Passport strategy for authenticating with Xapo access tokens using the OAuth 2.0 API.
This module lets you authenticate using Xapo in your Node.js applications. By plugging into Passport, Xapo authentication can be easily and unobtrusively integrated into any application or framework that supports Connect-style middleware, including Express.
```sh
$ npm install passport-xapo
```
Before using passport-xapo, you must register an application with Xapo. If you have not already done so, a new application can be created at Xapo Developers. Your application will be issued a client ID and client secret, which need to be provided to the strategy. You will also need to configure a redirect URI which matches the route in your application.
The Xapo authentication strategy authenticates users using a Xapo account and OAuth 2.0 tokens. The strategy requires a `verify` callback, which accepts these credentials and calls `done` providing a user, as well as `options` specifying a client ID, client secret and callback URL.
```javascript
const passport = require('passport')
const XapoStrategy = require('passport-xapo')

passport.use(new XapoStrategy({
    clientID: XAPO_CLIENT_ID,
    clientSecret: XAPO_CLIENT_SECRET,
    // Must match the redirect URI registered with Xapo for this client ID.
    callbackURL: 'https://www.example.net/auth/example/callback',
  },
  // Verify callback: map the Xapo profile to a local user record and hand it to Passport.
  (accessToken, refreshToken, profile, done) => {
    User.findOrCreate({ xapoId: profile.id }, (err, user) => {
      return done(err, user)
    })
  }
))
```
Use `passport.authenticate()`, specifying the `'xapo'` strategy, to authenticate requests. The permissions can be requested via the `scope` option.

NOTE: You need to provide the `'users'` scope to be able to retrieve the user's profile; otherwise the library will throw an error.
```javascript
// Start the login flow: redirect the user to Xapo, requesting the 'users' scope.
app.get('/auth/xapo',
  passport.authenticate('xapo', { scope: ['users'] })
);

// Xapo redirects back here; a failed exchange sends the user to /login.
app.get('/auth/xapo/callback',
  passport.authenticate('xapo', { failureRedirect: '/login' }),
  (req, res) => {
    // Successful authentication, redirect home.
    res.redirect('/');
  }
);
```
Clients can send requests to routes that use passport-xapo authentication using query params, body, or HTTP headers. Clients will need to transmit the `access_token` and optionally the `refresh_token` that are received from Xapo after login.

```http
GET /auth/xapo?access_token=<ACCESS_TOKEN>
```
Clients can choose to send the access token in the OAuth 2.0 Bearer token format (RFC 6750):

```http
GET /auth/xapo HTTP/1.1
Host: server.example.com
Authorization: Bearer <BASE64_ACCESS_TOKEN_STRING>
```
Optionally, a client can send the token via a custom header (default name `access_token`):

```http
GET /auth/xapo HTTP/1.1
Host: server.example.com
access_token: <BASE64_ACCESS_TOKEN_STRING>
```
Clients can also transmit the access token in a form-encoded request body:

```http
POST /auth/xapo HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

access_token=<BASE64_ACCESS_TOKEN_STRING>
```
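The four token transports above can arrive on the same route, so a server needs a fixed lookup order and should refuse requests that use more than one. The following is an added example, not code from passport-xapo, showing such a resolver for an Express-style `req` (the `opts.headerName` option and the `source` field are this example's own assumptions):

```javascript
// Added example, not passport-xapo code: resolve the access token from the
// transports the README lists, report which transport carried it, and reject
// requests that use more than one (RFC 6750 section 2 forbids that).
// Assumption: `req` is an Express-style request with headers, query and body.
const BEARER_RE = /^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/; // b64token grammar, RFC 6750 2.1

function extractAccessToken(req, opts = {}) {
  // Custom header name, default "access_token" (the library's default). Node
  // lowercases incoming header names, so normalise the configured one too.
  const headerName = (opts.headerName || 'access_token').toLowerCase();
  const headers = req.headers || {};
  const found = [];

  // 1. Authorization: Bearer <token>, the preferred transport.
  if (typeof headers.authorization === 'string') {
    const m = BEARER_RE.exec(headers.authorization.trim());
    if (m) found.push({ token: m[1], source: 'authorization-header' });
  }
  // 2. Custom header. Caveat: many reverse proxies (nginx by default) drop
  //    header names containing underscores, so "access_token" may never arrive.
  if (typeof headers[headerName] === 'string' && headers[headerName] !== '') {
    found.push({ token: headers[headerName], source: 'custom-header' });
  }
  // 3. Form-encoded body parameter (needs a body parser to populate req.body).
  if (req.body && typeof req.body.access_token === 'string' && req.body.access_token !== '') {
    found.push({ token: req.body.access_token, source: 'body' });
  }
  // 4. Query parameter, least preferred: it lands in access logs, browser
  //    history and Referer headers, so treat a token seen here as exposed.
  if (req.query && typeof req.query.access_token === 'string' && req.query.access_token !== '') {
    found.push({ token: req.query.access_token, source: 'query' });
  }

  if (found.length === 0) return null;
  if (found.length > 1) {
    const err = new Error('access token supplied via more than one transport');
    err.sources = found.map((f) => f.source);
    throw err;
  }
  return found[0];
}

// Constructed sample request, as a client following the README would send it.
const sampleReq = {
  headers: { host: 'server.example.com', authorization: 'Bearer abc.DEF-123' },
  query: {},
  body: {},
};
console.log(extractAccessToken(sampleReq)); // { token: 'abc.DEF-123', source: 'authorization-header' }
```

Run the resolver before `passport.authenticate('xapo')` and log `source` alongside the request so that tokens arriving in the query string can be spotted and, if needed, rotated.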
Licensed under the MIT License, Copyright © 2017 Airfill Prepaid AB.
See LICENSE for more information.