DEV Community: Tassa Tenhouse The latest articles on DEV Community by Tassa Tenhouse (@kmtenhouse). https://dev.to/kmtenhouse https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F151097%2Fcb011042-5c17-4686-aba7-ab14ce583a85.png DEV Community: Tassa Tenhouse https://dev.to/kmtenhouse en Handling Synchronous and Asynchronous Errors in Express.js Tassa Tenhouse Thu, 05 Dec 2019 12:00:06 +0000 https://dev.to/kmtenhouse/handling-synchronous-and-asynchronous-errors-in-express-js-12fm https://dev.to/kmtenhouse/handling-synchronous-and-asynchronous-errors-in-express-js-12fm <p>Has this ever happened to you? You're cruising along, enjoying the app you just built with Node and Express -- only to run head-first into an ugly error you never expected.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fz0obfyc764u1h0vr5yuk.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fz0obfyc764u1h0vr5yuk.png" alt="Screenshot of a ReferenceError visible in the client, with a picture of a cursed emoji to emphasize how unappealing this message is"></a></p> <p>Or even worse, maybe you don't see anything at all! Maybe you've clicked on a link only to find your browser endlessly spinning. You take a peek at your backend logs, only to see those dreaded words:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>UnhandledPromiseRejectionWarning: Unhandled promise rejection. </code></pre> </div> <p>It's time to corral the chaos: it's time to get serious about error handling :)</p> <h2> Step One: Synchronous Errors </h2> <p>By default, when a <em>synchronous</em> error happens in an express route handler, Express will use its built-in error handler. It will write the error to the client, leading to those stark error pages. While Express won't expose the full stack trace in production, it's still a pretty bad experience for site visitors who bump into that obnoxious "Internal Server Error".<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/bad</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">a</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">a</span> <span class="o">+</span> <span class="nx">b</span><span class="p">);</span> <span class="c1">//this will cause a ReferenceError because 'b' is not defined!</span> <span class="p">})</span> </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fdy8c0eqnuq3jm4r3ostf.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fdy8c0eqnuq3jm4r3ostf.png" alt="Screenshot of an error in production: simple Internal Server Error"></a></p> <p>We can do better! Instead of leaving Express to its own devices, we can define our own custom error handler.</p> <h2> 🛡️ Writing a custom Express error handler 🛡️ </h2> <p>Most folks are used to writing express route handlers with 2-3 parameters: a <em>request</em>, a <em>response</em>, and optionally, a <em>next</em> function that can be invoked to move on to the next middleware in the chain. However, if you add a <em>fourth</em> parameter -- an <em>error</em> -- in front of the other three, this middleware becomes an error handler! When an error is thrown, the error will bypass any normal route handlers and go into the first error handler it finds downstream.</p> <p><strong>⚠️ Key point: in order to catch errors from all your routes, this error handler must be included after all route definitions! ⚠️</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// First, we include all our routes:</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">routes</span><span class="p">);</span> <span class="c1">// And at the very end, we add our custom error handler!</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">err</span><span class="p">,</span> <span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">//(Note: it's highly recommended to add in your favorite logger here :)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">render</span><span class="p">(</span><span class="dl">"</span><span class="s2">errorpage</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>And voila! In one fell swoop, we made that broken route show a lovely error page:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fon3dyido4xwwr64qf45n.JPG" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fon3dyido4xwwr64qf45n.JPG" alt="Screenshot of a styled error page"></a></p> <p>In fact, if we wanted to get extra fancy, we could even display different error pages depending on the type of error we have received! Some folks even write their own custom Error objects (extending the native class) to store information about what status code the application should send, or which page the user should be redirected to if said Error is thrown. For purposes of this demo, however, even one 'pretty' page is already light years better than the stark error we started out with.</p> <h2> Step Two: Asynchronous Errors </h2> <p>While Express will automagically catch synchronous errors and pass them to our custom error handler, <em>asynchronous</em> errors are a whole different beast. <strong>If a promise is rejected without being caught in an express route handler, the unhandled rejection will prevent the client from receiving any response!</strong> </p> <p>Since the 'spinning vortex of doom' is a terrible fate for our site visitors, we have to ensure we <strong>always trap promise rejections</strong> and pass them along to our error handler.