, sometimes just having the user's record isn't enough.
I've taken a stab at this here: ProbablePrime@a6e0d30 but wanted to open an issue before the PR to see if this was something that would be welcome.
I wrote this on a Show HN about this, but was (correctly) called out for not opening an issue about that:
The information on /login should probably be on / so I can read somewhere what "Stateless authentication microservice" actually means.
Also maybe a sentence why this is neat and should be used...
Someone else wrote:
"Stateless authentication microservice" has only one possible meaning to me. Did you want to ask something more specific, or do you just not know what those (common) words mean?
to which I then replied
To me it means... nothing specific.
It tells me that it has something to do with login, "without state" (whatever this means in this context) and that it is somehow not a "big service" but very "micro", so probably independent. Stateless and microservice can mean so many things.
So please take this as a bit of feedback: not everyone really and fully understands the current description.
Would you consider supporting the largest platforms in China?
Reference:
https://github.com/anerg2046/sns_auth
Microsoft login support would be awesome. A lot of people have Office365, and other MS services just like Google...
How do I pass the cert and key for https support. The example does not make this clear.
Hello!
I want to test your OAuth authentication using Docker. The thing is that I'm new to Docker; I have read several docs but in the end I have no clue about which initial values the mandatory environment variables need in order to compile in the terminal.
I need some guidance.
Here is my screen with my setup.
And here is the other screen with the terminal error.
It says it can't find the env variable, but I put it in my setup. Please help.
Not everyone knows what now is. It would be great to have a link in the README.
Let the user configure which metadata per strategy is included in the JWT and/or profile cookie.
Maybe by using env variables: LW_GOOGLE_JWT_META=email,hobby,animal.
See also #36
This looks super great, thanks
I want to migrate my app which has Facebook and email + password auth. Do you plan to add auth using email link and/or login/password?
It looks like the Google strategy sets both username and name to displayName. Shouldn't username be the primary email address, or at least something unique?
https://github.com/lipp/login-with/blob/master/src/strategies/google.js#L23-L24
I think it's unsafe to leave sensitive data such as access tokens (in the case of OAuth2 like Google).
If an attacker is able to retrieve a cookie he can easily decode the JWT token and use the access token to issue arbitrary requests to the authentication provider APIs and retrieve any information that might have been originally granted to it by the user (e.g. read my Gmail emails...).
I think the point of this lib is to make this kind of authentication process stateless (or backendless), and storing the access tokens directly in the cookie is an easy win. Anyway, I would at least try to protect this sensitive data by applying some level of encryption; maybe a simple symmetric encryption, using the same secret used to generate the JWT token signature as the key, would be enough...
I look forward to knowing the community's thoughts on this matter.
https://hub.docker.com/r/lipp/login-with/tags/ reads "Last pushed 5 months ago".
Could travis be used to push the latest master build to docker? Here's a guide on that: https://bhavik.io/2016/08/20/travis-ci-docker-image.html
I saw you using a no-longer-maintained in-memory store module for express-session.
I recommend switching to a fully tested one; check it out: memorystore
The past couple of days it's just displayed:
Internal Server Error
The README says "Your Google Client ID" and "Your Google Client Secret" in the LinkedIn section.
Great work!
I tried this out on my local, and I don't see any cookies saved. I just see "{}" when I visit the "auth" endpoint. Everything seems to work, as I get redirected to GitHub's OAuth page, and then back. Then, I tried it on your site, https://login-with.now.sh/login , and I see the same thing. Everything appears to work, and your app is in my GitHub authorized apps ( https://github.com/settings/applications ), along with my app. I did a console.log(user) under
onAuthenticationCallback: (req, res, next) => { const type = req.path.split('/')[1] passport.authenticate(type, (error, user) => {
and the user is there, in the format that is set up in github.js.
I tried a try/catch around the res.cookie section, and there were no exceptions.
Any ideas?
Vote this up to request the email to be included in the profile cookie.
Hello,
I have a simple question. Say I've logged in once and got a JWT, and then log in on another machine using the same social account. Maybe I'm mistaken, but I can't find any way to (easily) tell that both tokens belong to the same person since the provider ID doesn't seem to be stored in the token. So is there a way to identify a user without having to make a request to the provider API with the given access token?
I ran now lipp/login-with -e LW_SESSION_SECRET=... -e LW_JWT_SECRET=... -e LW_SUBDOMAIN=... -e LW_FACEBOOK_APPID=... -e FACEBOOK_APPSECRET=..., but still got the error Error! No secret found by uid or name "lw-reddit-clientsecret" (and the error changes every time). It looks like all env vars are required, even the optional ones?
Hi, thanks for the app.
When I try to log into GitHub on the demo application (https://login-with.now.sh/login) the server responds with:
{"error":{"name":"AuthorizationError","message":"The redirect_uri MUST match the registered callback URL for this application.","code":"redirect_uri_mismatch","uri":"https://developer.github.com/v3/oauth/#redirect-uri-mismatch","status":500}}
If I wanted to request different scopes is it just better to fork and modify the strategies or is there another way that scope can be configured? I didn't seem to see anything in the code that suggested it would be configured by an environment variable, but that might make for a good feature?
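An added example (not part of login-with) for both of the scope questions on this page, the one above and the earlier issue about additional scopes for the authorisation request: scopes for a provider are resolved from configuration, and anything a calling application asks for on top is checked against an operator-defined allow-list, so an arbitrary caller cannot escalate to scopes the operator never permitted. The env-var names LW_<PROVIDER>_SCOPE and LW_<PROVIDER>_EXTRA_SCOPES, the default scope table, and the function names are this example's own assumptions, not settings the project defines.

```javascript
// Constructed per-provider defaults for the example (not the project's values).
const DEFAULT_SCOPES = { github: ['user:email'], google: ['profile', 'email'] };

// "a,b c" -> ['a', 'b', 'c'], de-duplicated, empty input -> [].
function parseScopeList(value) {
  if (!value) return [];
  return [...new Set(value.split(/[,\s]+/).map((s) => s.trim()).filter(Boolean))];
}

// env: an object shaped like process.env; provider: 'github', 'google', ...;
// requested: extra scopes the calling application asked for (e.g. ?scope=repo).
// Returns { scopes, rejected }: the scopes to send to the provider and the
// requested scopes that were refused because the operator did not permit them.
function resolveScopes(provider, env, requested = []) {
  const key = provider.toUpperCase();
  const configured = parseScopeList(env[`LW_${key}_SCOPE`]);
  const defaults = configured.length ? configured : (DEFAULT_SCOPES[provider] || []);
  const permitted = new Set([...defaults, ...parseScopeList(env[`LW_${key}_EXTRA_SCOPES`])]);
  const rejected = requested.filter((s) => !permitted.has(s));
  const scopes = [...new Set([...defaults, ...requested.filter((s) => permitted.has(s))])];
  return { scopes, rejected };
}

// OAuth 2.0 (RFC 6749, section 3.3) defines the scope parameter as a
// space-delimited list; individual scope strings are provider-specific.
function scopeParameter(scopes) {
  return scopes.join(' ');
}

// Stand-alone demonstration with a constructed environment.
const demoEnv = { LW_GITHUB_EXTRA_SCOPES: 'repo read:org' };
console.log(resolveScopes('github', demoEnv, ['repo', 'admin:org']));
console.log(scopeParameter(resolveScopes('github', demoEnv, ['repo']).scopes));
```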