This is the 8th part of the tutorial series called Node Hero - in these chapters, you can learn how to get started with Node.js and deliver software products using it.
In this tutorial, you are going to learn how to implement a local Node.js authentication strategy using Passport.js and Redis.
Upcoming and past chapters:
- Getting started with Node.js
- Using NPM
- Understanding async programming
- Your first Node.js server
- Node.js database tutorial
- Node.js request module tutorial
- Node.js project structure tutorial
- Node.js authentication using Passport.js [you are reading it now]
- Node.js unit testing tutorial
- Debugging Node.js applications
- Node.js Security Tutorial
- How to Deploy Node.js Applications
- Monitoring Node.js Applications
Technologies to use
Before jumping into the actual coding, let's take a look at the new technologies we are going to use in this chapter.
What is Passport.js?
Simple, unobtrusive authentication for Node.js - http://passportjs.org/
Passport is an authentication middleware for Node.js which we are going to use for session management.
What is Redis?
Redis is an open source (BSD licensed), in-memory data structure store, used as database, cache and message broker. - https://redis.io/
We are going to store our user's session information in Redis, and not in the process's memory. This way our application will be a lot easier to scale.
The Demo Application
For demonstration purposes, let’s build an application that does only the following:
- exposes a login form,
- exposes two protected pages:
- a profile page,
- secured notes
The Project Structure
You have already learned how to structure Node.js projects in the previous chapter of Node Hero, so let's use that knowledge!
We are going to use the following structure:
├── app
| ├── authentication
| ├── note
| ├── user
| ├── index.js
| └── layout.hbs
├── config
| └── index.js
├── index.js
└── package.json
As you can see we will organize files and directories around features. We will have a user page, a note page, and some authentication related functionality.
(Download the full source code at https://github.com/RisingStack/nodehero-authentication)
The Node.js Authentication Flow
Our goal is to implement the following authentication flow into our application:
- User enters username and password
- The application checks if they are matching
- If they are matching, it sends a
Set-Cookie
header that will be used to authenticate further pages - When the user visits pages from the same domain, the previously set cookie will be added to all the requests
- Authenticate restricted pages with this cookie
To set up an authentication strategy like this, follow these three steps:
Step 1: Setting up Express
We are going to use Express for the server framework - you can learn more on the topic by reading our Express tutorial.
// file:app/index.js
const express = require('express')
const passport = require('passport')
const session = require('express-session')
const RedisStore = require('connect-redis')(session)
const app = express()
app.use(session({
store: new RedisStore({
url: config.redisStore.url
}),
secret: config.redisStore.secret,
resave: false,
saveUninitialized: false
}))
app.use(passport.initialize())
app.use(passport.session())
What did we do here?
First of all, we required all the dependencies that the session management needs. After that we have created a new instance from the
express-session
module, which will store our sessions.
For the backing store, we are using Redis, but you can use any other, like MySQL or MongoDB.
Step 2: Setting up Passport for Node.js
Passport is a great example of a library using plugins. For this tutorial, we are adding the
passport-local
module which enables easy integration of a simple local authentication strategy using usernames and passwords.
For the sake of simplicity, in this example, we are not using a second backing store, but only an in-memory user instance. In real life applications, the
findUser
would look up a user in a database.// file:app/authenticate/init.js
const passport = require('passport')
const LocalStrategy = require('passport-local').Strategy
const user = {
username: 'test-user',
password: 'test-password',
id: 1
}
passport.use(new LocalStrategy(
function(username, password, done) {
findUser(username, function (err, user) {
if (err) {
return done(err)
}
if (!user) {
return done(null, false)
}
if (password !== user.password ) {
return done(null, false)
}
return done(null, user)
})
}
))
Once the
findUser
returns with our user object the only thing left is to compare the user-fed and the real password to see if there is a match.
If it is a match, we let the user in (by returning the user to passport -
return done(null, user)
), if not we return an unauthorized error (by returning nothing to passport - return done(null)
).Step 3: Adding Protected Endpoints
To add protected endpoints, we are leveraging the middleware pattern Express uses. For that, let's create the authentication middleware first:
// file:app/authentication/middleware.js
function authenticationMiddleware () {
return function (req, res, next) {
if (req.isAuthenticated()) {
return next()
}
res.redirect('/')
}
}
It only has one role if the user is authenticated (has the right cookies) it simply calls the next middleware; otherwise it redirects to the page where the user can log in.
Using it is as easy as adding a new middleware to the route definition.
// file:app/user/init.js
const passport = require('passport')
app.get('/profile', passport.authenticationMiddleware(), renderProfile)
No comments:
Post a Comment