</p> <h2> ➡️ Try-Catch Blocks 🛑 </h2> <p>By wrapping our asynchronous functions in try-catch blocks, we ensure that we are always trapping rejections when they arise. As soon as a promise is rejected, the code jumps to the 'catch' block, which then passes the error on to our handler:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">alwaysRejects</span> <span class="o">=</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="c1">// This function creates a promise that will always reject with an error:</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">((</span><span class="nx">resolve</span><span class="p">,</span> <span class="nx">reject</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">reject</span><span class="p">(</span><span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">I'm stuck!</span><span class="dl">"</span><span class="p">)));</span> <span class="p">}</span> <span class="nx">router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/reject</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">alwaysRejects</span><span class="p">();</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Hello, World!</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nf">next</span><span class="p">(</span><span class="nx">err</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <h2> An alternative approach: Middleware for your Middleware </h2> <p>For an alternate method to traditional try-catch handling, <a href="https://thecodebarbarian.com/80-20-guide-to-express-error-handling" rel="noopener noreferrer">The Code Barbarian</a> recommends promisifying the route handler itself. While this option does work, it may feel a bit clunky to add a wrapper simply to avoid a try-catch.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">//this function promisifies an existing express function so that any unhandled rejections within will be automagically passed to next()</span> <span class="kd">function</span> <span class="nf">handleErr</span><span class="p">(</span><span class="nx">expressFn</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">function </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="nf">expressFn</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">).</span><span class="k">catch</span><span class="p">(</span><span class="nx">next</span><span class="p">);</span> <span class="p">};</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">alwaysRejects</span> <span class="o">=</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="c1">// This function creates a promise that will always reject with an error:</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">((</span><span class="nx">resolve</span><span class="p">,</span> <span class="nx">reject</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">reject</span><span class="p">(</span><span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">I'm stuck!</span><span class="dl">"</span><span class="p">)));</span> <span class="p">}</span> <span class="nx">router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/reject</span><span class="dl">"</span><span class="p">,</span> <span class="nf">handleErr</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">alwaysRejects</span><span class="p">();</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Hello, World!</span><span class="dl">'</span><span class="p">);</span> <span class="p">}));</span> </code></pre> </div> <h2> Conclusion </h2> <p>All in all, whichever options you pick, good error handling is here to stay! </p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fdy72lqdg0dfzlakus6ru.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fdy72lqdg0dfzlakus6ru.png" alt="Screenshot showing side-by-side demo of plain error vs rendered html"></a><br> <em>From old-fashioned Internal Server Error to beautiful custom error pages...the glow-up is real!</em></p> <h2> References and Credits </h2> <p><a href="https://expressjs.com/en/guide/error-handling.html" rel="noopener noreferrer">Express Error Handling Documentation</a><br> <a href="https://thecodebarbarian.com/80-20-guide-to-express-error-handling" rel="noopener noreferrer">The Code Barbarian</a></p> express node errors javascript Preventing accidental password leaks with Sequelize Tassa Tenhouse Mon, 02 Dec 2019 20:51:58 +0000 https://dev.to/kmtenhouse/preventing-accidental-password-leaks-with-sequelize-4ego https://dev.to/kmtenhouse/preventing-accidental-password-leaks-with-sequelize-4ego <p>Express is one of the most popular web frameworks for Node.js, with tons of documentation and tutorials available. It was purposefully designed to be flexible and "unopinionated", which can help you get new projects up and running quickly...</p> <p>...until you smack head-first into user authentication.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fbvlidse9mhbyisq6uq2b.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fbvlidse9mhbyisq6uq2b.jpg" alt="Seal bumps into aquarium glass"></a></p> <p>Unlike frameworks in other languages (such as PHP's Django), Express doesn't have a built-in login system. It's up the developer to figure out how to authenticate users and handle their data - and security is tough! As a result, most tutorials pull in the middleware package <a href="http://www.passportjs.org/" rel="noopener noreferrer">Passport.js</a> for assistance. Passport supports a variety of "strategies" that can be used to verify the identity of a user attempting to access your application, including Open Id Connect with Google, oAuth with Facebook, and more. And since those third-party strategies usually have even more setup steps, many tutorials resort to the "simplest" option -- the <a href="http://www.passportjs.org/docs/username-password/" rel="noopener noreferrer">passport-local</a> strategy which stores usernames and passwords in a database you control.