我正在构建一个使用facebook进行身份验证的REST-api,我认为与平台无关的最佳解决方案是让客户端处理从facebook检索auth-token然后使用它进行身份验证,以保持API尽可能干净。
这一切都可能吗?
答案 0 :(得分:1)
You can use passport-facebook-token strategy instead of passport-facebook.
In this way you can get the token on the client-side and send it to the application using:
app.post('/auth/facebook/token',
passport.authenticate('facebook-token'),
function(req, res) {
// do something with req.user
res.send(req.user ? 200 : 401);
}
);
With the code above you can pass the token using a query parameter like GET /auth/facebook/token?access_token=<TOKEN_HERE>, putting on the HTTP header access_token or in the request body.