DEV Community: Lakmal Asela

Understanding Passport & OAuth Authentication

Lakmal Asela — Sun, 27 Apr 2025 06:08:34 +0000

What is Authentication?

Authentication is the act of figuring out who a user is.
Example:

You do username/password login to a website.
Website figures out if you are really a user.

What is Passport?

Passport is a Node.js middleware.
It helps deliver authentication (login mechanisms).
It's extremely flexible and modular.

Key Features of Passport:

Minimalistic: Not going to force you to do things a certain way.
Has support for over 500 strategies (username/password, Google, Facebook, etc.).
Works perfectly with Express, NestJS, and most Node.js frameworks.

Remember: Passport DOESN'T handle sessions, cookies, or databases itself. You write that code yourself if needed.

What is a Strategy in Passport?

A Strategy is a Passport plugin.
It defines how you want to authenticate users.

Examples of Strategies:

passport-local: Login with username + password
passport-jwt: Login with JWT tokens
passport-google-oauth20: Login with Google account
passport-facebook: Login with Facebook
You can use more than one strategy in the same project!

What is OAuth?

OAuth (Open Authorization) is an open authorization standard protocol.
It allows users to share access to their data without giving out passwords.

Example:

You click "Login with Google" => Google asks for permission => You authorize => Site gets your email/profile.

How OAuth2 Works (Flow)

User clicks "Login with Google".
Client App (your app) redirects user to Google's login page.
User logs in on Google and grants permission.
Google sends an authorization code back to your app.
Your app exchanges that code for an access token.
Your app uses the access token to get user info (email, name, etc.).
Your app logs in the user.

This keeps the user's password secure.
Only tokens are exchanged, not passwords.

Passport + OAuth + NestJS Flow

Install Passport
Install OAuth Strategy (like passport-google-oauth20)
Setup a strategy
Setup routes for login and callback
Extract user info after successful login

Practical Example: Google OAuth with NestJS

Step 1: Install Required Packages

npm install @nestjs/passport passport passport-google-oauth20
npm install @nestjs/jwt passport-jwt
npm install @types/passport-google-oauth20 --save-dev

Step 2: Create the Google Strategy
src/auth/google.strategy.ts

import { Injectable } from '@nestjs/common';
import { PassportStrategy } from '@nestjs/passport';
import { Strategy, VerifyCallback } from 'passport-google-oauth20';

@Injectable()
export class GoogleStrategy extends PassportStrategy(Strategy, 'google') {
  constructor() {
    super({
      clientID: 'YOUR_GOOGLE_CLIENT_ID',  // ←replace with your credentials
      clientSecret: 'YOUR_GOOGLE_CLIENT_SECRET', // ← replace with your credentials
      callbackURL: 'http://localhost:3000/auth/google/callback',
      scope: ['email', 'profile'],
    });
  }

  async validate(accessToken: string, refreshToken: string, profile: any, done: VerifyCallback): Promise<any> {
    const { name, emails, photos } = profile;
    const user = {
      email: emails[0].value,
      firstName: name.givenName,
      lastName: name.familyName,
      picture: photos[0].value,
      accessToken,
    };
    done(null, user);
  }
}

Step 3: Create Auth Controller
src/auth/auth.controller.ts

import { Controller, Get, Req, UseGuards } from '@nestjs/common';
import { AuthGuard } from '@nestjs/passport';

@Controller('auth')
export class AuthController {

  @Get('google')
  @UseGuards(AuthGuard('google'))
  async googleAuth(@Req() req) {
    // This route will redirect user to Google login
  }

  @Get('google/callback')
  @UseGuards(AuthGuard('google'))
  async googleAuthRedirect(@Req() req) {
    // This route is hit after login success
    return {
      message: 'User information from Google',
      user: req.user,
    };
  }
}

Step 4: Create Auth Module
src/auth/auth.module.ts

import { Module } from '@nestjs/common';
import { AuthController } from './auth.controller';
import { GoogleStrategy } from './google.strategy';

