FeathersJS Auth Recipe: Create Endpoints with Mixed Auth

The Auk release of FeathersJS includes a powerful new authentication suite built on top of PassportJS. It can be customized to handle almost any app’s authentication requirements. In this guide, we’ll look at how to handle a fairly common auth scenario: Sometimes an endpoint needs to serve different information depending on whether the user is authenticated. An unauthenticated user might only see public records. An authenticated user might be able to see additional records.

Setup the Authentication Endpoint

To get started, we need a working authentication setup. Below is a default configuration and authentication.js. They contain the same code generated by the feathers-cli. You can create the below setup using the following terminal commands:

  1. npm install -g @feathersjs/cli
  2. mkdir feathers-demo-local; cd feathers-demo-local

    or a folder name you prefer.
  3. feathers generate app

    use the default prompts.
  4. feathers generate authentication
    • Select Username + Password (Local) when prompted for a provider.
    • Select the defaults for the remaining prompts.

config/default.json:

  1. {
  2.   "host": "localhost",
  3.   "port": 3030,
  4.   "public": "../public/",
  5.   "paginate": {
  6.     "default": 10,
  7.     "max": 50
  8.   },
  9.   "authentication": {
  10.     "secret": "99294186737032fedad37dc2e847912e1b9393f44a28101c986f6ba8b8bc0eaab48b5b4c5178f55164973c76f8f98f2523b860674f01c16a23239a2e7d7790ae9fa00b6de5cc0565e335c6f05f2e17fbee2e8ea0e82402959f1d58b2b2dc5272d09e0c1edf1d364e9911ecad8172bdc2d41381c9ab319de4979c243925c49165a9914471be0aa647896e981da5aec6801a6dccd1511da11b696d4f6cce3a4534dab9368661458a466661b1e12170ad21a4045ce1358138caf099fbc19e05532336b5626aa376bc158cf84c6a7e0e3dbbb3af666267c08de12217c9b55aea501e5c36011779ee9dd2e061d0523ddf71cb1d68f83ea5bb1299ca06003b77f0fc69",
  11.     "strategies": [
  12.       "jwt",
  13.       "local"
  14.     ],
  15.     "path": "/authentication",
  16.     "service": "users",
  17.     "jwt": {
  18.       "header": {
  19.         "typ": "access"
  20.       },
  21.       "audience": "https://yourdomain.com",
  22.       "subject": "anonymous",
  23.       "issuer": "feathers",
  24.       "algorithm": "HS256",
  25.       "expiresIn": "1d"
  26.     },
  27.     "local": {
  28.       "entity": "user",
  29.       "service": "users",
  30.       "usernameField": "email",
  31.       "passwordField": "password"
  32.     }
  33.   },
  34.   "nedb": "../data"
  35. }

src/authentication.js:

  1. 'use strict';
  3. const authentication = require('@feathersjs/authentication');
  4. const jwt = require('@feathersjs/authentication-jwt');
  5. const local = require('@feathersjs/authentication-local');
  7. module.exports = function () {
  8.   const app = this;
  9.   const config = app.get('authentication');
  11.   app.configure(authentication(config));
  12.   app.configure(jwt());
  13.   app.configure(local(config.local));
  15.   app.service('authentication').hooks({
  16.     before: {
  17.       create: [
  18.         authentication.hooks.authenticate(config.strategies)
  19.       ],
  20.       remove: [
  21.         authentication.hooks.authenticate('jwt')
  22.       ]
  23.     }
  24.   });
  25. };

Set up a “Mixed Auth” Endpoint

Now we need to setup an endpoint to handle both unauthenticated and authenticated users. For this example, we’ll use the /users service that was already created by the authentication generator. Let’s suppose that our application requires that each user record will contain a public boolean property. Each record will look something like this:

  1. {
  2.   id: 1,
  3.   email: 'my@email.com'
  4.   password: "password",
  5.   public: true
  6. }

If a user record contains public: true, then unauthenticated users should be able to access it. Let’s see how to use the iff and else conditional hooks from feathers-hooks-common to make this happen. Be sure to read the iff hook API docs and else hook API docs if you haven’t, yet.

We’re going to use the iff hook to authenticate users only if a token is in the request. The feathers-authentication-jwt plugin, which we used in src/authentication.js, includes a token extractor. If a request includes a token, it will automatically be available inside the context object at context.params.token.

src/services/users/users.hooks.js

(This example only shows the find method’s before hooks.)

  1. 'use strict';
  3. const { authenticate } = require('@feathersjs/authentication').hooks;
  4. const commonHooks = require('feathers-hooks-common');
  6. module.exports = {
  7.   before: {
  8.     find: [
  9.       // If a token was included, authenticate it with the `jwt` strategy.
  10.       commonHooks.iff(
  11.         context => context.params.token,
  12.         authenticate('jwt')
  13.       // No token was found, so limit the query to include `public: true`
  14.       ).else( context => Object.assign(context.params.query, { public: true }) )
  15.     ]
  16.   }
  17. };

Let’s break down the above example. We setup the find method of the /users service with an iff conditional before hook:

  1. iff(
  2.   context => context.params.token,
  3.   authenticate(‘jwt’)
  4. )

For this application, the above snippet is equivalent to the snippet, below.

  1. context => {
  2.   if (context.params.token) {
  3.     return authenticate(‘jwt’)
  4.   } else {
  5.     return Promise.resolve(context)
  6.   }
  7. }

The iff hook is actually more capable than the simple demonstration, above. It can handle an async predicate expression. This would be equivalent to being able to pass a promise inside the if statement’s parentheses. It also allows us to chain an .else() statement, which will run if the predicate evaluates to false.

  1. .else(
  2.   context => {
  3.     Object.assign(context.params.query, { public: true })
  4.     return context
  5.   )

The above statement simply adds public: true to the query parameters. This limits the query to only find user records that have the public property set to true.

Wrapping Up

With the above code, we’ve successfully setup a /users service that responds differently to unauthenticated and authenticated users. We used the context.params.token attribute to either authenticate a user or to limit the search query to only public users. If you become familiar with the Common Hooks API, you’ll be able to solve almost any authentication puzzle.