</p> <h2> ⚠️ A note about username/password </h2> <p>It's worth pausing for a moment to consider: is storing passwords the right choice for your project in the first place? While the 'local' strategy <em>does</em> get you up and running quickly, most tutorials leave out important steps for safely handling passwords. (Heck, even these one isn't as in-depth as it could be!) </p> <p>Some strongly recommended reading includes:</p> <ul> <li><a href="https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Authentication_Cheat_Sheet.md" rel="noopener noreferrer">OWASP Authentication Cheat Sheet</a></li> <li> <a href="https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html" rel="noopener noreferrer">OWASP Password Storage Cheat Sheet</a> </li> </ul> <h2> 🙄 Pshh, I'm sure I have this under control - I'm salting and hashing stuff! </h2> <p>Okay, well...while it's a great step to store passwords <a href="https://www.thesslstore.com/blog/difference-encryption-hashing-salting/" rel="noopener noreferrer">hashed and salted</a>, it's also important to think about <em>retrieval</em>. Even if our passwords aren't in plain text, we still don't want to make them accessible to users! If passwords can be saved to a malicious person's machine, they have all the time in the world to try cracking them. (And if your password protection <a href="https://itnext.io/how-not-to-store-passwords-4955569e6e84" rel="noopener noreferrer">isn't as rigorous as you think</a>, that can take as few as a couple minutes!) So it's important to make sure that your project both stores passwords securely and avoids leaking them back out.</p> <p>For example, consider an Express project using the <a href="https://sequelize.org/" rel="noopener noreferrer">Sequelize ORM</a>. Perhaps we have a user model like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">class</span> <span class="nc">User</span> <span class="kd">extends</span> <span class="nc">Model</span> <span class="p">{</span> <span class="nf">validPassword</span><span class="p">(</span><span class="nx">passwordToCheck</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">compareSync</span><span class="p">(</span><span class="nf">getSHA512</span><span class="p">(</span><span class="nx">passwordToCheck</span><span class="p">),</span> <span class="k">this</span><span class="p">.</span><span class="nx">password</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">User</span><span class="p">.</span><span class="nf">init</span><span class="p">({</span> <span class="na">nickname</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nx">DataTypes</span><span class="p">.</span><span class="nx">STRING</span><span class="p">,</span> <span class="na">allowNull</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">validate</span><span class="p">:</span> <span class="p">{</span> <span class="na">is</span><span class="p">:</span> <span class="sr">/^</span><span class="se">[</span><span class="sr">0-9a-z_</span><span class="se">]</span><span class="sr">+$/i</span><span class="p">,</span> <span class="na">len</span><span class="p">:</span> <span class="p">[</span><span class="mi">1</span><span class="p">,</span> <span class="mi">32</span><span class="p">]</span> <span class="p">}</span> <span class="p">},</span> <span class="na">email</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nx">DataTypes</span><span class="p">.</span><span class="nx">STRING</span><span class="p">,</span> <span class="na">allowNull</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">unique</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">validate</span><span class="p">:</span> <span class="p">{</span> <span class="na">isEmail</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">},</span> <span class="na">password</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nx">DataTypes</span><span class="p">.</span><span class="nx">STRING</span><span class="p">,</span> <span class="na">allowNull</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">hooks</span><span class="p">:</span> <span class="p">{</span> <span class="na">beforeCreate</span><span class="p">:</span> <span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="k">typeof</span> <span class="nx">user</span><span class="p">.</span><span class="nx">password</span> <span class="o">!==</span> <span class="dl">"</span><span class="s2">string</span><span class="dl">"</span> <span class="o">||</span> <span class="nx">user</span><span class="p">.</span><span class="nx">password</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;</span> <span class="mi">8</span> <span class="o">||</span> <span class="nx">user</span><span class="p">.</span><span class="nx">password</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">128</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Invalid incoming password!</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="nx">user</span><span class="p">.