@Module({
  controllers: [AuthController],
  providers: [GoogleStrategy],
})
export class AuthModule {}

Step 5: Import AuthModule in App Module
src/app.module.ts

import { Module } from '@nestjs/common';
import { AuthModule } from './auth/auth.module';

@Module({
  imports: [AuthModule],
})
export class AppModule {}

How It Works Now:

Open browser => http://localhost:3000/auth/google
You get redirected to Google Login page.
After login => Google redirects to http://localhost:3000/auth/google/callback
Your user information (email, name, photo) is read by the app.
User can be saved in database, session can be created, or JWT can be created here.

Concept Meaning

Passport Middleware to make authentication easier
OAuth
Protocol to allow login via third parties like Google, Facebook
Strategy
Plugin (e.g.: GoogleStrategy) to handle specific login method
NestJS Integration
You implement Guards and Strategies for redirection and login

Final Key Points

Never make your Google client secret public.
Use environment variables (.env file) for secret credentials.
You can also extend the same for Facebook, Github, LinkedIn by just changing the strategy.
Once OAuth login is done, generally you generate your own JWT token to manage user sessions.

If you want, after this you can:

Automatically save user information to your database after login.
Issue your own JWT tokens following an OAuth login.
Protect specific routes so that only authenticated users can access them.

DTO vs Entity: Why You Should Separate Concerns

Lakmal Asela — Sat, 28 Dec 2024 04:14:56 +0000

The Data Transfer Object is a design pattern used to transfer data across different layers or components of an application. It is a simple, flat, serializable object that contains only fields and accessors-appropriately getters and setters-without business logic. The main role of DTOs is to enable the effective encapsulation and transfer of data.
Clean and maintainable code is the key to modern software development for scalable and efficient applications. In any ordinary application, two very commonly used concepts, Data Transfer Objects and Entities, play an important role in segregating the concerns within an application. This article will explain the differences between Data Transfer Objects and Entities, why separating their responsibilities is important, and how to implement them.

What is an Entity?

An Entity represents a real-world object or concept in the domain of your application. It directly maps onto the database table and contains the business logic associated with that object. These are typically part of a persistence layer and are managed by an ORM framework like Hibernate or JPA in Java.

@Entity
@Data
@Builder
@AllArgsConstructor
@NoArgsConstructor
public class User {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    private String name;
    private String email;

}

Key Characteristics of Entities:

Mapped directly to a database table.
Contains both data and business logic.
Changes in the database structure can directly impact entities.

What is a DTO?

A Data Transfer Object, or DTO, is just a simple, flat object used to transfer data between different layers of an application-from the backend to the frontend, for example. It is designed to carry data but not business logic. They are used to shape the data according to the specific requirements of a certain use case or API endpoint.


@Data
@Builder
@NoArgsConstructor
@AllArgsConstructor
public class UserDTO {

    @NotNull(message = "Name is required")
    private String name;
    @NotNull(message = "Email is required")
    private String email;

}

Key Characteristics of DTOs:

Do not map directly to database tables.
Used for transferring data, especially between layers or across networks (e.g., APIs).
Contains only fields, getters, and setters (no business logic).

Why Separate DTOs and Entities?

1. Encapsulation and Security
Entities often contain sensitive information-for example, password, internal IDs-that you do not want to expose to external clients or other layers of the application.
Using DTOs enables you to control what data gets exposed and the structure of the data.
2. Decoupling Layers
DTO is a bridge between layers like service layer and API layer, that decouples each of them; in case some layer faces changes, for example, database schema changes, the other layer wouldn't be affected.
Assume there's some kind of change in your database structure, your DTO might remain unchanged because of that it saves your API from breaking changes.
3. Use Case Customization
DTOs allow the developer to adapt the structure of the data to his needs. For instance, you might want to return only the name and email fields for a user, while you would exclude fields like id and password from the return.
4. Performance Optimization
By including only the necessary fields, DTOs reduce the size of the data transferred over the network, improving performance in distributed systems, such as REST APIs.
5. Testability and Maintainability
DTOs make unit testing more straightforward and easy since they are simple and independent of any persistence layer dependencies.
DTOs also make the code base more maintainable due to a separation of concerns.
6. Avoids Tight Coupling
The approach of using entities directly inside APIs tightly couples your persistence model with your API contract. Changes in the entity structure may inadvertently break API consumers.

