Getting started with server-side and especially Node.js. Stumbled upon this authentications framework called Passport.js, built specifically for Node. Would someone take the liberty to explain this Authentication Middleware thing to me? In layman's terms, if possible. Thanks ;)
Authentication Middleware is any number of authentication-related functions that are executed prior to passing the request to its final route. For example, any routes requiring the user to be logged in would run Authentication Middleware before serving the resource.
Related
Just have some general questions about the level of security one can expect when using passport for an App's Authentication;
I am currently in the process of designing my first App using a MongoDB, Express, React and Node.js stack. Without having much prior knowledge about cyber security I have done quite a bit of research about authentication and what type of attacks can occur on my site. I have opted to use a cookie-based authentication system with the passport.js npm package and I have designed my /login route to require that the user's password and username first pass a passport.authenticate('local', ....) middleware setup before a session and cookie are created.
In order to persist the current user in my react app, I have a function which requests the server to provide it with the currently active passport session if there is one - and this seems to work as it will not maintain a login state if the user deletes the session cookie from their browser.
I am a bit skeptical of passport and I'm curious to know how easily it could be breached by someone who has a higher understanding of how it works, so the things I am wondering are several:
Is this type of authentication setup secure?
Are there any additional requirements that one must implement in order for passport to be a
legitimate method of authentication for an App?
Is using passport to authenticate users considered to be bad practice? Would showcasing an app that
authenticates users by using an npm package look bad if I were to showcase this application to a
potential employer?
I can share code if necessary to better illustrate my code setup, although I would prefer not to if at all possible. Any advice would be much appreciated, thanks!
TLDR:
Is passport.js a secure method to authenticate users? Is using passport.js for this bad practice?
Passport.js provides authentication, not security. It is fairly easy to misconfigure by following online tutorials, so take care - the tool is only as good as the hand it is in. To add security to passport, you will need at the very least three additional elements:
Strong state model for the session (or token) that does not leak private fields and uses argon2 for password hashing.
No mistakes on the front-end with CSRF or XSS.
Rate and buffer limitters on Node itself or, even better, on your reverse proxy.
I'm relatively new to the modern JavaScript web development world. I've built a very simple Node/Express back-end and a separate React front-end. My vague plan is to have users that will have permission to access certain areas of the front-end, and then have the front-end make requests to the back-end. Can the front-end and back-end share the same authentication/authorization scheme? Can they both use something like Auth0? How can I make these two secure?
I'm a little stuck and would appreciate any advice or a nudge in the right direction. I'm mostly stuck because these are two separate applications but the same "user" would technically have permissions to certain React views as well as certain Express endpoints - how they moosh together?
Thanks.
Although seems not directly related to your topic, but I would actually suggest you try Meteor if you are not planning to immediately start working on large projects (not pressing too hard on scalability).
Meteor has a builtin support for Accounts and interacts with MongoDB nicely, and it also has its own DDP protocol that simplifies API call massively. It also interacts nicely with React.
If you think Meteor might not be a good choice for yourself, you could still learn from its design policies of authorization, etc. It has quite a bit package source code that are not too difficult to understand, and should be helpful for you to learn the basic idea. (Actually, Meteor's Accounts package already implements the basic idea mentioned by another answerer, you can learn from its design principles)
When users log in to your site, issue them with an access token that they keep client side. On front-end, check if user has token and correct permissions before rendering components. On back-end, send the token as request headers to the endpoints.
I have implemented a similar case, but with the spring boot kotlin at the backend instead. My solution is using JWT token to validate the authentication and authorization.
User logins by input login form and send POST method to backend via a REST API.Backend validates credential and returns the JWT token including encrypted user_role, expiration date, etc... if valid or 403 exception
Front-end decodes the JWT (using jwt-decode lib or something else),
save it to validate the access permission to specific page in the
website based on user_role. Eg: role='ADMIN' can access to admin dashboard page, role='USER' can access user profile page, etc.
