Google OAuth 2 with access control for Node Express app
Installation
This is a Node.js module available through the
npm registry. Installation is done using the
npm install
command:
$ npm install --save @reaktor/express-gauth
Usage
Simple Express app with access allowed only from two domains with Google auth
const express = require('express')
const session = require('express-session')
const { expressGAuth } = require('@reaktor/express-gauth')
const app = express()
const allowedLoginFromDomains = ['reaktor.fi', 'reaktor.com']
const myGauth = expressGAuth({
clientID: process.env.GOOGLE_CLIENT_ID,
clientSecret: process.env.GOOGLE_CLIENT_SECRET,
clientDomain: 'http://localhost:5555',
allowedDomains: allowedLoginFromDomains
})
app.use(session({
secret: 'lol',
resave: false,
saveUninitialized: true
}))
app.use(myGauth)
app.get('/', function(req, res) {
res.send(`
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Simple Express GAuth</title>
</head>
<body>
<h1>Hello Reaktorian ${req.user.displayName}!</h1>
</body>
</html>`)
})
app.listen(5555, function() {
console.log('Waiting for Reaktorian Google login at http://localhost:5555')
})
Using Access token
Full example
const app = express()
app.use(session())
const myGauth = expressGAuth({
googleAuthorizationParams: {
scope: ['profile', 'email']
},
})
app.use(myGauth)
app.get('/', function(req, res) {
const accessToken = req.session.passport.user.credentials.access_token
})
All config options
expressGAuth({
clientID: process.env.GOOGLE_CLIENT_ID,
clientSecret: process.env.GOOGLE_CLIENT_SECRET,
clientDomain: 'http://localhost:5555',
allowedDomains: ['reaktor.fi', 'reaktor.com'],
allowedEmails: ['john@example.com', 'jussi@example.com'],
publicEndPoints: ['/logout'],
ignoreUrlParamsOfPublicEndPoints: true,
unauthorizedUser: (req, res, next, user) => res.send(`<h1>Sorry ${user.displayName}, you has no access!</h1>`),
errorPassportAuth: (req, res, next, err) => res.send('<h1>Error logging in!</h1>'),
errorNoUser: (req, res, next) => res.send('<h1>Error logging in, no user details!</h1>'),
errorLogin: (req, res, next, err) => res.send('<h1>Login error in Express, this is odd!</h1>'),
serializeUser: (user, done) => done(null, user),
deserializeUser: (user, done) => done(null, user),
logger: {
log: function() {
console.log('mylog', new Date, JSON.stringify(arguments))
},
error: function() {
console.log('myerror', new Date, JSON.stringify(arguments))
}
},
googleAuthorizationParams: {
scope: ['profile', 'email'],
hostedDomain: 'reaktor.fi',
accessType: 'offline',
prompt: 'consent'
},
refreshBefore: 10
returnToOriginalUrl: false,
isReturnUrlAllowed: url => /\.(css|jpe?g|gif|ico|js|json|png|svg|woff2?)$/i.test(url) === false,
})
Full example
Version history
- 5.1.0 - Add optional stripping of url parameters to the publicEndPoints validation
- 5.0.0 - Fix vulnerability in the detection of the domain of the user email (see this article)
- 4.0.1 - Update documentation, fix badly typed logger prop in options
- 4.0.0 - BREAKING CHANGES: middleware constructor is now exported by name. Typescript typings added
- 3.0.0 - Support Google auth without Plus API. Possibly breaking changes, see this pull request.
- 2.5.0 - Make it possible to disallow return urls when using returnToOriginalUrl
- 2.4.0 - Use refresh token to refresh expiring access tokens
- 2.3.0 - Add option for redirecting user to original url
- 2.2.0 - Add profile.credentials which contains user's authorization tokens
- 2.1.0 - Allow overriding Google OAuth 2.0 authorization params
- 2.0.1 - Show dependency monitoring badge in NPM page.
- 2.0.0 - Usage as middleware. Also remove failing automatic redirect logic.
- 1.1.4 - Add package-lock.json and update deps
- 1.1.3 - Fix domain parsing when emnail has multiple @ characters
- 1.1.2 - Remove lodash dependency
- 1.1.1 - Prompt for Google account to enable account change
- 1.1.0 - ACL by individual email
- 1.0.0 - ACL by domains