admin-on-rest with passport.js authentication? - passport.js

I am wondering why I cannot find any AOR and passport auth code online? I found a ton of keystone and passport though... Is there a specific reason for that - the two should work well together, right?

You're right, there is no reason admin-on-rest would not work with passport -- however, there is a caveat:
It seems you are searching for a "passport + AOR" tutorial or guide, but one of the selling points of admin-on-rest is that it is truly agnostic to any authentication implementation. Therefore, you would implement a passport strategy of your choosing (jwt, oauth, http basic) within admin-on-rest's authClient.js
https://marmelab.com/admin-on-rest/Authentication.html
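As an added example (not code from admin-on-rest, the answer above, or marmelab's docs), here is an authClient.js whose AUTH_LOGIN posts credentials to a server route that passport authenticates, for instance a passport-local route that returns a JWT. The `/login` path, the `token` field in the response, and the `postJson`/`storage` injection points are assumptions made so the client runs offline; in a real app you would pass `fetch` and `window.localStorage`. The AUTH_* strings are the values admin-on-rest exports under those names.

```javascript
// Added example, not from admin-on-rest or the original answer.
// The AUTH_* constants below carry the same string values admin-on-rest exports.
const AUTH_LOGIN = 'AUTH_LOGIN';
const AUTH_LOGOUT = 'AUTH_LOGOUT';
const AUTH_ERROR = 'AUTH_ERROR';
const AUTH_CHECK = 'AUTH_CHECK';

// postJson(url, body) -> Promise<{ status, body }>  (assumed wrapper around fetch)
// storage: an object with getItem/setItem/removeItem (window.localStorage in a browser)
function makeAuthClient({ postJson, storage, loginUrl = '/login' }) {
  return function authClient(type, params) {
    switch (type) {
      case AUTH_LOGIN: {
        const { username, password } = params;
        // Server side (assumed): router.post('/login',
        //   passport.authenticate('local', { session: false }), issueJwt)
        return postJson(loginUrl, { username, password }).then((res) => {
          if (res.status < 200 || res.status >= 300) throw new Error('Invalid credentials');
          if (!res.body || typeof res.body.token !== 'string') throw new Error('No token in response');
          storage.setItem('token', res.body.token);
        });
      }
      case AUTH_LOGOUT:
        storage.removeItem('token');
        return Promise.resolve();
      case AUTH_ERROR: {
        // admin-on-rest calls this with the error a restClient request failed with;
        // rejecting sends the user back to the login page.
        const status = params && params.status;
        if (status === 401 || status === 403) {
          storage.removeItem('token');
          return Promise.reject();
        }
        return Promise.resolve();
      }
      case AUTH_CHECK:
        return storage.getItem('token') ? Promise.resolve() : Promise.reject();
      default:
        return Promise.reject(new Error(`Unknown auth type: ${type}`));
    }
  };
}

// In-memory stand-in for window.localStorage (constructed for the example).
function makeMemoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, v); },
    removeItem: (k) => { m.delete(k); },
  };
}
```

The strategy choice (local, JWT, OAuth) lives entirely on the server behind `/login`; the client only needs to know how the server signals success and where to keep the resulting credential.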

Related

Which is more advisable to use in NodeJs, Passport or JWT and why?

I am new to Node.js and currently working on a project with Express.js. I discovered that user authentication can be achieved either through the Passport library or JSON Web Tokens (JWT). So I was wondering which is the better option and why?
You can actually use them together. However, in short, passport is a module with many 'strategies' to help you authenticate users with multiple platforms. Passport-JWT is a strategy you could use as the auth strategy. This makes it easy when you use multiple ways to authenticate with your application, e.g. Google, Facebook, JWT, etc.

Question regarding passport.js' level of security

Just have some general questions about the level of security one can expect when using passport for an app's authentication.
I am currently in the process of designing my first app using a MongoDB, Express, React and Node.js stack. Without having much prior knowledge about cyber security, I have done quite a bit of research about authentication and what types of attacks can occur on my site. I have opted to use a cookie-based authentication system with the passport.js npm package, and I have designed my /login route to require that the user's password and username first pass a passport.authenticate('local', ....) middleware setup before a session and cookie are created.
In order to persist the current user in my react app, I have a function which requests the server to provide it with the currently active passport session if there is one - and this seems to work as it will not maintain a login state if the user deletes the session cookie from their browser.
I am a bit skeptical of passport and I'm curious to know how easily it could be breached by someone who has a higher understanding of how it works, so the things I am wondering are several:
1. Is this type of authentication setup secure?
2. Are there any additional requirements that one must implement in order for passport to be a legitimate method of authentication for an app?
3. Is using passport to authenticate users considered to be bad practice? Would showcasing an app that authenticates users by using an npm package look bad if I were to showcase this application to a potential employer?
I can share code if necessary to better illustrate my code setup, although I would prefer not to if at all possible. Any advice would be much appreciated, thanks!
TLDR:
Is passport.js a secure method to authenticate users? Is using passport.js for this bad practice?
Passport.js provides authentication, not security. It is fairly easy to misconfigure by following online tutorials, so take care - the tool is only as good as the hand it is in. To add security to passport, you will need at the very least three additional elements:
Strong state model for the session (or token) that does not leak private fields and uses argon2 for password hashing.
No mistakes on the front-end with CSRF or XSS.
Rate and buffer limiters on Node itself or, even better, on your reverse proxy.

Graphql/Prisma, autorization with or without passport?

I'm creating an API with GraphQL and Prisma and have been following this tutorial for tips and tricks: https://www.howtographql.com/graphql-js/6-authentication/. When they reached authorization they opted not to use middleware like passport.js but instead wrote their own logic, as you can see in the link. I'm simply wondering why, and if this solution is lacking from a security perspective?
Passport is really handy if you want to set up Facebook, Twitter and Google auth. For simple password login just write your own functionality; it is simple to do and gives you full control.

Nodejs API - Authentication with Passport JWT strategy vs jsonwebtoken

I'm building an API using Nodejs/express and exploring different ways to implement authentication/authorization.
I've come across two packages which seem to do similar things:
Passport with jwt strategy
and
jsonwebtoken
I really don't understand the difference between the two, but passport seems a lot more complicated. I know these kinds of questions generally don't fare well on Stack Overflow, but I genuinely don't understand the difference between the two, and it seems passport is generally better received? Can someone explain whether or not these packages truly accomplish the same goal, or if there's a reason to use one over the other?
Thanks.
Passport is "authentication middleware for Node.js. Extremely flexible and modular", as they say. It has lots of strategies, among which passport-jwt is one.
What Passport did is bring all the different strategies together, like Google auth, Facebook authentication, local authentication and so on.
jsonwebtoken is a strategy the same as passport-jwt, but it is individual, while passport is a group of strategies.
In my opinion you should learn passport, as by learning it you can use all kinds of strategies. A strategy is a type of authentication.
Pardon my English, I hope you get it.

Testing Passport Facebook Strategy Oauth

I was looking for a solid example or to be pointed in the right direction of how to simulate testing Passport-Facebook's login process. Completely clueless as where to start.
I'm open to any testing framework.
Best,
Austin
While the Passport documentation provides a crude/basic example of using the Passport-Facebook strategy
http://passportjs.org/docs/facebook
You may like to have a look at this tutorial from scotch.io for a detailed example; it teaches you how to authenticate via Facebook, Twitter and Google+ using Node.js and the respective strategies. You'll have to follow the first two lessons to achieve your goal.
https://scotch.io/tutorials/easy-node-authentication-setup-and-local
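As an added example (not from the answer above, the scotch.io tutorial, or passport-facebook), here is the one part of a Facebook login you write yourself, the verify callback passed to `new FacebookStrategy(options, verify)`, written so it can be unit-tested without talking to Facebook. The OAuth redirect and code exchange belong to Facebook and passport-facebook; in a test you skip them and call the verify callback directly with a constructed profile, which is what `runVerify` does. The in-memory store and the profile shape used in the usage are assumptions; the callback signature `(accessToken, refreshToken, profile, done)` is the one passport-facebook calls.

```javascript
// Added example, not from the original answer or from passport-facebook.

// Builds the verify callback for new FacebookStrategy({...}, verify).
// `store` is any object with findByFacebookId(id) and create(fields).
function makeFacebookVerify(store) {
  return function verify(accessToken, refreshToken, profile, done) {
    // A profile without a stable provider id cannot be mapped to an account.
    if (!profile || typeof profile.id !== 'string' || profile.id === '') {
      return done(new Error('Facebook profile is missing an id'));
    }
    const existing = store.findByFacebookId(profile.id);
    if (existing) return done(null, existing);
    // Key the local account on the provider id, not on the email: a provider email
    // is not proof of ownership of an existing local account with that address.
    const created = store.create({
      facebookId: profile.id,
      displayName: profile.displayName || '',
      email: (profile.emails && profile.emails[0] && profile.emails[0].value) || null,
    });
    return done(null, created);
  };
}

// In-memory stand-in for the database (constructed for the example).
function makeMemoryStore() {
  const users = [];
  return {
    findByFacebookId: (id) => users.find((u) => u.facebookId === id) || null,
    create: (fields) => { const u = { id: users.length + 1, ...fields }; users.push(u); return u; },
    count: () => users.length,
  };
}

// Drives the callback the way passport would after a successful OAuth exchange
// and returns whatever it handed to done(), so a test can assert on it.
function runVerify(verify, profile) {
  let result;
  verify('fake-access-token', undefined, profile, (err, user) => { result = { err, user }; });
  return result;
}
```

Run this under any test runner (mocha, jest, or `node:test`); the assertions a practitioner wants are that a first login creates exactly one record, a second login with the same provider id finds it rather than creating another, and a profile with no id is reported as an error rather than silently creating an account.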
