i'm trying to implement a login system with username/email in passport.js, i have read online that the local strategy is generally not secure, but after searching online i couldn't find any resource that could help me make it more secure.
i'm not sure if this's even possible, but i thought maybe i could use two strategies to work together, i thought that might give my application more security, like use local strategy with cookie strategy together for example, is this approach possible? if so, does it provide extra security and how do i implement the two together?
if such thing is not the best idea, how do i make authentication with local strategy a secure option? i'm planning on implementing other strategies like passport-google-oauth and such, but right now i want to include the username/email login in my application nonetheless, any help is appreciated, thanks in advance.
I'm designing my user authentication system using Node.js/Express, and as I've been searching the web for authentication strategies, I noticed that a lot of developers recommend passport.js for helping with authentication.
My authentication will only ever use a username/password strategy with JSON web tokens. Under that assumption, it seems like I have to manage the entire authentication myself: I check the username and password against the database, and I check and attach JWTs. It seems like Passport only wraps my work inside it's own functions.
With only a username/password strategy, what use is Passport? What does Passport provide in this scenario that is of any real benefit over me just performing the authentication without it?
Passport give you more flexibility and scalability. Now, you need one specific strategy, but in future you can add additional or remove old one. Using modules like passport you cause that your application code is independent of some processes. It is almost like dependency injection, you inject strategy in opposite to hardcode this.
I thing, that good application should have as much as possible functions/modules, that allow to inject polices/strategies. Separate modules is also nodejs/express style.
If you code your authentication in same style, then it is super (but why reinventing the wheel).
Using passport you can inherit from base Strategy and create new one strictly for your needs and use it with other strategies.
Never. Ever. Implement. Your. Own. Security. Framework
Unless you actually want to implement a framework and you have all the resources in the world to do that, all the required knowledge and the key people ( like OWASP ) & etc etc.
Use existing lib for your project
Use a library, or a framework, that's open source and battle tested. Yes it will not be perfect and will have limitations. Yes it may not be the most secure code ever. BUT it will be much better than your own, especially if you're starting from scratch.
Then follow best practices for CSRF, XSS, DDoS & other kind of attack prevention.
I've developped a REST based service using Express and initially started implementing authentication myself. A simple username/password authentication where
passwords are encrypted using BCrypt
user info + hashed passwords are stored in a mongoDB
password verification checks are done.
authentication tokens (limited TTL) are generated / validated
I have some knowledge on Node.JS, but not nearly sufficient to make me feel comfortable about rolling out my own authentication (login/signup) mechanism.
For that reason I would like to replace my in-house mechanism with something else.
Something proven, extendable, pluggable and easy to use.
Given the amount of secure websites / REST APIs out there based on Node.JS, I'm sure there are out-of-the box solutions that people / companies have to offer that can get service implementors up and running very quickly, without having to worry about the security/user aspect.
I'm looking for an even higher level of abstraction than that of libraries like passport or everyauth. Something that provides out-of-the-box functionality, capable of fulfilling my requirements including :
providing a login page / signup page / profile page
different authentication modules (google,facebook,github,....)
storing user info (+credentials if required) in a datastore (mongoDB).
remember me
forgot password / reset password
So the question here is :
Are there out-of-the-box solutions like that available that offer a higher level of abstraction than passport/everyauth/... ?
If any, would you recommend some of these out-the-box solutions ?
Should I instead forget about the notion of outsourcing my user authentication and just start looking at passport and everyauth and start implementing my requirements using those libraries ?
Is it possible to focus on my business logic and not worry at all about any aspect regarding user authentication (writing login / signup pages , implementing forgot password / reset password flows, storing user info in the DB).
The service API should largely live independent of your authentication mechanism, so I'd recommend starting this behind a simple password protected folder or some such. In my opinion it would be better to make sure you're API works and can gain traction. Meaning it'll be more a long term project. Nothing kills a project quicker than focusing on the painful stuff right out of the box.
As far as what service to use? It's non-trivial to setup security well. So for a small startup project, it's probably more cost-effective to integrate with another service. Might take a look at Mozilla Persona. It's built on Node and pretty straight forward.
If you do try to roll your own get some outside expertise, and DON'T do stupid stuff like use a hashing algorithm like SHA1 to store passwords. Instead use something like bcrypt. Then there are other things like, don't store server logs on the server they're created. Pipe out all logs elsewhere so if there's an intrusion you have a forensics trail back to what happened.
I guess you could use https://stormpath.com/ . I'm looking for a free alternative myself..
Everyauth and Passport.js seem to have very similar feature sets. What are some of the positive and negative comparisons between the two that would make me want to use one over the other?
Chiming in with my two cents, as the developer of Passport.
Before developing Passport, I evaluated everyauth and determined that it didn't meet my requirements. So, I set about implementing a different solution which would. The major points I wanted to address are:
Idiomatic Node.js
everyauth makes extensive use of promises, instead of Node's approach of using callbacks and closures. Promises are an alternative approach to async programming. While useful in some high-level situations, I wasn't comfortable with an authentication library forcing this choice upon my application.
Furthermore, I find that proper use of callbacks and closures yields concise, well architected (almost functional style) code. Much of the power of Node itself comes from this fact, and Passport follows suit.
Modular
Passport employs a strategy design pattern to define a clear separation of concerns between the core module and various authentication mechanisms. This has a number of benefits, including smaller overall code size and well defined and testable interfaces.
For a basic illustration, compare the difference between running $ npm install passport and $ npm install everyauth. Passport lets you craft your application using only the dependencies you actually need.
