I am trying to implement CSRF protection in my express application. The application is meant to be RESTfull, so I am not using session.
I have tried to use csurf npm module but as far as I have understood this module's description, I need to use session. I might turn session on, but I think I should not do it since application should be RESTfull.
Is there any CSRF implementation for express that does not force developer to use session mechanism?
Related
Just have some general questions about the level of security one can expect when using passport for an App's Authentication;
I am currently in the process of designing my first App using a MongoDB, Express, React and Node.js stack. Without having much prior knowledge about cyber security I have done quite a bit of research about authentication and what type of attacks can occur on my site. I have opted to use a cookie-based authentication system with the passport.js npm package and I have designed my /login route to require that the user's password and username first pass a passport.authenticate('local', ....) middleware setup before a session and cookie are created.
In order to persist the current user in my react app, I have a function which requests the server to provide it with the currently active passport session if there is one - and this seems to work as it will not maintain a login state if the user deletes the session cookie from their browser.
I am a bit skeptical of passport and I'm curious to know how easily it could be breached by someone who has a higher understanding of how it works, so the things I am wondering are several:
Is this type of authentication setup secure?
Are there any additional requirements that one must implement in order for passport to be a
legitimate method of authentication for an App?
Is using passport to authenticate users considered to be bad practice? Would showcasing an app that
authenticates users by using an npm package look bad if I were to showcase this application to a
potential employer?
I can share code if necessary to better illustrate my code setup, although I would prefer not to if at all possible. Any advice would be much appreciated, thanks!
TLDR:
Is passport.js a secure method to authenticate users? Is using passport.js for this bad practice?
Passport.js provides authentication, not security. It is fairly easy to misconfigure by following online tutorials, so take care - the tool is only as good as the hand it is in. To add security to passport, you will need at the very least three additional elements:
Strong state model for the session (or token) that does not leak private fields and uses argon2 for password hashing.
No mistakes on the front-end with CSRF or XSS.
Rate and buffer limitters on Node itself or, even better, on your reverse proxy.
Feathers auth provides only JWT authentication, even if strategy is local.
Should I make full custom middleware for express-session usage and clean passport implimentation just to achive regular sessions behaviour or there's some solutions for this purpose?
Also, I want to use passport.socketio for autheticate sockets aswell.
Using Feathers authentication module is entirely optional and you can always register your own middleware at any point like before and after a service. This means you can set up a normal Express session setup and then set req.feathers to the information from the session that you also want to pass to Feathers services (like the user). As you mentioned, you will have to do the same thing with websockets (which also allow setting handshake.feathers in its middleware).
A full tutorial how to set up sessions and using authentication can be found in the Using A View engine cookbook documentation.
The goal is to build a user profile system for my web application. A user would be able to login, maintain a session and see his profile. After reading various tutorials online about how to do this, I feel a bit lost. Everyone uses different libraries and as someone new to web development, it's not clear what each library does. I've seen the following libraries used, can someone explain the flow of user-profile interactions and where each library comes in?
passport
passport-local
bcrypt-nodejs
connect-flash
express-session
jsonwebtoken
express-jwt
morgan
cookie-parser
One way to start your learning can be at:
https://www.youtube.com/watch?v=Z1ktxiqyiLA
There I learned how to use the most of plugins from your question.
Ok so about the plugins:
passport passport is a node.js plugin which is used usually with express that works as a middleware responsible for the authorization and authentication
passport-local - is a plugin for passport, more technically a strategy of authentication which usually is used with a database or configuration file.
bcrypt-nodejs is used usually for crypting the passwords in the database (but it is much more powerfull than that), is not cool to save password in plain text.
connect-flash - is used for flash messages that appears on a page "The user was successfully added", "Invalid user credentials", or any other success or error messages that you want to display on a page.
express-session - is an express middleware which is responsible to store the user session.
jsonwebtoken - jwt is used to create a token which you will use to identify if an user was authenticated or not.
express-jwt - an express middleware for jsonwebtoken
cookie-parser - an express middleware to parse cookies
morgan - just a log-ing service.
