express-authentication
Unopinionated authentication for express; an alternative to passport.
Usage
If your needs are simple and you only have one kind of authentication you can use express-authentication mixins trivially out of the box.

```javascript
var express = require('express'),
	authentication = require('express-authentication'),
	app = express();

app;
app;
```
If you want to use more than one authentication middleware then use the magic of contextualization.
```javascript
var express = require('express'),
	authentication = require('express-authentication'),
	app = express();

var auth = ;

// Authentication is just middleware! The middleware must just obey a few rules;
// no need to include another library.
var api = auth;
var session = auth;
var facebook = auth;

// Allow session/api authentication to occur anywhere; that is to say someone
// can provide credentials for either kind of authentication and they will be
// accepted.
app;
app;

// Only allow facebook authentication to occur at the /facebook location.
app;

// Ensure this route is only authenticated via session
app;

// Allow anything to authenticate against this route
app;

// Invoke specific middleware when authentication either succeeds or fails
// which is much more powerful than passport's `redirect` ability.
app;
app;
app;

// Get authentication data from middleware itself
app;
```
Mixins
- required - fail the route unless auth succeeded
- succeeded - continue middleware chain only if auth succeeded
- failed - continue middleware chain only if auth failed
- tried - continue middleware chain only if auth tried
- untried - continue middleware chain only if auth untried
Roll Your Own Middleware
```javascript
// Authentication is just middleware! The middleware must just obey a few rules;
// no need to include another library.
function api(req, res, next) {
	// provide the data that was used to authenticate the request; if this is
	// not set then no attempt to authenticate is registered. if no data is
	// provided but you still wish to register an authentication attempt, set
	// this to true. (here: the Authorization header)
	req.challenge = req.get('Authorization');

	// provide the result of the authentication; true if it succeeded, false
	// if it did not. compare the challenge, since req.authentication is only
	// set further down.
	req.authenticated = req.challenge === 'secret';

	// provide the metadata of the authentication; generally some kind of user
	// object on success and some kind of error as to why authentication failed
	// otherwise.
	if (req.authenticated) {
		req.authentication = { user: 'bob' };
	} else {
		req.authentication = { error: 'INVALID_API_KEY' };
	}

	// That's it! You're done!
	next();
}

// Let everyone use it.
module.exports = api;
```
Make sure you include us in your keywords and mark which version of the API you are compatible with in your package.json!
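The contract above, exercised for the three states a request can be in (untried, tried and failed, succeeded), as an added example that is not code from express-authentication or its README. The `x-api-key` header, the sample key, the `simulate` helper and the 401/403 split are assumptions for illustration, and `required` is a local stand-in written from the Mixins list, not the library's implementation; the key check uses a constant-time comparison instead of `===`.

```javascript
const { createHash, timingSafeEqual } = require('crypto');

// Constructed sample key; a real deployment loads it from a secret store.
const API_KEY = 'constructed-sample-key';

const sha256 = (value) => createHash('sha256').update(String(value)).digest();

// Middleware obeying the contract from "Roll Your Own Middleware".
function apiKeyAuth(req, res, next) {
  const presented = req.headers['x-api-key']; // header name is an assumption
  if (presented === undefined) return next(); // no challenge: stays untried
  // An empty header is still an attempt, so register it with `true`.
  req.challenge = presented || true;
  // Hashing both sides gives timingSafeEqual equal-length buffers and keeps
  // the comparison independent of where the strings first differ.
  req.authenticated = timingSafeEqual(sha256(presented), sha256(API_KEY));
  req.authentication = req.authenticated
    ? { user: 'bob' }
    : { error: 'INVALID_API_KEY' };
  next();
}

// Local stand-in for the `required` mixin: fail unless auth succeeded.
// The 401 (untried) versus 403 (tried and failed) split is this sketch's choice.
function required(req, res, next) {
  if (req.authenticated === true) return next();
  res.statusCode = req.challenge ? 403 : 401;
  res.body = req.authentication || { error: 'NO_CREDENTIALS' };
}

// Run one request through both middleware using minimal fake req/res objects.
function simulate(headers) {
  const req = { headers };
  const res = { statusCode: 200, body: null };
  apiKeyAuth(req, res, () =>
    required(req, res, () => {
      res.body = 'Hello ' + req.authentication.user;
    })
  );
  return { status: res.statusCode, body: res.body, tried: Boolean(req.challenge) };
}
```
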
Differences to passport
Passport is very opinionated. Passport has more strategies available.
Passport loves sessions
express-authentication is an authentication framework; we don't touch your sessions. passport (although it is possible to use without them) pretty much assumes you're going to be using session-based authentication.
Passport strategies must extend base class
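Passport strategies must always inherit from a base Strategy class; they are not middleware themselves.

passport strategy:

```javascript
// passport strategy
var util = require('util'),
	Strategy = require('passport-strategy');

function SessionStrategy() {
	Strategy.call(this);
	this.name = 'session';
}
util.inherits(SessionStrategy, Strategy);

SessionStrategy.prototype.authenticate = function(req) {
	// ...
};

module.exports = SessionStrategy;
```

express-authentication middleware:

```javascript
module.exports = function(req, res, next) {
	// ...
};
```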
Passport delegation not possible
Authentication and actions from authentication results are tightly coupled in passport. It is not possible to delegate when authentication failure should occur.
passport delegation:

```javascript
// passport binds actions
app;
```

express-authentication delegation:

```javascript
// express-authentication lets you do what you want
app
app
```