Setting Up Postman for API Testing When Using Passport Authorization

I am a bit confused while trying to get Postman to work when testing the API of my application. Namely, I am using Passport authentication; however, I do not know which type it defaults to or uses in my code. How can I figure this out and which type should I choose in Postman?

Here is the relevant Passport code:

var login = require('./login');
var signup = require('./signup');
var User = require('../models/user');

module.exports = function(passport, path, nodemailer, sesTransport, EmailTemplate, templateDir, template){

    // Passport needs to be able to serialize and deserialize users to support persistent login sessions
    passport.serializeUser(function(user, done) {
        //console.log('serializing user: ');console.log(user);
        done(null, user._id);
    });

    passport.deserializeUser(function(id, done) {
        User.findById(id, function(err, user) {
            //console.log('deserializing user:',user);
            done(err, user);
        });
    });

    // Setting up Passport Strategies for Login and SignUp/Registration
    login(passport);
    signup(passport, path, nodemailer, sesTransport, EmailTemplate, templateDir, template);

}

Lastly, pretty much all of my API points only work when the user is logged in. How can I emulate the same behavior in Postman by saving the authorization credentials?

Edit:

Perhaps this code is relevant as well:


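// Imports this file relies on. The bcrypt package name is an assumption;
// the post does not show which module bCrypt comes from.
var LocalStrategy = require('passport-local').Strategy;
var User = require('../models/user');
var bCrypt = require('bcrypt-nodejs');

module.exports = function(passport){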

    passport.use('login', new LocalStrategy({
            passReqToCallback : true,
            usernameField: 'email',
            passwordField: 'password'
        },
        function(req, username, password, done) { 
            // check in mongo if a user with username exists or not
            User.findOne({ 'email' :  username }, 
                function(err, user) {
                    // In case of any error, return using the done method
                    if (err)
                        return done(err);
                    // Username does not exist, log the error and redirect back
                    if (!user){
                        console.log('User Not Found with username '+username);
                        return done(null, false, req.flash('message', 'User Not found.'));                 
                    }
                    // User exists but wrong password, log the error 
                    if (!isValidPassword(user, password)){
                        console.log('Invalid Password');
                        return done(null, false, req.flash('message', 'Invalid Password')); // redirect back to login page
                    }
                    // User and password both match, return user from done method
                    // which will be treated like success
                    return done(null, user);
                }
            );

        })
    );


    var isValidPassword = function(user, password){
        return bCrypt.compareSync(password, user.password);
    }  
}


Solution 1:[1]

I don't have code that runs the local auth strategy, but I think the following Postman setup should work for you.

To request an access token, assuming your endpoint is auth/local:

  1. Open up Postman
  2. Create a POST request
  3. Under the Authorization tab, set "No Auth"
  4. Under the Body tab, click on x-www-form-urlencoded
  5. Add a key named email and enter the user email
  6. Add a key named password and enter the associated secret for the email

See token request screenshot below:


The response will come back with an access_token.

To use the access_token, simply create an HTTP request and, in the HEADER tab, add the key Authorization followed by a value of "Bearer

See use token request screenshot.

Solution 2:[2]

I use this and it works fine in Postman. After getting the access token in the response, under the Authorization tab select "Bearer Token" from the "Type" drop-down, and a Token field will appear on the right. Enter the access token.

This works fine with Laravel REST APIs.

Check Screen Shot Postman Auth Token passing

Solution 3:[3]

What I did is this: first send the login request through Postman. If you look in the response you should see a Cookies tab. Copy the value of the cookie.


When you want to check the "protected" route, in the headers you need to choose Cookie and in the value paste the value you copied before.

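An added example, not part of any answer here and not the asker's code: the question's serializeUser/deserializeUser calls exist to support login sessions, so the login response normally carries a Set-Cookie header rather than an access_token. The sketch below classifies a login response and builds the header to enter in Postman. The cookie name connect.sid (express-session's default) and both sample responses are constructed assumptions.

```javascript
// Added example; both sample responses are constructed, not captured from the asker's app.

// Split one Set-Cookie header line into name, value and attribute names.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // malformed: no cookie name
  const flags = new Set(attrs.map(a => a.split('=')[0].toLowerCase()));
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), flags };
}

// Decide which Postman setup matches what the login endpoint returned.
function classifyLogin(res) {
  const raw = res.headers['set-cookie'] || [];
  const cookies = (Array.isArray(raw) ? raw : [raw]).map(parseSetCookie).filter(Boolean);
  let body = null;
  try { body = JSON.parse(res.body); } catch (e) { /* HTML or redirect text, not JSON */ }
  if (body && typeof body.access_token === 'string') {
    return { scheme: 'bearer', header: ['Authorization', 'Bearer ' + body.access_token] };
  }
  if (cookies.length > 0) {
    const header = ['Cookie', cookies.map(c => c.name + '=' + c.value).join('; ')];
    // A session cookie without HttpOnly is readable by page scripts; report it.
    const missingHttpOnly = cookies.filter(c => !c.flags.has('httponly')).map(c => c.name);
    return { scheme: 'session-cookie', header, missingHttpOnly };
  }
  return { scheme: 'none', header: null };
}

// Constructed: session-style login (redirect plus session cookie; name is an assumption).
const sessionLogin = {
  status: 302,
  headers: { 'set-cookie': ['connect.sid=s%3AEXAMPLEID.EXAMPLESIG; Path=/; HttpOnly'] },
  body: 'Found. Redirecting to /home',
};
// Constructed: token-style login (JSON body with an access_token).
const tokenLogin = {
  status: 200,
  headers: { 'content-type': 'application/json' },
  body: '{"access_token":"EXAMPLE.TOKEN.VALUE"}',
};

console.log(classifyLogin(sessionLogin).header.join(': '));
console.log(classifyLogin(tokenLogin).header.join(': '));
```

The session cookie is a credential in the same way the password is, so keep it out of exported or shared Postman collections.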

Solution 4:[4]

When we use Passport.js, it stores the user information using sessions. There is a bug in express-session, so by using cookie-session it is solved (for me), because it gives a header parameter, cookie, which we can use in Postman for testing. When we are in the browser it automatically sets the cookies in the header, but for Postman we have to do it manually. We will get the cookie info from req in Express, e.g.:


which we can use in Postman like:


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Samuel Toh
Solution 2 Ali Raza Lilani
Solution 3 Gustavo Canales
Solution 4 narayann