UNPKG

simple-google-openid

Version:

A simple library for using Google as the authenticator of your application's users.

github.com/jacekkopecky/node-simple-google-openid

jacekkopecky/node-simple-google-openid

305 lines (218 loc) 8.9 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
# node-simple-google-openid This is a simple library providing two Express.js middlewares for using Google as the authenticator of your application's users. All authentication workflows are done in the client's browser; to authenticate with a server, the browser sends a [JSON Web Token](https://tools.ietf.org/html/rfc7519) to your server's API. In the server, this package will add `req.user` structured like a [Passport User Profile](http://passportjs.org/docs/profile). This package makes use of [Google Auth Library](https://github.com/google/google-auth-library-nodejs). ### Status - works for me, does what I need - let me know if it doesn't work for you or if you'd like any new functionality # Installation ```bash npm install simple-google-openid ``` # Usage ## Express middleware for authentication First, this package provides an Express.js _middleware_ that will take an ID token from the URL query (parameter `id_token`) or from a bearer token (HTTP header `Authorization: Bearer TOKEN`). To add the middleware to your app, you need to give it your CLIENT_ID (see [Create a Google Developers Console project and client ID](https://developers.google.com/identity/sign-in/web/devconsole-project)). A full working example is included below. ```javascript const GoogleAuth = require('simple-google-openid'); … app.use(GoogleAuth(CLIENT_ID)); ``` If an ID token is found and successfully parsed, the middleware will add `req.user` like [Passport User Profile](http://passportjs.org/docs/profile). ## How to require authentication To require authentication for a part of your app (e.g. `/api/*`), you can use the `guardMiddleware`; this will ensure that the app returns 401 Unauthorized on requests without an authentication token. ```javascript app.use('/api', GoogleAuth.guardMiddleware()); ``` **This package does not provide any authorization – `guardMiddleware` lets in any signed-in Google user. Your app needs to provide authorization logic.** ## Use outside of Express.js To get a token from the `Authorization` header in an HTTP request, you can use the `getAuthToken()` function: ```javascript const token = getAuthToken(req); ``` Then to verify it, read on. ## Verifying tokens If you get ID tokens with `getAuthToken()` or some other way outside of the `Authorization` header (e.g. as part of WebSocket messages), you can verify them and get the user information using the `verifyToken()` function that returns a Promise. Using await/async: ```javascript const auth = GoogleAuth(CLIENT_ID); … const token = ...; // get token from somewhere const user = await auth.verifyToken(token); if (!user) ...; // token was not valid (e.g. expired) ``` Using `.then()`: ```javascript const auth = GoogleAuth(CLIENT_ID); … const token = ...; // get token from somewhere auth.verifyToken(token) .then((user) => { if (!user) ...; // token was not valid (e.g. expired) }); ``` ## Minimal skeleton of an authenticated web page Here's what we need to do in a web page to get the user authenticated. This follows a guide from Google: [Integrating Google Sign-In into your web app](https://developers.google.com/identity/sign-in/web/sign-in). A full working example is included further down on this page. ```html <!doctype html> <title>TITLE</title> <!-- this loads google libraries --> <script src="https://apis.google.com/js/platform.js" async defer></script> <meta name="google-signin-client_id" content="CLIENT_ID"> <!-- this puts a sign-in button, and a sign-out link, in the page --> <div class="g-signin2" data-onsuccess="onSignIn"></div> <p><a href="#" onclick="signOut();">Sign out</a></p> <!