Service Layer with Mapping


public class UserMapper {
    public static UserDTO toDTO(User user) {
        UserDTO dto = new UserDTO();
        dto.setName(user.getName());
        dto.setEmail(user.getEmail());
        return dto;
    }

    public static User toEntity(UserDTO dto) {
        User user = new User();
        user.setName(dto.getName());
        user.setEmail(dto.getEmail());
        return user;
    }
}

Service Example:

@Service
public class UserService {
    @Autowired
    private UserRepository userRepository;

    public UserDTO getUserById(Long id) {
        User user = userRepository.findById(id).orElseThrow(() -> new RuntimeException("User not found"));
        return UserMapper.toDTO(user);
    }
}

Best Practices of Using DTOs and Entities

Never Expose the Entities in APIs:
Always map the entities to DTOs before returning data to the external client.

Using Libraries for Mapping:
These tools, like MapStruct or ModelMapper, enable ease of mapping between DTOs and Entities and reduce boilerplate code.

Keep DTOs Simple:
Don't add business logic or complicated behavior to your DTOs.

Use Validation in DTOs:
Let validation of the incoming data at DTO level be done with the use of annotations such as @Size and @notblank beforehand and map it to an entity.

Create Different DTOs for Different Use Cases:
You could have a UserResponseDTO for API responses, a UserCreateRequestDTO in cases of handling user creation requests.

Summary of DTO

The separation of DTOs from entities keeps the code base clean and maintainable, decouples the concerns, enhances security, and ensures performance. While entities will care about the business logic and database interaction logic, DTOs know only about the data transfer between layers or systems. The separation of these elements follows best practices in software design and protects your application from unexpected side effects of tightly coupled components.

What is the CORS ?

Lakmal Asela — Mon, 16 Sep 2024 09:40:36 +0000

CORS- Cross-Origin Resource Sharing-is a security feature used by web browsers. This feature stops a web page from requesting resources, or data, from a domain different from the one that served the web page. It is done to protect the users by disallowing malicious sites from sending unauthorized requests to servers or APIs at other domains.

How CORS Works

When a web page, in a certain origin, sends a request to a different origin, the browser first checks if the server allows this kind of cross-origin request. If it isn't so configured, the browser blocks the request. CORS defines a way in which a server can safely handle these cross-origin requests.

CORS relies on HTTP headers to let the server inform the browser whether or not the request is allowed. The key headers include:

Access-Control-Allow-Origin: Specifies which origin(s) are allowed to make requests (e.g., a specific domain or * for any domain).
Access-Control-Allow-Methods: Specifies which HTTP methods (e.g., GET, POST) are allowed.
Access-Control-Allow-Headers: Specifies which headers can be included in the request.
Access-Control-Allow-Credentials: Indicates whether credentials like cookies or authorization headers are allowed to be sent.

Why CORS is Used

Security: This is one of the most important features. It makes sure that there aren't any unauthorized requests allowed between different sites. A script originating from one domain is not allowed to access resources from another domain unless explicitly allowed.
Controlled Sharing: This is a controlled exposure to resources from other origins, notably in cases when APIs or services are consumed by applications hosted over different domains.

