Nodejs user profiles and sessions - node.js

The goal is to build a user profile system for my web application. A user would be able to log in, maintain a session and see his profile. After reading various tutorials online about how to do this, I feel a bit lost. Everyone uses different libraries and as someone new to web development, it's not clear what each library does. I've seen the following libraries used; can someone explain the flow of user-profile interactions and where each library comes in?
passport
passport-local
bcrypt-nodejs
connect-flash
express-session
jsonwebtoken
express-jwt
morgan
cookie-parser

One way to start your learning can be at:
https://www.youtube.com/watch?v=Z1ktxiqyiLA
There I learned how to use most of the plugins from your question.
Ok so about the plugins:
passport - passport is a node.js plugin which is usually used with express; it works as a middleware responsible for authorization and authentication.
passport-local - is a plugin for passport, more technically an authentication strategy, which is usually used with a database or configuration file.
bcrypt-nodejs - is usually used for encrypting the passwords in the database (but it is much more powerful than that); it is not cool to save passwords in plain text.
connect-flash - is used for flash messages that appear on a page: "The user was successfully added", "Invalid user credentials", or any other success or error messages that you want to display on a page.
express-session - is an express middleware which is responsible for storing the user session.
jsonwebtoken - jwt is used to create a token which you will use to identify if a user was authenticated or not.
express-jwt - an express middleware for jsonwebtoken.
cookie-parser - an express middleware to parse cookies.
morgan - just a logging service.
Ok so you should understand a bit of theory here:
passport with the passport-local strategy is a stateful authentication mechanism which is supposed to save whether the user is authenticated or not in a session; if you restart the node.js server and you did not persist your sessions in a third-party service such as a database/file etc., you will lose the sessions.
jsonwebtoken is a stateless authentication mechanism: you do not need to save anything on your server, only the "secret key". Stateless architecture has some cool pros, as it promotes horizontal scalability: you can have endless nodes which will know how to parse the sent token and understand if the user is logged in or not. Lately I go with jwt for authentication.

Related

Question regarding passport.js' level of security

Just have some general questions about the level of security one can expect when using passport for an App's Authentication;
I am currently in the process of designing my first App using a MongoDB, Express, React and Node.js stack. Without having much prior knowledge about cyber security I have done quite a bit of research about authentication and what type of attacks can occur on my site. I have opted to use a cookie-based authentication system with the passport.js npm package and I have designed my /login route to require that the user's password and username first pass a passport.authenticate('local', ....) middleware setup before a session and cookie are created.
In order to persist the current user in my react app, I have a function which requests the server to provide it with the currently active passport session if there is one - and this seems to work as it will not maintain a login state if the user deletes the session cookie from their browser.
I am a bit skeptical of passport and I'm curious to know how easily it could be breached by someone who has a higher understanding of how it works, so the things I am wondering are several:
Is this type of authentication setup secure?
Are there any additional requirements that one must implement in order for passport to be a legitimate method of authentication for an App?
Is using passport to authenticate users considered to be bad practice? Would showcasing an app that authenticates users by using an npm package look bad if I were to showcase this application to a potential employer?
I can share code if necessary to better illustrate my code setup, although I would prefer not to if at all possible. Any advice would be much appreciated, thanks!
TLDR:
Is passport.js a secure method to authenticate users? Is using passport.js for this bad practice?
Passport.js provides authentication, not security. It is fairly easy to misconfigure by following online tutorials, so take care - the tool is only as good as the hand it is in. To add security to passport, you will need at the very least three additional elements:
Strong state model for the session (or token) that does not leak private fields and uses argon2 for password hashing.
No mistakes on the front-end with CSRF or XSS.
Rate and buffer limiters on Node itself or, even better, on your reverse proxy.
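Two of the three elements the answer lists, as an added example that is not from the answer or from Passport: a per-key login rate limiter of the kind the answer says to run on Node itself, and a session/profile model that keeps only the user id in the session and returns an allow-listed view of the user record, so password hashes and e-mail addresses cannot leak through a profile endpoint. The user store and the checkPassword hook are constructed stand-ins (a real deployment would call argon2 there, as the answer recommends).

```javascript
// Added example, not from the answer above or from Passport. Plain Node, no dependencies.

// 1. Login rate limiter: counts failures per key (e.g. "ip:username") in a rolling window.
class LoginRateLimiter {
  constructor({ windowMs = 15 * 60 * 1000, maxAttempts = 5 } = {}) {
    this.windowMs = windowMs;
    this.maxAttempts = maxAttempts;
    this.failures = new Map(); // key -> timestamps of recent failures
  }

  // Drop failures older than the window and return the ones that still count.
  _recent(key, now) {
    const cutoff = now - this.windowMs;
    const kept = (this.failures.get(key) || []).filter((t) => t > cutoff);
    this.failures.set(key, kept);
    return kept;
  }

  isBlocked(key, now = Date.now()) {
    return this._recent(key, now).length >= this.maxAttempts;
  }

  recordFailure(key, now = Date.now()) {
    this._recent(key, now).push(now);
  }

  reset(key) {
    this.failures.delete(key);
  }
}

// 2. Constructed user store. passwordHash is a placeholder, not a real argon2 hash.
const users = new Map([
  ['u1', { id: 'u1', username: 'alice', email: 'alice@example.test',
           passwordHash: '$argon2id$PLACEHOLDER', role: 'user' }],
]);

// Passport's serializeUser pattern: the session holds only the id ...
function serializeUser(user) {
  return user.id;
}

// ... and what the profile endpoint returns is an explicit allow-list, never the raw record.
function publicProfile(id) {
  const u = users.get(id);
  if (!u) return null;
  return { id: u.id, username: u.username, role: u.role };
}

// Ties the two together. checkPassword(password, hash) is a hook so the example runs
// without an argon2 dependency; in production it would be argon2.verify.
function attemptLogin(limiter, key, username, password, checkPassword, now = Date.now()) {
  if (limiter.isBlocked(key, now)) return { ok: false, reason: 'rate_limited' };
  const user = [...users.values()].find((u) => u.username === username);
  if (!user || !checkPassword(password, user.passwordHash)) {
    limiter.recordFailure(key, now);
    return { ok: false, reason: 'invalid_credentials' }; // same message for unknown user and wrong password
  }
  limiter.reset(key);
  return { ok: true, sessionUserId: serializeUser(user) };
}
```

Keying the limiter on both client address and username means one attacker cannot lock out a user by hammering their name alone, while one address cannot spray many names unchecked; a reverse proxy limiter in front of this covers the case where Node itself is the bottleneck.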

How to use traditional sessions in Feathers js

Feathers auth provides only JWT authentication, even if the strategy is local.
Should I make full custom middleware for express-session usage and a clean passport implementation just to achieve regular session behaviour, or are there some solutions for this purpose?
Also, I want to use passport.socketio to authenticate sockets as well.
Using Feathers authentication module is entirely optional and you can always register your own middleware at any point like before and after a service. This means you can set up a normal Express session setup and then set req.feathers to the information from the session that you also want to pass to Feathers services (like the user). As you mentioned, you will have to do the same thing with websockets (which also allow setting handshake.feathers in its middleware).
A full tutorial on how to set up sessions and use authentication can be found in the Using A View engine cookbook documentation.

Email-only authentication in Node.js

I am currently developing an application using a MERN stack, and I'd like to have authentication for it as well. However, before I just install PassportJS, I'd like to know how I should approach authentication. Should my client-side send my server a POST request with the email address in plaintext in the POST body? Should it encrypt it beforehand? Do I store the encrypted email address in MongoDB, or the plaintext version? I'm not asking for the best practice, but rather the approaches that could be taken given my current stack. I would like to understand this without just installing a package and calling the job done.
You have to use the passport middleware inside your routes before calling your custom callback, and define passport with the great configuration.

How to use passport.js's TwitterStrategy sessionless?

I tried to implement TwitterStrategy like it's done with Facebook in:
Token based, sessionless auth using express and passport
But express still wants me to use session middleware:
{"message":"OAuthStrategy requires session support. Did you forget app.use(express.session(...))?"
Can someone provide a detailed example?
From the Passport twitter middleware issue reported earlier on github:
Any OAuth 1.0 strategy requires sessions. OAuth 2 requires it if state is enabled (which is highly recommended).
A temporary secret is stored in the session to prevent cross site scripting attacks.

Is this authentication with Passport secure by design?

I'm new to Node, Passport and authentication in web development in general.
I followed this tutorial for setting up local authentication using the Passport module.
I was hoping an experienced developer could comment on the security of the design being taught there.
More specifically,
1) When the author does a POST for sending credentials, shouldn't he be doing it over HTTPS? When is it necessary to use HTTPS so that others aren't sniffing your information? How could the design be changed to POST using HTTPS?
2) I can't follow how session is being kept track of. Does passport abstract all of the session work? If so, are they using cookies? Are the cookies plaintext? Does the user get a token back in a cookie? Is that how isLoggedIn() works?
3) Is he getting any protection from content injection for free? I don't see any code to try and escape dangerous characters or anything.
Anyway, how hacker-safe is this design?