</span><span class="nx">password</span> <span class="o">=</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">hashSync</span><span class="p">(</span><span class="nf">getSHA512</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">password</span><span class="p">),</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">genSaltSync</span><span class="p">(</span><span class="mi">12</span><span class="p">),</span> <span class="kc">null</span><span class="p">);</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">sequelize</span> <span class="p">});</span> </code></pre> </div> <p>Now, let's say we write a route that is meant to get a list of all users so we can display them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/users</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">db</span><span class="p">.</span><span class="nx">User</span><span class="p">.</span><span class="nf">findAll</span><span class="p">({})</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">result</span> <span class="o">=&gt;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">result</span><span class="p">))</span> <span class="p">.</span><span class="k">catch</span><span class="p">(</span><span class="nx">err</span> <span class="o">=&gt;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">err</span><span class="p">));</span> <span class="p">});</span> </code></pre> </div> <p>But if we then hit this route with a client...</p> <p>(<a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fpc0vs6go9t95whd3ukfr.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fpc0vs6go9t95whd3ukfr.png" alt="Screenshot of the hashed passwords showing in response"></a></p> <p>...whoops, our passwords are exposed!</p> <h2> 😆 Well I would be more careful lol! </h2> <p>Maybe so! It's always important to think about what information our queries are selecting. Trouble is, it's also easy to miss places where this data is cropping up. For example, let's say we want to get data about the user who is currently logged in. If we were copying from <a href="http://www.passportjs.org/docs/username-password/" rel="noopener noreferrer">Passport's documentation for the local strategy</a>, the login configuration probably ended up looking something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">var</span> <span class="nx">passport</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">passport</span><span class="dl">'</span><span class="p">)</span> <span class="p">,</span> <span class="nx">LocalStrategy</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">passport-local</span><span class="dl">'</span><span class="p">).</span><span class="nx">Strategy</span><span class="p">;</span> <span class="nx">passport</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="k">new</span> <span class="nc">LocalStrategy</span><span class="p">(</span> <span class="kd">function</span><span class="p">(</span><span class="nx">username</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="nx">done</span><span class="p">)</span> <span class="p">{</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="na">username</span><span class="p">:</span> <span class="nx">username</span> <span class="p">},</span> <span class="kd">function</span><span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">done</span><span class="p">(</span><span class="nx">err</span><span class="p">);</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">done</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="kc">false</span><span class="p">,</span> <span class="p">{</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Incorrect username.</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">.</span><span class="nf">validPassword</span><span class="p">(</span><span class="nx">password</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">done</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="kc">false</span><span class="p">,</span> <span class="p">{</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Incorrect password.</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">done</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="nx">user</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> <span class="p">));</span> <span class="nx">passport</span><span class="p">.</span><span class="nf">serializeUser</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">user</span><span class="p">,</span> <span class="nx">done</span><span class="p">)</span> <span class="p">{</span> <span class="nf">done</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="p">});</span> <span class="nx">passport</span><span class="p">.</span><span class="nf">deserializeUser</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">id</span><span class="p">,</span> <span class="nx">done</span><span class="p">)</span> <span class="p">{</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">id</span><span class="p">,</span> <span class="kd">function</span><span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="nf">done</span><span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">user</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p><strong>A quick run-down:</strong> When a user first logs in, passport will attempt to find a record for their email in our database. If both email and password are correct, the user's information is passed along through the middleware. Very commonly, Express/Passport are also configured to start a 'session' for that user using their unique id as the way to recall who they are. Every time the user makes a subsequent request, the deserialization process will look up the user's current information from the db using that id. The fresh info will then be attached to req.user.