Token authentication on Socket.io with Passport - node.js

I've built a Node.js API that uses Passport for authentication.
Once a user is authenticated, he can access the web services with the BearerStrategy.
Now I'd like to create a chat and allow access to authenticated users only. I found only one solution dealing with tokens: jsonwebtoken, and I'd like to know if there is a way to use Passport to do that, especially because I already implemented the Passport Bearer strategy.
Thanks
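The pattern the question is asking for is to reuse the Bearer strategy's verify callback from the HTTP side inside a Socket.io handshake middleware. The example below is added here and is not code from the question; it uses a constructed in-memory token table in place of a database, and `verifyBearer` has the `(token, done)` signature that passport-http-bearer calls, so the same function can be passed to `new BearerStrategy(...)` and to `io.use(...)`. The real `passport` and `socket.io` wiring is shown only in comments so the file runs without those packages.

```javascript
// Added example: one Bearer verify callback shared by the HTTP strategy and a
// Socket.io handshake middleware. Token store is constructed for the demo.

const ACCESS_TOKENS = new Map([
  ['tok_alice_1', { id: 1, name: 'alice' }],
  ['tok_bob_2', { id: 2, name: 'bob' }],
]);

// Same shape passport-http-bearer expects: verify(token, done).
// In a real app this is the DB lookup already written for the HTTP API.
function verifyBearer(token, done) {
  const user = ACCESS_TOKENS.get(token);
  if (!user) return done(null, false);
  return done(null, user);
}

// Pull the token from the places a Socket.io client can put it: the
// handshake "auth" payload or an Authorization header on the handshake request.
function extractToken(handshake) {
  const fromAuth = handshake.auth && handshake.auth.token;
  if (typeof fromAuth === 'string' && fromAuth) return fromAuth;
  const header = handshake.headers && handshake.headers.authorization;
  if (typeof header === 'string') {
    const m = /^Bearer\s+(\S+)$/i.exec(header);
    if (m) return m[1];
  }
  return null;
}

// Middleware in the shape io.use() expects: (socket, next).
// Calling next(err) makes Socket.io refuse the connection, so an
// unauthenticated client never reaches any event handler.
function socketBearerAuth(socket, next) {
  const token = extractToken(socket.handshake || {});
  if (!token) return next(new Error('missing bearer token'));
  verifyBearer(token, (err, user) => {
    if (err) return next(err);
    if (!user) return next(new Error('invalid bearer token'));
    socket.user = user; // available to every later event handler
    next();
  });
}

// Runs the middleware against a fake socket so the behaviour can be checked
// without a running server; returns what the handshake decided.
function runHandshake(handshake) {
  const socket = { handshake };
  let result;
  socketBearerAuth(socket, (err) => {
    result = err ? { ok: false, reason: err.message } : { ok: true, user: socket.user };
  });
  return result;
}

// Wiring in the real app (needs the npm packages, hence commented out):
//   passport.use(new BearerStrategy(verifyBearer));   // HTTP routes
//   io.use(socketBearerAuth);                         // chat connections

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(runHandshake({ auth: { token: 'tok_alice_1' } }));
  console.log(runHandshake({ headers: { authorization: 'Bearer tok_bob_2' } }));
  console.log(runHandshake({ headers: { authorization: 'Bearer nope' } }));
}
```

Because the rejection happens in the handshake, a bad token costs the server one lookup and no socket state; the same bearer tokens that protect the REST routes protect the chat, with no second credential scheme to manage.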

Related

Should I use authentication on both Reactjs and Nodejs

When a user logs in, I store the login variable in Redux, but when we hit the API request, firstly React.js checks the authentication using Redux; if logged in, then Node.js checks the authentication and returns the API.
Isn't it unnecessary to use authentication on both sides? Why can't I just use authentication on the server side only?
Your thoughts please on what I should follow.
I think you need not authenticate on both sides. You just have to send the token in the headers (authentication) of every API request and create middleware to authenticate the user for the API in Node.js.
There are multiple ways to implement authentication in your front-end projects, though the most common way to do this is by using JWT (JSON Web Tokens). However, for using this type of authentication you need to implement OAuth, OpenID Connect or a similar authentication service on your backend.
PS: I recommend storing your login credentials in cookies.

passport google strategy with jwt

I did JWT authentication in my previous projects but never worked with OAuth/Passport auth before.
It's been 3 days that I have been learning about Passport strategies, and I have implemented the Google+ strategy.
I got a new project, and this project requires letting users sign up/sign in with Google or Facebook or with a signup form using firstName, lastName, phone number and password.
Very briefly, in JWT the server sends a token to the client, and then the client sends that particular token in the request header back to the server to have access to protected routes.
In the Passport Google strategy a cookie is saved in the browser and is sent to the server on each request.
What I think is:
I can't use two different approaches in one project. Like, if I use JWT for the signup form and a cookie for the Google strategy, how am I going to protect my routes then? With a token in headers or with a cookie in the browser?
Now my question is:
How can I use both in the same project?
In the Google strategy, should I generate the JWT (token) for the client in serializeUser() or somewhere else, or what else is possible?
Or should I save the JWT token in a browser cookie like Passport does?
I presented things very briefly; I hope you get what I'm trying to do here.
I can't use two different approaches in one project. Like, if I use JWT for the signup form and a cookie for the Google strategy, how am I going to protect my routes then? With a token in headers or with a cookie in the browser?
You can. A cookie is just a transport mechanism for data between your browser and the server. You can store anything in it (up to the allowed size limit), meaning that you can store a JWT in a cookie (a rather common practice, especially for server-side rendered single-page apps).
You don't even have to develop a custom solution because this is already provided by Passport in passport-jwt.
In the scenario where you require signing up the user using predefined fields, you could use something known as Local Strategy, which is present in Passport: passport-local.

How authenticate users and store data in MongoDB with Express in production?

I'm currently building a simple Express API with user authentication and some data to be stored. Right now in production I'm using passport-local authentication and a cookie session to authenticate users, but I heard that in production that is not really good.
Why are other authentication methods better, and which authentication would be safe, stable and scalable? Also, what speaks against cookie-session? Is express-session with connect-mongo better, and why?
I would take a look at this article from Tania Rascia. It covers using Express with JSON Web Tokens (JWT) and OAuth with cookies. It's a secure method, and it all runs on the same server (backend and front end served with Express).

What's the difference between passport and oauth?

I'm trying to build an authentication service with express.js, but I haven't caught the idea of authentication modules yet.
What's the difference between passport and OAuth middleware? Are they dependent on each other? Is it useless to have the BearerStrategy without an OAuth server to generate tokens for the BearerStrategy to validate? Am I on the right way?
I've read about OAuth2 and its authentication flow, but I'm still lost with this uncoupled code.
I'm trying to build the Resource Owner Password authentication with refresh token for my AngularJS frontend communicating with the backend API, and I'm faced with many combinations of passport.js strategies (Basic, Bearer, ClientPassword) with oauth2orize on the other side.
So, I'd like a very simple explanation of how authentication works on NodeJS. I really do know that Express is not inventing a new way of how authentication works, but the modules are so unobtrusive that I need to understand the basics of how it works to get them working together.
Passport is authentication middleware.
OAuth is authorization middleware.
To understand the difference:
Authentication is the process of ascertaining that somebody really is who he claims to be.
Authorization refers to rules that determine who is allowed to do what. E.g. Bob may be authorized to create and delete databases, while Bobbette is only authorized to read.
In other words: Authentication is your username + password. Authorization is what you're allowed to do.
Passport will allow you to authenticate the user before allowing access to your API. It does not (directly; it's possible) allow checking if a user is allowed to perform an action after authentication.
Check this Wikipedia article for more on Authentication vs Authorization.
What OAuth does that Passport doesn't is that it allows users to grant a service access to their personal information. It also allows users to allow or disallow certain privileges (scopes in OAuth).
Do note that there are a lot of OAuth flavors. The most common is the version with authorization grant types seen when authorizing with Facebook or Google. But there are many others, including the Resource Owner Password strategy you mentioned.
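The Bob/Bobbette distinction above maps directly onto two separate Express-style middlewares: one that establishes identity from a bearer token (what Passport does) and one that checks the scopes that token was granted (what an OAuth authorization decision looks like). This is an added example, not the answerer's code and not Passport's or oauth2orize's API; the token table, the users and the `db:*` scope names are constructed for the demo, and the tiny `run` helper stands in for Express's router so the chain can be exercised offline.

```javascript
// Added example: authentication ("who is this?") and authorization ("may they
// do this?") as two separate middlewares. Token store is constructed for the demo.

// What an OAuth server would have issued: each token carries the scopes the
// user consented to. Bob can do everything; Bobbette may only read.
const TOKENS = new Map([
  ['tok-bob', { user: 'bob', scopes: ['db:read', 'db:write', 'db:delete'] }],
  ['tok-bobbette', { user: 'bobbette', scopes: ['db:read'] }],
]);

// Authentication: resolve the bearer token to an identity, or stop with 401.
function authenticate(req, res, next) {
  const m = /^Bearer\s+(\S+)$/i.exec(req.headers.authorization || '');
  const grant = m && TOKENS.get(m[1]);
  if (!grant) return res.status(401).json({ error: 'unauthenticated' });
  req.user = grant.user;
  req.scopes = grant.scopes;
  next();
}

// Authorization: the caller is known; decide whether this action is allowed.
// Runs only after authenticate(), hence 403 rather than 401.
function authorize(requiredScope) {
  return (req, res, next) => {
    if (!Array.isArray(req.scopes) || !req.scopes.includes(requiredScope)) {
      return res.status(403).json({ error: 'forbidden', need: requiredScope });
    }
    next();
  };
}

// The protected handler itself never checks credentials; it trusts the chain.
function deleteDatabase(req, res) {
  res.status(200).json({ deleted: req.params.name, by: req.user });
}
function readDatabase(req, res) {
  res.status(200).json({ database: req.params.name, by: req.user });
}

// Minimal stand-in for Express's router: applies middlewares in order and
// stops as soon as one of them responds without calling next().
function run(req, chain) {
  const res = {
    statusCode: 200,
    body: undefined,
    status(c) { this.statusCode = c; return this; },
    json(b) { this.body = b; return this; },
  };
  let i = 0;
  const next = (err) => {
    if (err) return res.status(500).json({ error: err.message });
    const fn = chain[i++];
    if (fn) fn(req, res, next);
  };
  next();
  return { status: res.statusCode, body: res.body };
}

// Equivalent of:
//   app.delete('/db/:name', authenticate, authorize('db:delete'), deleteDatabase)
//   app.get('/db/:name',    authenticate, authorize('db:read'),   readDatabase)
function simulate(method, authorizationHeader) {
  const req = {
    headers: authorizationHeader ? { authorization: authorizationHeader } : {},
    params: { name: 'orders' },
  };
  return method === 'DELETE'
    ? run(req, [authenticate, authorize('db:delete'), deleteDatabase])
    : run(req, [authenticate, authorize('db:read'), readDatabase]);
}
```

Keeping the two decisions in separate middlewares is what lets Passport (or any verifier of identity) sit in front of an OAuth-style scope check: the identity step can be swapped for a session or a JWT verifier without touching the authorization rules, and the 401/403 split tells a client whether to re-authenticate or to give up.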

securing a REST api for nodejs/express/passport

So we have our application in Node.js ready, implemented with Passport as the authentication framework on top of Express/Node.js. The routes have been designed as a REST API.
Now there's a request to make the routes available as a REST API to non-browser clients.
How would I go about implementing this when our app already works well with Passport for authentication? Can Passport be used for that? Or another framework, like OAuth? Would they be compatible, or would I need to dismantle the Passport code to implement it with OAuth?
Couldn't find relevant information yet.
I am not familiar with passport.js, but most browser-based server applications use sessions for user authentication. This is usually not the case for non-browser-based REST clients, which use tokens to authenticate requests.
An OAuth server is implemented to issue tokens to different clients, and these tokens are sent with each request. SSL is used to protect these tokens. In your case, you can add an OAuth middleware for REST clients while having the same endpoints as for your browser-based application.