npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@reaktor/express-gauth

v5.1.2

Published

Simplified GAuth login for Express with ACLs

Downloads

35

Readme

Google OAuth 2 with access control for Node Express app

Greenkeeper badge

Installation

This is a Node.js module available through the npm registry. Installation is done using the npm install command:

$ npm install --save @reaktor/express-gauth

Usage

Simple Express app with access allowed only from two domains with Google auth

const express = require('express')
const session = require('express-session')
const { expressGAuth } = require('@reaktor/express-gauth')
const app = express()
const allowedLoginFromDomains = ['reaktor.fi', 'reaktor.com']
// Initialize Google auth middleware. You need your Google app id and secret.
const myGauth = expressGAuth({
  clientID: process.env.GOOGLE_CLIENT_ID,
  clientSecret: process.env.GOOGLE_CLIENT_SECRET,
  clientDomain: 'http://localhost:5555',
  allowedDomains: allowedLoginFromDomains
})

// Session must be initialized first
app.use(session({
  secret: 'lol',
  resave: false,
  saveUninitialized: true
}))

// Use your configured gauth middleware
app.use(myGauth)

app.get('/', function(req, res) {
  res.send(`
    <!DOCTYPE html>
      <html lang="en">
        <head>
          <meta charset="UTF-8">
          <title>Simple Express GAuth</title>
        </head>
        <body>
          <h1>Hello Reaktorian ${req.user.displayName}!</h1>
        </body>
      </html>`)
})

app.listen(5555, function() {
  console.log('Waiting for Reaktorian Google login at http://localhost:5555')
})

Using Access token

Full example

  const app = express()
  app.use(session(/* options */))
  const myGauth = expressGAuth({
    googleAuthorizationParams: {
      scope: ['profile', 'email']
    },
    // Other gauth options
  })
  app.use(myGauth)
  app.get('/', function(req, res) {
    const accessToken = req.session.passport.user.credentials.access_token
    // Access private files with Google API using the access token
  })

All config options

expressGAuth({
  clientID: process.env.GOOGLE_CLIENT_ID,
  clientSecret: process.env.GOOGLE_CLIENT_SECRET,
  clientDomain: 'http://localhost:5555',
  allowedDomains: ['reaktor.fi', 'reaktor.com'], // User needs to login with Google and email with these domains.
  allowedEmails: ['[email protected]', '[email protected]'], // These users are allowed login through Google auth.
  publicEndPoints: ['/logout'], // These end points do not require any authentication.
  ignoreUrlParamsOfPublicEndPoints: true, // Before validating url to match one of the publicEndPoints, the url parameters are stripped away
  unauthorizedUser: (req, res, next, user) => res.send(`<h1>Sorry ${user.displayName}, you has no access!</h1>`),
  errorPassportAuth: (req, res, next, err) => res.send('<h1>Error logging in!</h1>'),
  errorNoUser: (req, res, next) => res.send('<h1>Error logging in, no user details!</h1>'),
  errorLogin: (req, res, next, err) => res.send('<h1>Login error in Express, this is odd!</h1>'),
  serializeUser: (user, done) => done(null, user),
  deserializeUser: (user, done) => done(null, user),
  logger: {
    log: function() {
      console.log('mylog', new Date, JSON.stringify(arguments))
    },
    error: function() {
      console.log('myerror', new Date, JSON.stringify(arguments))
    }
  },
  // Override default authorization params
  // List of supported params are available in passport-google-oauth2 source
  // https://github.com/jaredhanson/passport-google-oauth2/blob/master/lib/strategy.js
  // https://developers.google.com/identity/protocols/OpenIDConnect#authenticationuriparameters
  googleAuthorizationParams: {
    scope: ['profile', 'email'],
    hostedDomain: 'reaktor.fi',
    // To gain refreshable tokens
    accessType: 'offline',
    // This forces Google to send refresh tokens on each session start
    // By default Google sends refresh token only once per authentication to Google
    prompt: 'consent'
  },
  // Time in seconds to refresh access token before it expires
  refreshBefore: 10
  // Redirect user to the original url
  returnToOriginalUrl: false,
  // originalUrl will be set as the return url only if returnToOriginalUrl is true,
  // and the originalUrl passes this predicate
  isReturnUrlAllowed: url => /\.(css|jpe?g|gif|ico|js|json|png|svg|woff2?)$/i.test(url) === false,
})

Full example

Version history

  • 5.1.0 - Add optional stripping of url parameters to the publicEndPoints validation
  • 5.0.0 - Fix vulnerability in the detection of the domain of the user email (see this article)
  • 4.0.1 - Update documentation, fix badly typed logger prop in options
  • 4.0.0 - BREAKING CHANGES: middleware constructor is now exported by name. Typescript typings added
  • 3.0.0 - Support Google auth without Plus API. Possibly breaking changes, see this pull request.
  • 2.5.0 - Make it possible to disallow return urls when using returnToOriginalUrl
  • 2.4.0 - Use refresh token to refresh expiring access tokens
  • 2.3.0 - Add option for redirecting user to original url
  • 2.2.0 - Add profile.credentials which contains user's authorization tokens
  • 2.1.0 - Allow overriding Google OAuth 2.0 authorization params
  • 2.0.1 - Show dependency monitoring badge in NPM page.
  • 2.0.0 - Usage as middleware. Also remove failing automatic redirect logic.
  • 1.1.4 - Add package-lock.json and update deps
  • 1.1.3 - Fix domain parsing when emnail has multiple @ characters
  • 1.1.2 - Remove lodash dependency
  • 1.1.1 - Prompt for Google account to enable account change
  • 1.1.0 - ACL by individual email
  • 1.0.0 - ACL by domains