-- this shows how the page can use the information of the authenticated user --> <script> function onSignIn(googleUser) { // do something with the user profile } async function signOut() { await gapi.auth2.getAuthInstance().signOut(); // update your page to show the user's logged out, or redirect elsewhere } // example that uses a server API and passes it a bearer token async function callServer() { const id_token = gapi.auth2.getAuthInstance().currentUser.get().getAuthResponse().id_token; const fetchOptions = { credentials: 'same-origin', method: 'GET', headers: { 'Authorization': 'Bearer ' + id_token }, }; const response = await fetch(API_ENDPOINT_URL, fetchOptions); if (!response.ok) { // handle the error return; } // handle the response } // see the complete example below for an extra function that refreshes the token when the computer wakes up from a sleep </script> ``` # Example Here's a full working example. First, the server that implements an API that needs to securely know users' email addresses; second, the client side. ## Server-side A full working server (`server.js`) follows: ```javascript const express = require('express'); const app = express(); const GoogleAuth = require('simple-google-openid'); // you can put your client ID here app.use(GoogleAuth(process.env.GOOGLE_CLIENT_ID)); // return 'Not authorized' if we don't have a user app.use('/api', GoogleAuth.guardMiddleware()); app.get('/api/hello', (req, res) => { res.send('Hello ' + (req.user.displayName || 'user without a name') + '!'); console.log('successful authenticated request by ' + req.user.emails[0].value); }); // this will serve the HTML file shown below app.use(express.static('static')); const PORT = process.env.PORT || 8080; app.listen(PORT, () => { console.log(`Example app listening on port ${PORT}!`); }); ``` Save this file as `server.js` and run it with your client ID like this: ```bash npm init -y npm install express simple-google-openid GOOGLE_CLIENT_ID='XXXX...' node server.js ``` ## Client-side – the web page in a browser Now let's make a Web page (`static/index.html`) that authenticates with Google and uses the API above. Save this file in `static/index.html`, start the server above, and go to [http://localhost:8080/](http://localhost:8080/). This follows a guide from Google: [Integrating Google Sign-In into your web app](https://developers.google.com/identity/sign-in/web/sign-in). Don't forget to replace `CLIENT_ID` (on line 4) with your own client ID. ```html <!doctype html> <title>Simple Google Auth test</title> <script src="https://apis.google.com/js/platform.js" async defer></script> <meta name="google-signin-client_id" content="CLIENT_ID"> <h1>Simple Google Auth test <span id="greeting"></span></h1> <p>Press the button below to sign in:</p> <div class="g-signin2" data-onsuccess="onSignIn" data-theme="dark"></div> <p><a href="#" onclick="signOut();">Sign out</a></p> <p>Below is the response from the server API: <button onclick="callServer()">refresh</button> <pre id="server-response" style="border: 1px dashed black; min-width: 10em; min-height: 1em; padding: .5em;"></pre> <script> function onSignIn(googleUser) { const profile = googleUser.getBasicProfile(); const el = document.getElementById('greeting'); el.textContent = '– Hello ' + profile.getName() + '!'; setTimeout(callServer, 100); } async function signOut() { await gapi.auth2.getAuthInstance().signOut(); console.log('User signed out.'); const el = document.getElementById('greeting'); el.textContent = 'Bye!'; } async function callServer() { const token = gapi.auth2.getAuthInstance().currentUser.get().getAuthResponse().id_token; const el = document.getElementById('server-response'); el.textContent = 'loading…'; const fetchOptions = { credentials: 'same-origin', method: 'GET', headers: { 'Authorization': 'Bearer ' + token }, }; const response = await fetch('/api/hello', fetchOptions); if (!response.ok) { // handle the error el.textContent = "Server error:\n" + response.status; return; } // handle the response const data = await response.text(); console.log('setting text content: ' + data); el.textContent = data; } // react to computer sleeps, get a new token; gapi doesn't do this reliably // adapted from http://stackoverflow.com/questions/4079115/can-any-desktop-browsers-detect-when-the-computer-resumes-from-sleep/4080174#4080174 (function () { const CHECK_DELAY = 2000; let lastTime = Date.now(); setInterval(() => { const currentTime = Date.now(); if (currentTime > (lastTime + CHECK_DELAY*2)) { // ignore small delays gapi.auth2.getAuthInstance().currentUser.get().reloadAuthResponse(); } lastTime = currentTime; }, CHECK_DELAY); }()); </script> ``` # Logging To enable logging into console output, set the environment variable DEBUG to a non-empty string. # TODO * tokens might be retrieved from POSTed form data as well, maybe * use https://www.npmjs.com/package/express-bearer-token * tests # Author Jacek Kopecky # License This project is licensed under the MIT license. See the [LICENSE](LICENSE) file for more info.