</p> <p>So if you wanted to make a route that grabs info about the user who is currently logged in, it might be tempting to do something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/auth/whoami</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if</span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">sendStatus</span><span class="p">(</span><span class="mi">401</span><span class="p">);</span> <span class="p">}</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">);</span> <span class="p">})</span> </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fmli5r6nhodp82wqnz653.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fmli5r6nhodp82wqnz653.png" alt="Screenshot of password displaying alongside user record"></a></p> <p>And once again we are exposing a password! Since req.user is meant to be used internally, this isn't typically called out in tutorials.</p> <h2> 😡 Okay yeah, this is getting annoying! </h2> <p>Well knowing is half the battle, and now that we've seen a couple places where sensitive data might leak, we can certainly pay more attention to how we write queries. But the more complex a project gets, the easier it becomes to make a mistake. <strong>What if we had an extra layer of protection that prevented us from accidentally retrieving sensitive info from the database in the first place?</strong></p> <h2> 🛡️ Your new buddy: exclusion-by-default 🛡️ </h2> <p>Many ORMs (such as Sequelize and Mongoose) provide a way to exclude specific fields/columns from query results by default. The developer must then specifically override that behavior on the rare occasion that they wish to access that data. By making it hard for this information to leave the database in the first place, it's harder to slip up further down the line. Plus, this isn't limited to passwords -- we can apply this strategy to anything we don't want to share broadly! Here's how it works with Sequelize.</p> <p>When defining a Model, we will add a few additional items to our options object: 'defaultScope' and 'scopes':<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">User</span><span class="p">.</span><span class="nf">init</span><span class="p">({</span> <span class="p">...</span> <span class="p">},</span> <span class="p">{</span> <span class="na">hooks</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">defaultScope</span><span class="p">:</span> <span class="p">{</span> <span class="nl">attributes</span><span class="p">:</span> <span class="p">{</span> <span class="na">exclude</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">password</span><span class="dl">'</span><span class="p">]</span> <span class="p">},</span> <span class="p">},</span> <span class="nx">scopes</span><span class="p">:</span> <span class="p">{</span> <span class="nl">withPassword</span><span class="p">:</span> <span class="p">{</span> <span class="na">attributes</span><span class="p">:</span> <span class="p">{},</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">sequelize</span> <span class="p">});</span> </code></pre> </div> <p><strong>defaultScope</strong> allows us to specify that we should not normally be able to retrieve the 'password' field. However, the default configuration for passport still needs it! As a result, we define a 'custom' scope called 'withPassword' -- this will retrieve everything. We also need to modify a line in our passport config:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">...</span> <span class="nx">db</span><span class="p">.</span><span class="nx">User</span><span class="p">.</span><span class="nf">scope</span><span class="p">(</span><span class="dl">'</span><span class="s1">withPassword</span><span class="dl">'</span><span class="p">).</span><span class="nf">findOne</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="nx">email</span> <span class="p">}</span> <span class="p">})</span> <span class="p">...</span> </code></pre> </div> <p>And so in one fell swoop, we have fixed our /api/users:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F8570j0ol8saycy61vct5.JPG" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F8570j0ol8saycy61vct5.JPG" alt="Screenshot showing that passwords are no longer visible in JSON"></a></p> <p>...as well as that /auth/whoami route:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fy2822uk59rrrs9z6xpo8.JPG" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fy2822uk59rrrs9z6xpo8.JPG" alt="Screenshot of user record without password"></a><br> <em>Though I'd still recommend caution with req.user -- remember, that's internal!</em></p> <h2> 😄 Hey, that was pretty cool! Now I don't have to stress as much. </h2> <p>Absolutely! An ounce of prevention is always worth a pound of cure. When using ORMs, we might as well take advantage of their features to make repetitive work easier. By designing our application so that sensitive information stays in the db by default, we help ourselves nip some problems in the bud.</p> <p>(And lastly, remember: if it works for your project to avoid the password game entirely, other strategies are there for you too ;)</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F9o5ggo6cs02hj67vid56.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F9o5ggo6cs02hj67vid56.png" alt="Will Smith pointing out that Open ID and OAuth strategies are right there"></a></p> node express passportjs sequelize