Ejemplo n.º 1
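/**
 * Passport-style CAS authentication step.
 *
 * Without a `ticket` parameter the request is redirected to the CAS login page
 * configured in `self.options`. With a ticket, the ticket is validated against
 * the CAS server and, on success, `self.verify` is run to fetch or create the
 * user; the outcome is reported through `self.success`, `self.fail` or
 * `self.error`.
 *
 * @param {Object} req - The incoming request; only `req.param('ticket')` is read
 */
Strategy.prototype.authenticate = function(req) {
    var self = this;
    var cas = new CAS(self.options);

    // The only client-controlled input in this flow is the `ticket` parameter.
    // It is never trusted on its own: it is handed to the CAS server for
    // validation and only the CAS response decides the outcome.
    // NOTE(review): `req.param` reads route params, body and query string alike
    // (deprecated in later Express versions) — confirm which source the CAS
    // callback is expected to use.
    var ticket = req.param('ticket');
    if (!ticket) {
        // If there is no CAS ticket, invoke the redirect to the CAS login
        // page as configured by the tenant administrator
        var redirectUrl = url.parse(self.options.casBase + self.options.loginPath, true);
        redirectUrl.query.service = self.options.service;
        if (self.options.allow) {
            redirectUrl.query.allow = self.options.allow;
        }
        // `url.format` serializes `search` in preference to `query` when both
        // are set, so a query string already present in `loginPath` would
        // silently drop the `service`/`allow` values added above. Clearing
        // `search` makes `url.format` build the query string from `query`.
        redirectUrl.search = null;

        return self.redirect(url.format(redirectUrl));
    }

    // If we have a ticket in the parameters, we try to validate it
    cas.validate(ticket, function(err, loggedIn, casResponse) {
        if (err) {
            // Talking to the CAS server failed; this is a server-side error and
            // is reported separately from an invalid ticket below
            return self.error(err);
        } else if (!loggedIn) {
            // The CAS server thinks this is an invalid token. This means the user
            // is probably tampering with the request token
            return self.fail('Invalid token', 401);
        }

        // This `self.verify` invocation calls into the `init.js` file of the CAS
        // strategy plugin to fetch or create the user
        self.verify(casResponse, function(verifyErr, user) {
            if (verifyErr) {
                // assumes `verify` reports errors as `{msg: ...}` objects rather
                // than `Error` instances — confirm against `init.js`
                return self.error(new Error(verifyErr.msg));
            }

            // By this point, the user has been retrieved (or created). We pass it
            // on to passport so eventually `req.logIn` will be invoked in the
            // `AuthenticationUtil.handleExternalCallback` method. We pass the user
            // back as the user rather than the authObj (i.e., `{'user': user}`)
            // because `AuthenticationUtil.handleExternalCallback` will take care
            // of wrapping the session user. This is no different than how providers
            // such as Google or Twitter would work.
            return self.success(user);
        });
    });
};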
Ejemplo n.º 2
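/**
 * Passport-style CAS authentication step.
 *
 * With a `ticket` parameter the ticket is validated against the CAS server;
 * on success `self.verify` fetches or creates the user, the success is logged
 * via `AuthenticationUtil.logAuthenticationSuccess` and `self.success` is
 * called. Without a ticket the request is redirected to the CAS login page
 * built from `self.options`.
 *
 * @param {Object} req - The incoming request; only `req.param('ticket')` is read
 */
Strategy.prototype.authenticate = function(req) {
    var self = this;
    var cas = new CAS(self.options);

    // The ticket is the only client-controlled input; it is never trusted on
    // its own and is always validated by the CAS server first.
    // NOTE(review): `req.param` reads route params, body and query string alike
    // (deprecated in later Express versions) — confirm the intended source.
    var ticket = req.param('ticket');
    if (ticket) {
        // If we have a ticket in the parameters, we try to validate it.
        cas.validate(ticket, function(err, loggedIn, casResponse) {
            if (err) {
                // Server-side failure talking to CAS, reported separately from
                // an invalid ticket so operators can tell the two apart
                return self.error(err);
            } else if (loggedIn) {
                // Call the user-provided verify method which checks
                // (or creates) the user.
                self.verify(casResponse, function(verifyErr, user) {
                    if (verifyErr) {
                        // assumes `verify` reports errors as `{msg: ...}` objects
                        // rather than `Error` instances — confirm with the caller
                        return self.error(new Error(verifyErr.msg));
                    }

                    // By this point, the user has been retrieved (or created)
                    // We pass it on to passport so it can be stored in the express
                    // session object.
                    AuthenticationUtil.logAuthenticationSuccess(req, user, self.name);
                    self.success(user);
                });
            } else {
                // The CAS server thinks this is an invalid token.
                // This means the user is probably tampering with
                // the request token.
                return self.fail('Invalid token', 401);
            }
        });
    } else {
        // No ticket, redirect to cas login
        var redirectUrl = url.parse(self.options.casBase + self.options.loginPath, true);
        redirectUrl.query.service = self.options.service;
        if (self.options.allow) {
            redirectUrl.query.allow = self.options.allow;
        }
        // `url.format` uses `search` in preference to `query` when both are
        // set, so a query string already present in `loginPath` would drop the
        // `service`/`allow` values above. Clear `search` so the merged `query`
        // object is what gets serialized.
        redirectUrl.search = null;
        self.redirect(url.format(redirectUrl));
    }
};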
Ejemplo n.º 3
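/**
 * `/login` handler for the CAS round-trip.
 *
 * With a `ticket` parameter the ticket is validated against the CAS server and
 * `success(res, casResponse.user)` is invoked; an invalid ticket yields 401 and
 * a CAS communication error is passed to `next`. Without a ticket the client
 * is redirected to the CAS login page built from `config.cas`.
 */
app.get('/login', function(req, res, next){
    // NOTE(review): `req.param` reads route params, body and query string alike
    // (deprecated in later Express versions) — confirm the intended source.
    var ticket = req.param('ticket');
    if (ticket) {
        // If we have a ticket in the parameters, we try to validate it.
        cas.validate(ticket, function(err, loggedIn, casResponse) {
            if (err) {
                // A failure talking to the CAS server is not an invalid ticket;
                // hand it to the error middleware instead of answering 401, so
                // an outage is not mistaken for a tampered ticket.
                return next(err);
            }
            if (loggedIn) {
                return success(res, casResponse.user);
            }
            // The CAS server thinks this is an invalid token.
            return res.send(401, 'Invalid token');
        });
    } else {
        // No ticket, redirect to cas login
        var redirectUrl = url.parse(config.cas.casHost +
            config.cas.casBasePath + config.cas.loginPath, true);
        redirectUrl.query.service = config.cas.service;
        if (config.cas.allow) {
            redirectUrl.query.allow = config.cas.allow;
        }
        // `url.format` uses `search` in preference to `query` when both are
        // set, so a query string already present in the configured login path
        // would drop the `service`/`allow` values above. Clear `search` so the
        // merged `query` object is what gets serialized.
        redirectUrl.search = null;
        res.redirect(url.format(redirectUrl));
    }
});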