适用于Passport的Tencent QQ登录认证策略。
$ npm install passport-tqq
passport.use(new TqqStrategy({
clientID: QQ_APP_ID,
clientSecret: QQ_APP_KEY,
callbackURL: "http://localhost:3000/auth/qq/callback"
},
function(accessToken, refreshToken, profile, done) {
User.findOrCreate({ qqId: profile.id }, function (err, user) {
return done(err, user);
});
}
));
// QQ登录认证时 `state` 为必填参数
// 系client端的状态值,用于第三方应用防止CSRF攻击,成功授权后回调时会原样带回
app.get('/auth/qq', function (req, res, next) {
req.session = req.session || {};
req.session.authState = crypto.createHash('sha1')
.update(-(new Date()) + '')
.digest('hex');
passport
.authenticate('qq', {
state: req.session.authState
})(req, res, next);
});
app.get('/auth/qq/callback', function (req, res, next) {
// 通过比较认证返回的`state`状态值与服务器端`session`中的`state`状态值
// 决定是否继续本次授权
if(req.session && req.session.authState
&& req.session.authState === req.query.state) {
passport
.authenticate('qq', {
failureRedirect: '/login'
})(req, res, next);
} else {
return next(new Error('Auth State Mismatch'));
}
},
function(req, res) {
res.redirect('/');
});
可以配置用户授权时向用户显示的可进行授权的列表。
app.get('/auth/qq',
passport.authenticate('qq', {
state: 'random state value',
scope: ['get_user_info', 'list_album']
}));
见 https://github.com/heroicyang/passport-tqq/tree/master/example
Copyright (c) 2011-2013 Heroic Yang <http://heroicyang.com/>