This modular architecture has proven itself adaptable, facilitating a community that has implemented support for a wide variety of authentication mechanisms, including OpenID, OAuth, BrowserID, SAML, etc.
Flexible
Passport is just middleware, using the fn(req, res, next) convention established by Connect and Express.
This means that there are no surprises, as you define where you want your routes and when you want to use authentication. There are also no dependencies on a specific framework. People are successfully using Passport with other frameworks such as Flatiron
In contrast, any module in everyauth can insert routes into your application. This can make debugging difficult, as it is non-obvious how a route will be dispatched and leads to tight coupling with a specific framework.
Passport also errors in a way that is entirely conventional, next-ing to error-handling middleware as defined by Express.
In contrast, everyauth has its own conventions, which don't fit the problem space well, causing long-standing open issues such as #36
API Authentication
The crowning achievement of any authentication library is its ability to handle API authentication as elegantly as web-based sign on.
I won't elaborate much on this point. However, I encourage people to look into Passport's sibling projects, OAuthorize and OAuth2orize. Using these projects, you can implement "full-stack" authentication, for both HTML/session-based web apps and API clients.
Reliable
Finally, authentication is a critical component of an application, and one you want to be fully comfortable relying on. everyauth has a long list of issues many of which remain open and resurface over time. In my opinion, this is due to low unit test coverage, which itself suggests that the internal interfaces in everyauth are not suitably defined.
In contrast, Passport's interfaces and its strategies are well-defined and extensively covered by unit tests. Issues filed against Passport tend to mostly be minor feature requests, rather than bugs relating to authentication.
Despite being a younger project, this level of quality suggests a more mature solution that is easier to maintain and trust going forward.
Passport
modular and transparent
good docs
community contributions (owing to it's modularity)
works with everyone and their dog (again, owing to it's modularity)
Everyauth
long development history, mature.
no longer maintained
great docs
works with a wide range of services
Just finished changing from everyauth to passport. The reasons were the following.
Everyauth is not stable enough. The final straw was last week I got bitten by a mysterious issue where facebook authentication would work on local.host and on the production environment, but not in my test environment on heroku, even with identical code and databases and a new heroku app instance. At that point I ran out of theories as to how to isolate the issue, so removing everyauth was the logical next step.
The way it provides support for standard authentication using username/password credentials is not easily integrated with a single page web app approach.
I was unable to get everyauth to work with Google accounts.
Active development of everyauth seems on the decline.
The port was surprisingly painless, only taking a few hours, including manual testing.
So obviously, I recommend going for passport.
I tried out Everyauth first and have since gone to Passport. It struck me as somewhat more flexible, esp. if (for example) I need different logic for different providers. It also makes it easier (imo) to configure custom auth strategies. On the other hand, it doesn't have the view helpers, if those are important to you.
This answers a bit late, but I found this thread and (after hearing all of the negative feedback about Everyauth) decided to use Passport ... and then hated it. It was opaque, only worked as middleware (you couldn't authenticate from a GraphQL endpoint, for instance), and I hit more than one hard to debug bug (eg. How do I have two Express sessions?).
So I went looking and found https://github.com/jed/authom. For my needs this is a much better library! It's a bit lower-level than the other two libraries, so you have to do things like putting the user into the session yourself ... but that's only one line so it's really no big deal.
More importantly its design gives you a lot more control, making it easy to implement your authorization the way you want and not the way Passport intended. Plus, compared to Passport it's a lot simpler and easier to learn.
I used to use Everyauth more specifically mongoose-auth. I found it hard to split up my files properly without dismantling the everyauth module. Passport in my opinion is a cleaner method for creating logins. There is a write up that I found very helpful http://rckbt.me/2012/03/transitioning-from-mongoose-auth-to-passport/
Note the date of this post, it will indicate how relevant this post is.
In my experience, Everyauth didn't work out of the box with it's password login style. I am using express3 and I declare my middleware like so app.use(everyauth.middleware(app)); and it still wasn't passing in the everyauth local to my template. The last git commit was a year ago and I figure new packages have broken everyauth. Now I'm going to try passport.
I'm working on a web site and I plan to use strictly OAuth in for user authentication. I've never implemented session management/user authentication before; and so - naturally - I'm reading up on a lot of how tos to get this done.
The problem I'm running into is that a lot of examples out there for doing things like setting up your realm, authenticator, etc etc seem to rely on the user/password paradigm for authentication. The whole point of going for OAuth is to avoid this in the first place!
That being said; I'm actually not looking for examples of full OAuth implementations right now. I understand that I need to understand that for myself. BUT with a future OAuth implementation in mind; how should I structure my user authentication/session management FOR THE TIME BEING in a way that will allow me to move forward on developing the functionality on my site that I really care about? I suppose I could throw some stuff together for that; but I'm just afraid that down the road I will be shoe horning an OAuth implementation as opposed to do something now which allows me to lay down the basic framework for it and then move on to other things.
So; does anyone know of a good example of laying the groundwork for OAuth on Tomcat 7? For example, which authentication mechanism (Basic, digest, etc) I should use or how I should represent user credentials in my database?
I know that this is kind of a vague question; so I'm not expecting someone to come out and tell me all of the answers I need to know. I'm just looking to get pointed in the right direction here.
Perhaps Spring Security would be useful? Your webapp could leverage Spring Security and use whatever login mechanism you need (i.e., you could do the default form-based authentication or Basic Auth for now, and replace the login/auth piece with an OAuth implementation when you're ready), but still have Spring Security manage authorization to particular resources in your webapp.
Someone has also built OAuth for Spring Security, so it may be a useful addition to your web app all around.