Cannot find any info (on the passport.js site) about general passport.js installation and declaration in node.js.
In the tutorials I always see express session middleware and cookie-parser stated as required for passport, yet the session docs (https://github.com/expressjs/session) note:
'Since version 1.5.0, the cookie-parser middleware no longer needs to be used for this module to work. This module now directly reads and writes cookies on req/res. Using cookie-parser may result in issues if the secret is not the same between this module and cookie-parser.'
So do I need to use session & cookie-parser for passport for some reason, or can I use only session? Do I need to tweak something then?
No, passport itself does not require cookie-parser middleware. If you want session-persistent authentication then you'll need the express-session middleware, which used to require cookie-parser, but modern versions of express no longer have this requirement (the current version of express-session reads and writes cookies directly).
Related
I have a Node.js express passport joi restful api. When trying to access the routes ... is it better to first validate the inputs (body or query) or check passport requirements?
So this:
router.route('/signup')
    .post(validateBody(schemas.signupSchema), passportSignup, controllerSignup.signup);
router.route('/login')
    .post(validateBody(schemas.loginSchema), passportLogin, controllerLogin.login);
router.route('/search')
    .get(validateQuery(schemas.searchSchema), passportJWT, controllerSearch.search);
... or this?
router.route('/signup')
    .post(passportSignup, validateBody(schemas.signupSchema), controllerSignup.signup);
router.route('/login')
    .post(passportLogin, validateBody(schemas.loginSchema), controllerLogin.login);
router.route('/search')
    .get(passportJWT, validateQuery(schemas.searchSchema), controllerSearch.search);
Which version is preferred?
It doesn't really matter, as both of them are middlewares; it doesn't matter which one fails first. But doing passport authentication first is a better idea, because why even process the data if the user isn't correctly authenticated?
From reading Express 4 Session Documentation
It states:
the cookie-parser middleware no longer needs to be used for this
module to work. This module now directly reads and writes cookies on
req/res. Using cookie-parser may result in issues if the secret is not
the same between this module and cookie-parser.
If I want to set an additional custom cookie, such as loggedIn: true, how would I do that with Session? I don't see any APIs to set cookies other than the default one it makes for its session tracking. And as the docs state, I should not use cookie-parser with express-session.
Found out through express.js github:
The documentation does in no way say you cannot use the two together.
It just states that using cookie-parser is not actually required to use
this module now (it used to be required in older 1.x versions) and
that just keep in mind you have to use the same secret for this module
and cookie-parser if you use the cookie-parser module.
To store or access session data, simply use the request property req.session, which is (generally) serialized as JSON by the store, so nested objects are typically fine. express-session
As it says, you can directly write to req.session
req.session.loggedIn = true
I am trying to implement passport + express + mongodb functionality of local authentication, but it doesn't seem to work. All of the examples, including the one from the official page, have the line
app.use(app.router);, but I am using express 4.9 and I get the error:
Error: 'app.router' is deprecated!
If I remove it, I only get redirected to unsuccessful login, without even entering the LocalStrategy callback.
I would appreciate any help and suggestions on how I should substitute the deprecated line.
You'll want to remove that line -- in Express 4.x this is no longer needed -- some of the passport docs are just out of date.
Also: you may want to check out express-stormpath as an alternative to passport if you're trying to store user accounts. Depending on your application's usage, it might be a lot simpler.
I am looking to implement cookiestore in my Express app, I followed this question
Best Session Storage Middleware for Express + MongoDB
and
https://github.com/kcbanner/connect-mongo
for my Express 3.x project, but for Express 4, connect middleware is deprecated.
Which is the suitable alternative for connect-mongo?
Middleware has been extracted out of the core and moved to individual modules. This changes how you set up the app but you have the option to use the same middleware as before. The overview explaining how to migrate from 3.x to 4.x lists the modules that can be used as replacements for the Connect middleware.
The syntax will be slightly different as you explicitly install the modules, such as express-session, and the app.use statements are modified to reflect this. The options you pass to these modules, however, are the same as they were with the Connect middleware...so you can pass your connect-mongo details to express-session and keep rolling along.
So you don't have to change unless there's another problem that isn't clear in your original question...and there could be other problems if you have a large, established app. But if you are following a tutorial, you should be early enough in the process that this won't be a major issue.
Edit: It looks like there's also been discussion about Express 4 on the connect-mongo github page. There are more examples there about how to use this module with the new version of Express...
Edit 2: The code, referenced a few times on the github page, looks like this:
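// `app` (the Express app) and `mongoose` (with an open connection)
// are assumed to be set up earlier in the file.
var session = require('express-session');
var MongoStore = require('connect-mongo')(session);

app.use(session({
    secret: 'youshouldputyourownsecrethere', // placeholder: use your own secret
    store: new MongoStore({
        db: mongoose.connection.db
    })
}));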
With the dawn of Express 4 connect is no longer a dependency. I can't find on the express site any new implementation of csrf.
The old way was app.use(express.csrf()); and then add in a middleware function to expose it in the view.
My question is: Am I now forced to include connect as a dependency, or is there something baked into express now that allows for csrf that I am missing?
Or can I just include the source of csrf into my app?
You can install and require csurf for Express 4.