How to use traditional sessions in Feathers js - node.js

Feathers auth provides only JWT authentication, even if strategy is local.
Should I make full custom middleware for express-session usage and clean passport implimentation just to achive regular sessions behaviour or there's some solutions for this purpose?
Also, I want to use passport.socketio for autheticate sockets aswell.

Using Feathers authentication module is entirely optional and you can always register your own middleware at any point like before and after a service. This means you can set up a normal Express session setup and then set req.feathers to the information from the session that you also want to pass to Feathers services (like the user). As you mentioned, you will have to do the same thing with websockets (which also allow setting handshake.feathers in its middleware).
A full tutorial how to set up sessions and using authentication can be found in the Using A View engine cookbook documentation.

Related

Which is more advisable to use in NodeJs, Passport or JWT and why?

I am new to Node Js and Currently working on a project with Express Js. I discover that User and can be achieved either through the Passport library or JSONWebTokens(JWT). So i was wondering which is the better option and why?
You can actually use them together. However, in short, passport is a module with many 'strategies' to help you authenticate users with multiple platforms. Passport-JWT is a strategy you could use as the auth strategy. This makes it easy when you use multiple ways to authenticate with your application. E.g. google, facebook, jwt, etc.

Nodejs user profiles and sessions

The goal is to build a user profile system for my web application. A user would be able to login, maintain a session and see his profile. After reading various tutorials online about how to do this, I feel a bit lost. Everyone uses different libraries and as someone new to web development, it's not clear what each library does. I've seen the following libraries used, can someone explain the flow of user-profile interactions and where each library comes in?
passport
passport-local
bcrypt-nodejs
connect-flash
express-session
jsonwebtoken
express-jwt
morgan
cookie-parser
One way to start your learning can be at:
https://www.youtube.com/watch?v=Z1ktxiqyiLA
There I learned how to use the most of plugins from your question.
Ok so about the plugins:
passport passport is a node.js plugin which is used usually with express that works as a middleware responsible for the authorization and authentication
passport-local - is a plugin for passport, more technically a strategy of authentication which usually is used with a database or configuration file.
bcrypt-nodejs is used usually for crypting the passwords in the database (but it is much more powerfull than that), is not cool to save password in plain text.
connect-flash - is used for flash messages that appears on a page "The user was successfully added", "Invalid user credentials", or any other success or error messages that you want to display on a page.
express-session - is an express middleware which is responsible to store the user session.
jsonwebtoken - jwt is used to create a token which you will use to identify if an user was authenticated or not.
express-jwt - an express middleware for jsonwebtoken
cookie-parser - an express middleware to parse cookies
morgan - just a log-ing service.
Ok so you should understand a bit of theory here:
passport with passport-local strategy is a statefull authentication mechanism which is supposed to save if the user is authenicated or not in a session, if you restart the node.js server if you did not persist your sessions in a third party service as a database/file etc... you will lose the sessions.
jsonwebtoken is a stateless authentication mechanism, you do not need to save anything on your server only the "secret key". Stateless architecture has some cool pros as it promotes horizontal scalability you can have endless nodes which will know how to parse the sended token and understand if the user is logged in or not. Lately I go with jwt as authentication.

Share session between two node apps

I have a node application that's using passport-local-mongoose for authentication. I have a second node app that's served in an iframe of the first app. I'd like to protect the express routes in the second app with the same session of the first app so that the user only logs in once, but the express routes in the second app are still protected. Is there a way for the two node apps to share a session? Or perhaps there is another approach?
Thank you.
The easiest way I can think of would be to simply store sessions in MongoDB. Then your second app's middleware could check the session passed in the request against the same database. The downside of this approach is that you have to implement some of the same authentication logic in 2 places.
Perhaps even better, you could build a 3rd microservice that handles authentication specifically. That would basically wrap your session store and centralize the authentication logic in one place. Both of the other 2 apps would then consume this service. This is an area I'm still learning about personally, and this site has been helpful: https://dejanglozic.com/2014/10/07/sharing-micro-service-authentication-using-nginx-passport-and-redis/.

Should I consolidate session management using Sails.js and Stormpath?

I'm investigating using Stormpath for our user Management.
I currently have a Sails.js application which uses Node.js / Express.js. Currently, session management is handled by the default Sails.js framework, which relies heavily on Express' session middleware.
Sessions are stored in a shared Redis database on production so that we can keep our multiple API servers stateless.
My question is will the two session management systems conflict and/or cause bugs? Do they have to be consolidated or can we safely keep them separate? if they have to be combined, how do you configure the middleware?
As a note we won't be storing much user data on Stormpath, we'll only be using them as a auth/token provider.
Thanks for the help!
I'm the author of the express-stormpath library, which is what I'm assuming you're evaluating.
You can indeed use your own sessions in addition to the stormpath ones. The way it works is like so:
Stormpath uses req.session to store a stormpathSession cookie. Any other cookies you create / store, will be handled by you completely.
It should work nicely with whatever session library you choose =)

CSRF token in Express with session disabled (REST)

I am trying to implement CSRF protection in my express application. The application is meant to be RESTfull, so I am not using session.
I have tried to use csurf npm module but as far as I have understood this module's description, I need to use session. I might turn session on, but I think I should not do it since application should be RESTfull.
Is there any CSRF implementation for express that does not force developer to use session mechanism?

Resources