
Create vs Login when using Google oauth for access

I am currently trying to set up my server to allow users to log in with Google OAuth 2.0.

I am using passport and passport-google-oauth.

Normal set up is something like:

var passport = require('passport');
var GoogleStrategy = require('passport-google-oauth').OAuth2Strategy;

passport.use(new GoogleStrategy({
    clientID: GOOGLE_CLIENT_ID,
    clientSecret: GOOGLE_CLIENT_SECRET,
    callbackURL: "http://127.0.0.1:3000/auth/google/callback"
  },
  // Verify callback: runs after Google has authenticated the user and
  // the strategy has exchanged the code for tokens and fetched the profile.
  function(accessToken, refreshToken, profile, done) {
    // Look the user up by Google id, creating an account if none exists.
    User.findOrCreate({ googleId: profile.id }, function (err, user) {
      return done(err, user);
    });
  }
));

However what I really want is to still control access to my server after accounts are approved.

Meaning a user would first 'create' an account using Google, then be able to sign in once their account is approved.

I would really like there to be a signup route and login route:

app.get('/auth/google/signup',
  passport.authenticate('google', { scope: ['profile', 'email'] }));

app.get('/auth/google',
  passport.authenticate('google', { scope: 'https://www.googleapis.com/auth/plus.login' }));

app.get('/auth/google/callback', 
  passport.authenticate('google', { failureRedirect: '/login' }),
  function(req, res) {
    // Successful authentication, redirect home.
    res.redirect('/');
  });

My problem is that when I get to the GoogleStrategy setup I don't really know which route they initially hit. I.e. if they hit the login route but had not created an account, I do not want to create an account; I want to warn them that they did not yet create an account. Had they hit the signup route and already had an account, I would not want to create another account; I would just tell them they already have an account.

Is there any way in the GoogleStrategy that I can tell which route the user initially hit on my server?

In your user model, create an "approved" field with default False (Boolean).

And you can check this field on the GoogleStrategy to restrict the access.

If you want to apply this on all Strategies you can filter on the serialization method in passport.

Hope it helps.

You can pass a 'state' query parameter in your initial request that will be round-tripped back to your callback.

Documented here: https://developers.google.com/identity/protocols/OAuth2WebServer

state (any string): Provides any state that might be useful to your application upon receipt of the response. The Google Authorization Server roundtrips this parameter, so your application receives the same value it sent. To mitigate against cross-site request forgery (CSRF), it is strongly recommended to include an anti-forgery token in the state, and confirm it in the response. See OpenID Connect for an example of how to do this.