CORS Implementation in Spring Boot

Global Configuration

package com.logmaven.exmaven.configuration;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // Allowing CORS requests from http://localhost:3000
        registry.addMapping("/**")  // Apply to all endpoints
                .allowedOrigins("http://localhost:3000")  // Allow requests from this origin
                .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")  // Allow these HTTP methods
                .allowedHeaders("*")  // Allow all headers
                .allowCredentials(true);  // Allow credentials like cookies
    }

}

CORS Configuration Using Spring Security

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable() // Enable CORS and disable CSRF for simplicity
            .authorizeRequests()
            .anyRequest().authenticated(); // Allow only authenticated requests
        return http.build();
    }

    @Bean
    public CorsFilter corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        config.addAllowedOrigin("http://localhost:3000");
        config.addAllowedHeader("*");
        config.addAllowedMethod("*");
        source.registerCorsConfiguration("/**", config);
        return new CorsFilter(source);
    }
}

This configuration enables CORS for all endpoints, allowing requests from http://localhost:3000. You can adjust it to your specific requirements, including credentials, headers, and allowed HTTP methods.

Advantages of CORS

Security Control: Prevents unauthorized cross-origin requests.
Granular Access: Allows fine-grained access to resources based on origin, methods, and headers.
Interoperability: This allows modern web applications to securely consume APIs and services from different origins.

JavaScript Event Loop

Lakmal Asela — Tue, 27 Aug 2024 08:53:59 +0000

What is the JavaScript Event Loop?

In JavaScript, an event loop is a mechanism that controls the execution of code, events, or messages using non-blocking I/O. This provides a way for non-blocking, or asynchronous, operations in JavaScript.

Key Concepts

1.Single Threaded
JavaScript is single-threaded, which means it executes one task at a time. Single threaded, therefore, one thread on which JavaScript executes is the so-called "main thread.

2.Call Stack
It is the data structure in which JavaScript keeps track of function calls. A function call is pushed onto the stack. When it returns, it is removed. When it is empty, JavaScript is ready to process the next thing. It is also commonly referred to as the "main thread".

3.Heap
This is where JavaScript stores objects and variables. It's used for dynamic memory allocation.

4.Event Queue
A queue of messages or tasks that are waiting to get executed. When a task is added into the queue, it waits for the call stack to be empty to execute.

5.Event Loop
It is something that constantly monitors the call stack and event queue. If the call stack is empty, it then moves tasks from the event queue into the call stack and executes them.

Process

Execution of Code: When JavaScript starts to execute code, it pushes the function calls onto the call stack. Additionally, it executes one function after another.
Asynchronous Operations: Immediately an operation is asynchronous, like a setTimeout or a network request, the JavaScript does not block the execution. Instead, it forwards that operation to Web APIs, say to the browser's timer or to services handling HTTP requests.
Callback Functions: When an asynchronous operation completes, its callback function is pushed into the event queue.
Event Loop Checking: Event Loop now checks the call stack as well as the event queue in the order. If the call stack is empty, it picks the first task from the event queue and pushes that into the call stack to run it.

console.log('Start');

setTimeout(() => {
  console.log('Timeout 1');
}, 1000);

setTimeout(() => {
  console.log('Timeout 2');
}, 500);

console.log('End');

Note that the following will occur step-by-step:

Since start is a synchronous operation, it's logged immediately.
The first setTimeout is registered with 1000ms delay and then goes to the Web APIs. Its callback will be put in the event queue after 1000ms.
The second setTimeout is registered with 500ms delay and then goes to the Web APIs. Its callback will be put in the event queue after 500ms.
End is loged right away because it's synchronous.
In 500ms, the callback for the second setTimeout moves from the event queue to the call stack and logs Timeout 2.
The first rate for setTimeout undergoes from the event queue to the call stack in 1000ms and log Timeout 1.

Summary

Call Stack: Executes functions in order.
Event Queue: Stores messages or tasks to be executed.
Event Loop: It executes the tasks, which are passed from the event queue into the call stack when it's empty.

