1pass

English

한국어

English

한국어

Theme

Express.js

📋 Confidential client registration required

The code in this guide sends client_secret to /oauth/token (kept securely on the server). When you register the RP in the Developer Console, choose Client type: Confidential. For a Public/SPA client, follow the Public Clients guide and never put client_secret in client-side code.

js
import express from "express";
import crypto from "node:crypto";
import cookieParser from "cookie-parser";

const app = express();
app.use(cookieParser(process.env.COOKIE_SECRET));

const LOGI = process.env.LOGI_API_URL;
const CLIENT_ID = process.env.LOGI_CLIENT_ID;
const CLIENT_SECRET = process.env.LOGI_CLIENT_SECRET;
const REDIRECT = process.env.LOGI_REDIRECT_URI;

function b64url(buf) {
  return Buffer.from(buf).toString("base64url");
}

app.get("/auth/login", (req, res) => {
  const verifier = b64url(crypto.randomBytes(32));
  const challenge = b64url(crypto.createHash("sha256").update(verifier).digest());
  const state = b64url(crypto.randomBytes(16));

  res.cookie("logi_pkce", verifier, { httpOnly: true, secure: true, sameSite: "lax", maxAge: 600_000 });
  res.cookie("logi_state", state, { httpOnly: true, secure: true, sameSite: "lax", maxAge: 600_000 });

  const url = new URL(`${LOGI}/oauth/authorize`);
  url.searchParams.set("client_id", CLIENT_ID);
  url.searchParams.set("redirect_uri", REDIRECT);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("scope", "openid profile:basic email");
  url.searchParams.set("state", state);
  url.searchParams.set("code_challenge", challenge);
  url.searchParams.set("code_challenge_method", "S256");
  res.redirect(url.toString());
});

app.get("/auth/callback", async (req, res) => {
  // Validate missing code/state — guards against malicious callback injection
  if (!req.query.code || !req.query.state) {
    return res.status(400).send("missing code or state");
  }
  if (req.query.state !== req.cookies.logi_state) return res.status(400).send("state mismatch");

  const tokens = await fetch(`${LOGI}/oauth/token`, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({
      grant_type: "authorization_code",
      code: req.query.code,
      redirect_uri: REDIRECT,
      code_verifier: req.cookies.logi_pkce,
      client_id: CLIENT_ID,
      client_secret: CLIENT_SECRET,
    }),
  }).then(r => r.json());

  res.cookie("logi_rt", tokens.refresh_token, { httpOnly: true, secure: true, sameSite: "strict" });
  res.clearCookie("logi_pkce");
  res.clearCookie("logi_state");
  res.redirect("/");
});

Health check endpoint

This is the Express handler for the RP active health check protocol.

1. Env

bash
LOGI_CLIENT_ID=logi_xxxxxxxxxxxxxxxx
LOGI_RP_HEALTH_SECRET=<copy from the console>

2. Handler

js
import { createHmac, timingSafeEqual } from "node:crypto";

const MAX_SKEW = 300; // seconds

app.get("/.well-known/logi-rp-health", (req, res) => {
  // HTTP headers are case-insensitive — the code reads lower-case keys, but any case works when sending.
  const ts  = Number(req.get("x-logi-timestamp"));
  const cid = String(req.get("x-logi-client-id") || "");
  const sig = String(req.get("x-logi-signature") || "");

  if (!Number.isFinite(ts) || Math.abs(Date.now() / 1000 - ts) > MAX_SKEW) {
    return res.sendStatus(401);
  }
  if (cid !== process.env.LOGI_CLIENT_ID) {
    return res.sendStatus(401);
  }

  // HMAC-SHA256 hex is always 64 hex chars. Reject malformed input BEFORE
  // Buffer.from(..., "hex") — invalid hex decodes to a shorter buffer and
  // timingSafeEqual would throw on length mismatch (⇒ 500).
  if (!/^[0-9a-f]{64}$/i.test(sig)) {
    return res.sendStatus(401);
  }

  const expected = createHmac("sha256", process.env.LOGI_RP_HEALTH_SECRET || "")
    .update(`${ts}.${cid}`)
    .digest("hex");

  if (!timingSafeEqual(Buffer.from(sig, "hex"), Buffer.from(expected, "hex"))) {
    return res.sendStatus(401);
  }

  res.json({
    status: "ok",
    client_id: cid,
    timestamp: new Date().toISOString(),
    sdk_version: "logi-rp-integrate/1.0",
  });
});

3. Mount it on your app

If you split the handler above into its own router file, mount it with app.use; if you defined it directly on the same app, it works as-is.

js
// app.js (or server.js)
import logiHealthRouter from "./routes/logi-rp-health.js";
app.use(logiHealthRouter);
// Or, if you split out only the handler, mount it directly:
// app.get("/.well-known/logi-rp-health", logiHealthHandler);

Use the Express router pattern to mount it as shown above. If you split out only the handler, use the second form.

4. Enable it in the console

Developer Console → your app → RP active health check ON → Save → copy the secret into your env → redeploy → 🟢 appears on the card within an hour.

Identity가 제품의 신뢰를 만듭니다.

© 2026 Dcode Labs · logi by 1pass