Ask user to complete registration after social login through Passport

Question

I wonder what is the best practice to ask the user for more information to complete registration after social login with Passport. I am currently able to successfully sign in a user through Twitter, and my callback route '/auth/twitter/callback' is successfully called. However, at this point I'm presenting a form to ask them for a few more pieces of information. My problem is that at this point the req.IsAuthenticated() returns true already, while I'd rather set IsAuthenticated manually only after they complete the registration, not just as soon as the twitter callback is called. Any suggestions?

Answer 1

There are a few ways you can achieve what you want to do and from my point of view fiddling around with req.isAuthenticated() is not the best. I recommend the following approaches.

Method 1

In addition to req.isAuthenticated() put a new condition to check whether the user completed registration or not i.e. user.completedRegistration() where completedRegistration() is a function that checks either mongodb or some other logic to decide yes or not. Sample as follow:

var isAuthenticated = function (req, res, next) {
  if (req.isAuthenticated() && user.completedRegistration()) {
    //user is both authenticated registered.
    return next();
  } else if (req.isAuthenticated() && !user.completedRegistration()) {
    //user is only authenticated, need to fill the form.
    res.redirect('/to/the/view/that/have/registration/form'); 
  } else {
    // user needs to login
    res.redirect('/map/to/the/login/route/handler');
  }
}

You obviously will use the isAuthenticated in your routes, as follow:

// secure GET route
  router.get('/secure/api/create', isAuthenticated, function(req, res) {
    //return some secure view
  }); 

user.completedRegistration() could be a function that queries, the mongodb for the logged in user using the logged in user id (twitter id) and check if a particular field is set. You set this field when the user register otherwise by default it can be false.

Method 2

Depending on ordering of your configs in the app.js every request runs the deserializeUser as shown below:

passport.deserializeUser(function(id, done) {
   User.findById(id, function(err, user) {
      console.log('deserializing user:',user);
         done(err, user);
      });
 });

Which takes the id of the logged in user from req object and retrieves the user from mongodb and populate more information about user in the req object. You can tweak this method to User.find using not only id of the user but, a field that shows whether the user is registered or not. Obviously you need to set the field in the mongodb user object and the User model.

Method 3

Leave alone the passport related configs, write your own checks in the router level to check whether the logged in user is registered or not. You can do this using the following steps:

1. User access certain route and you make sure that he/she is authenticated
2. You retrieve the id of the logged in user
3. You check mongodb or mysql or redis or whatever other logic that you can implement to decide whether the user with this id has completed registration or not
4. If not then you redirect the user to a registration page, if yes then you let the user's request be served normally.

To obtain the id of the logged in user, you can check the req.user field. As shown in the following function, I have implemented twitter, facebook and local and hence all my checks.

function getCurrentLoggedInUserId(req, callback) {
  console.log('FUNC getCurrentLoggedInUserId');

  var userId = "ghost";
  if(req.user) {
    if(req.user.local != undefined && req.user.local.email != undefined) {
      userId = req.user.local.email;
    } else if(req.user.fb != undefined && req.user.fb.id != undefined) {
      userId = req.user.fb.id;
    } else if(req.user.twitter != undefined && req.user.twitter.id != undefined) {
      userId = req.user.twitter.id;
    }
    callback(null, userId);
  } else {
    callback(null, userId);
  }
}

There are many other ways to achieve what you have asked for in here but, you need to do some reading on the express app combined with passport work and then you will get an understanding of where to intercept the user requests and which approach suits you best.