If you use express as the backend, I suggest to use the feathersjs. It has backend solutions for this and an optional front end version. Refer: https://docs.feathersjs.com/api/authentication/jwt.html
Secure Front end (React.js) and Back end (Node.js/Express Rest API) with Keycloak follow this
I am currently developing an application using a MERN stack, and I'd like to have authentication for it as well. However, before I just install PassportJS, I'd like to know how I should approach authentication. Should my client-side send my server a POST request with the email address in plaintext in the POST body? Should it encrypt it beforehand? Do I store the encrypted email address in MongoDB, or the plaintext version? I'm not asking for the best practice, but rather the approaches that could be taken given my current stack. I would like to understand this without just installing a package and calling the job done.
You have to use the middleware of passport inside your routes before calling your custom callback and defines passport with the great configuration
I'm writing my first Express NodeJS app and I want to know what is the best practice when it comes to authentication middlewares?
I'm using access tokens and cookies (which are composed from user id and some random bytes) for each new user, and for some routes I want only given users to have access to it.
Is a good idea to access database from a middleware? Or where should I check if a given user has access to a given resource?
Thank you!
There are many modules built for authentication purpose for nodejs applications. However, the most commonly used module for nodejs/expressjs is Passport. If you wish to stay isolated from such libraries, nodejs has built-in libraries for encryption etc, for example, check this out.
For sessions and cookies, using signed cookies is always a good practice. Check out this SO post. There are many good practices for maintaining security (say, using https over http, token based authentication, etc.) followed throughout the development grounds, which you'll learn as you go on. Here is a short tutorial of JWT(JSON Web Tokens) for a good introduction to token based authentication in JSON you can check out.
Happy coding :)
I'm tackling the design of my first API and am struggling somewhat with authorisation concepts - I was hoping some kind people could give me some advice!
What I'm building:
An API that will eventually be accessed by third party apps and a mobile app.
A web-based 'client' (first-party single page app) that will use the API. (Should this first-party app be 'a part' of the API, or a completely separate node app?)
Technology I plan to use:
Node
Express
Passport
Mongodb with Mongoose
I'm not wed to express or passport, they just seem like the best options and are well documented - bit I wouldn't want a potential solution to be dismissed because of alternative dependencies. Same with Mongoose, I actually prefer the look of Monk (or even just Mongojs), but every tut seems to use mongoose, so seems like the safest option for a node beginner.
Authenticating a user is simple enough (I've gone through the fantastic Beer Locker tutorial), what I'm struggling with is ongoing authorisation. Naturally I don't want the user to have to input a username and password with every request they make - should this information be stored locally and sent with every request? (if so, how? I can't find any info on handling an API with a session) or should I be working with tokens of some sort? The small amount of reading I did on 'Digest' authorisation (including the Beer Locker tutorial follow-up) made it seem like it had security issues, at least with the Passport implementation (this I don't fully understand, but seems to relate to hashing passwords, which passport doesn't do as standard, and only MD5 is supported even if it's added?).
I have built a working API that I can authorise with 'Basic' (directly, through Postman), so I have the foundations in place - authorisation works, I just need the tools to take that to the next step and add sessions into the mix!
I've been trying to get my head around this for a couple of days now, but I fear I'm too stuck in a more traditional local web-app workflow - the whole API thing is throwing me somewhat.
Any help is hugely appreciated, even if it's just pointing me at an appropriate tutorial - the above set of requirements must be quite common!
I have come accross this problem too...
I can only recommend doing this for the beginning:
http://scotch.io/tutorials/javascript/easy-node-authentication-setup-and-local
tell me if it helped :)
As I understand you have done the authentication and the only thing you have to do now is store somewhere that the current user is authenticated, his name, roles etc to use later with other requests. In the Passport you will do it in the function callback (instead of the "If this function gets called..." comment).
Now you have to decide, you have two options:
Store the user information (name, roles etc.) on your server (in a session) and give the user some long code which will identify his session for the next requests
to store the information on your server you may use for example the express-session middleware
it would be probably best to save the session identifier in a cookie, but read some security issues before
Give the user something that would prove to you he/she is authenticated and which name, roles etc. he/she has
you can generate a token, that contains the user information (name, roles etc.) that the user will send with every request. to know this token is legit, you will have to sign it. more on this is on jwt.io and you can use express-jwt middleware.
you dont have to care about storage of session with this one
the token can be placed to a cookie too, but same security issues apply. it is still considered better that localstorage (more here)