JavaScript Date prototype Property

Lakmal Asela — Mon, 29 Jul 2024 00:27:42 +0000

The Date.prototype object in JavaScript is used to extend or override the behavior of Date instances. This provides a means of adding custom methods and properties to all Date objects.

Extending Date with Custom Methods

You can add custom methods to Date.prototype to make them available on all instances of Date. For example, you may want to add a method that returns the number of total days.

Date.prototype.daysFromStartOfYear = function() { const startOfYear = new Date(this.getFullYear(), 0, 1); // January 1st of the current year const oneDay = 24 * 60 * 60 * 1000; // Milliseconds in one day const differenceInTime = this.getTime() - startOfYear.getTime(); return Math.floor(differenceInTime / oneDay) + 1; // Add 1 to include the start day }

Explanation

Date.prototype.daysFromStartOfYear: Defines a new method daysFromStartOfYear on the Date prototype, making it available to all Date instances.
new Date(this.getFullYear(), 0, 1): Creates a Date object for January 1st of the current year (this.getFullYear()).
this.getTime() - startOfYear.getTime(): Calculates the difference in milliseconds between the current date (this) and January 1st of the year.
Math.floor(differenceInTime / oneDay) + 1: Converts milliseconds to days. Adding 1 ensures that January 1st is counted as day 1.

This solution won't modify the Date.prototype object, and in some cases, may be useful when you need to apply the method and not affect all instances of Date

Array Loops in JavaScript

Lakmal Asela — Sat, 20 Jul 2024 05:04:49 +0000

Ever find yourself bogged down by writing repetitive loops to manipulate arrays?
JavaScript has a hidden arsenal: a set of powerful array methods like map, filter, and many others!

These methods simplify array manipulation, making your code cleaner, more concise, and much more enjoyable to write.
Let's dive into some of these gems:

️Map Method: Transform each element in an array effortlessly (pass in a function to alter them).
Filter Method: Streamline your array with ease (create a new array with elements that satisfy your criteria).
Find Method: Act like a detective ️‍(locate the first element that meets your condition).
FindIndex Method: Sharpen your investigative skills (find the index of the first matching element).
Fill Method: Repaint your array with new values (fill the entire array or just a specific range).
Some Method: Unleash your inner Sherlock (check if at least one element fulfills a condition).

**:

Connection Pooling in Spring Boot

Lakmal Asela — Fri, 07 Jun 2024 15:46:59 +0000

connection pooling is a method specifically designed to manage and reuse database connections, enhancing the performance of applications that interact with databases.
A database connection acts as a bridge between a Java application and a database server. Establishing and terminating these connections should be making efficient management crucial for optimal application performance.
Connection pooling involves creating a pre-established database connections that can be reused. This is contributes reduces the overhead of establishing new connections for each database operation, thereby enhancing application efficiency & concurrency controlling.

Without connection pooling, database interaction would require establishing a new connection and terminating it afterward. This repetitive task & occur the overhead, leading to additionally effort to potential resource drain. Connection pooling resolve these issues by reusing existing connections & it will be in improved efficiency, concurrency, and overall system stability.

The Spring boot introduce the HikariCP for connection pool implementation.

HikariCP can configure in your application.properties file

# HikariCP settings spring.datasource.hikari.maximum-pool-size=10 spring.datasource.hikari.minimum-idle=5 spring.datasource.hikari.idle-timeout=600000 spring.datasource.hikari.connection-timeout=30000 spring.datasource.hikari.max-lifetime=1800000 spring.datasource.hikari.leak-detection-threshold=2000 spring.datasource.hikari.pool-name=MyHikariCP

Summery

Connection pooling is a vital mechanism for enhancing the performance and scalability of applications that interact with databases. By maintaining a pool of reusable database connections, connection pooling minimizes the overhead associated with establishing and tearing down connections for each database operation. This approach not only optimizes resource utilization but also improves application responsiveness and stability.