Ok so you should understand a bit of theory here:
passport with passport-local strategy is a statefull authentication mechanism which is supposed to save if the user is authenicated or not in a session, if you restart the node.js server if you did not persist your sessions in a third party service as a database/file etc... you will lose the sessions.
jsonwebtoken is a stateless authentication mechanism, you do not need to save anything on your server only the "secret key". Stateless architecture has some cool pros as it promotes horizontal scalability you can have endless nodes which will know how to parse the sended token and understand if the user is logged in or not. Lately I go with jwt as authentication.
I am building an angular2-login-seed that uses Passport.js with OAuth strategies for authentication. Obviously the default method of authentication with these tools is use of an HTTP cookie signed by express. Passport, from what I can tell, manages the actual Set Cookie header so that express can authenticate each subsequent request via request.isAuthenticated() and access the data set by passport via req.session.passport.dataHere.
I want to incorporate realtime data in the application via websockets. This of course means a socket stream coming from the server to the client. This communication is entirely separate from a regular HTTP server request meaning:
It does not contain the HTTP cookie that all HTTP requests contain
Express does not broker the interaction with sockets, it is managed with whatever implementation is used in the backend (sock.js, socket.io)
This makes it difficult to streamline authentication between HTTP requests to express, and websocket data to the backend as they are separate methods of communication.
From my research, this leaves me with two options. One of which is to use a library to give my socket implementation (preferably sock.js over socket.io but I need to do more research) access to the express session. Then I could authenticate the socket connection however I want. Issue is I have no idea how I would get the express cookie into the stream from the front since javascript cannot access it (HTTP only cookie).
Another common solution I've seen people jump to is to use JWTs (JSON Web Tokens). Implementations revolving around this store the JWT in localstorage on the front end. This is so the SPA (in my case Angular2 services) could send it with every request for 'stateless' server authentication AND we could send it via a websocket to authenticate the websocket connection as well (the front end JS has access to localstorage obviously). A couple things that come to mind when thinking about this implementation:
Is it even possible to have Passport OAuth strategies use JWT instead of the regular session information? What modification would this entail? From what I can tell the Passport strategies use some form of OAuth1 or OAuth2 parent strategies for authentication which defaults to using cookies.
Would storing this vital information in localstorage open the application up to security breaches (XSS, CSRF, etc)
If so, the most common workaround I've seen is to store the JWT in a cookie so it cannot be as easily accessed, spoofed, or forged. However this puts me back in the position I was in before using JWT, so might as well not bother.
Does this mean I'd have to use some sort of state management store in the backend (Redis for example) to manage the authentication and decoding of the JWT body? (I know nothing about Redis, etc).
The idea of connecting authentication between server HTTP requests and socket data is odd but seemingly vital to properly authenticating a socket connection. I'm a little surprised an easier method does not exist. I've done some research and have seen things such as socketio-jwt, express-jwt, etc however I don't know if this would be a manageable transition with my Passport strategies, or if it would be easier opening up express session data to the socket implementation, or if I'm going about it all wrong!
Any help or guidance would be much appreciated thanks.
Then I could authenticate the socket connection however I want. Issue is I have no idea how I would get the express cookie into the stream from the front since javascript cannot access it (HTTP only cookie).
With express-socket.io-session the session auth is done on handshake, and the handshake is a http request, so even if your cookies are http-only it will work. (Tested by myself)
I tried to implement TwitterStrategy like it's done with Facebook in:
Token based, sessionless auth using express and passport
But express still wants me to use session middleware:
{"message":"OAuthStrategy requires session support. Did you forget app.use(express.session(...))?"
Can someone provide a detailed example?
From Passport twitter middleware issue reported earlier on gihub
Any OAuth 1.0 strategy requires sessions. OAuth 2 requires it if state is enabled (which is highly recommended).
A temporary secret is stored in the session to prevent cross site scripting attacks.