Instructor: To make it easier for us to see authentication and authorization failures inside Node.js, we're going to add a custom HTTP header to the default login form. Normally, Domino will return an HTTP 200, even though there's an authorization failure. This doesn't really help us in a Node.js application.
If we look inside the standard $$LoginUserForm, you can see there's a computed value. This is the standard error message that gets returned to the user when there's an issue. We're going to reuse this code and add a new field to the form.
In this case, we're going to call it HTTP header. The key thing here is we will add a new line at the bottom, which will set the HTTP header, using the @formula, @SetHTTPHeader. @formulas work fine in this instance, so let's use them.
I've called my header Domino authentication failure, and I pass it the error message. Let's see how we use that in the Node app. Here, we have an example Notes application. I've set the ACL up with anonymous of no access, and the default also of no access.
In theory, if we hit this database in the browser, the standard login form will be presented to us to force a login. If we open our demo root database in the browser, if I try and do the open database, I get the standard login form being presented to me.
I just try that again. You can see, it says, "Please identify yourself," as the error message. If I look in the network tab, and I look specifically at the original call, if I look at the response header, you can see there's a new authentication failure response header with the message, "Please identify yourself."
If I attempt to enter a wrong username and password and hit sign in, then check again the response header, you see I now get, "You provided an invalid username or password," which is the same message up there. We can use this HTTP header in our Node application.
We've got our basic Node application here. It's using the Express framework, and we are using request-based promises. We're not using callbacks in this case. Our Node application is going to be acting as a proxy, and therefore all our web requests are going to come via the Node application.
Let's make a new demo route to get started. Our first route will be called demo. It's going to be a get request. We will be using the request-promise library to go to Domino and get some data. The first thing we're going to do is set up some options for our request object.
The first thing will be the URL to the Notes application we're going to call. We're going to be using the Domino data service to get the data. Remember, this database is restricted access. We should be getting an error when we call to this database.
We're going to need access to the full response. We'll set that to true here as a property of the object. Then we'll call the request, passing it the options. As it's a promise, we then have to deal with the result. The first thing we're going to do is we're going to get the headers and the body from the response.
If we do get a Domino authentication failure, we will return an error message back to the browser. We do this using, and we'll set the status to 401, which is the standard HTTP authentication failure. We will return the error message, which has been set in the custom Domino authentication failure header.
Assuming we don't get an authentication failure, we will then just return back the body of data which we get from Domino. Finally, we also need to catch any errors. We will just return those back with the status code of the error we've got from Domino. That could be a 404, for instance.
Let's fire up the application and test it. To test our Node application, the first thing we're going to do is initially allow anonymous access to my database. I just want to make sure we can get data going through to the Node application.
I'm then going to go to the Node application and start it up by entering node server. It will start on port 8088. Now, if I go to the browser and hit our demo URL, we should get some data. Going to our browser, entering the URL, localhost 8088, and the route was demo.
We get some data back from Domino. Just to make sure, we look at the HTTP headers. Yes, we are getting this via the Express server, not via Domino. Next, we'll put the security back on, go back to our browser, hit the route again.
This time, we get a 401, with the error message coming from Domino of, "Please identify yourself." Looking on the network tab, and we can see, it's come from Express, but it's actually 401 Unauthorized, which has come back from Domino.
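Added example, not the lesson's own code: a sketch of the proxy logic the transcript describes, where a Domino response that carries the custom failure header is turned into a 401 and the login-form HTML is never forwarded as data. The header spelling `domino-authentication-failure`, the host `domino.example.com`, the database name `demo.nsf` and the function names are assumptions, and Node's built-in `fetch` stands in for the request-promise library.

```javascript
// Added example. Header spelling and URL are assumptions, not taken from the lesson's code.
const AUTH_HEADER = 'domino-authentication-failure'; // assumed name of the custom header
const DOMINO_URL = 'http://domino.example.com/demo.nsf/api/data/collections'; // placeholder

// Decide what the proxy sends to the browser for a given Domino response.
// `headers` is a plain object; header names are matched case-insensitively.
function mapDominoResponse({ statusCode, headers = {}, body = '' }) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = Array.isArray(value) ? value[0] : value;
  }
  const failure = lower[AUTH_HEADER];
  if (failure !== undefined) {
    // Domino answered 200 with the login form: report 401 and drop the HTML body.
    return { status: 401, type: 'text/plain', body: String(failure) };
  }
  if (statusCode >= 400) {
    // Real upstream errors (a 404, for instance) keep their status code.
    return { status: statusCode, type: 'text/plain', body: `Domino returned ${statusCode}` };
  }
  return { status: statusCode, type: lower['content-type'] || 'application/json', body };
}

// Express-style handler, registered as: app.get('/demo', demoRoute)
async function demoRoute(req, res) {
  try {
    const upstream = await fetch(DOMINO_URL);
    const out = mapDominoResponse({
      statusCode: upstream.status,
      headers: Object.fromEntries(upstream.headers),
      body: await upstream.text(),
    });
    res.status(out.status).type(out.type).send(out.body);
  } catch (err) {
    // Network-level failure: Domino could not be reached at all.
    res.status(502).type('text/plain').send('Domino unreachable');
  }
}
```

The failure message is sent as `text/plain` so that text originating upstream is never rendered as markup by the browser.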