Originally posted on softwareontheroad.com
Introduction
While third-party authentication services like Google Firebase, AWS Cognito, an...
Hi there,
Thanks for your article.
Why would you save the salt in database? It's not used anywhere after saving as argon2 saves it on its own.
I have also implemented refresh tokens to minimize the impact of token theft and to restrict access to only one device.
Thanks
I would like to know it too.
Please Sam, answer us! :P
Using JWTs for sessions is not a good idea unless you're on a microservice architecture and are communicating with multiple APIs with the same token. Otherwise, plain old sessions would be a lot better.
For more information and arguments, check out this post.
Sure, using JWT has its cons, like how to handle JWT theft: the system has to have a sort of 'black-list' feature to revoke that access, which implies keeping track of generated JWTs and maintaining a list in Redis or Memcache. Or using a unique secret to sign the JWT for every user, and changing it.
In a future article of this series, I'll talk about using sessions and its advantages.
Thanks for reading!
Exactly. The problem is that JWTs are awesome because they're stateless, but if you're using them as a session and you have to handle all those security vulnerabilities, it starts to be stateful and loses its main benefit.
Anyways, awesome article! :)
Nice article, thanks!
It is good to combine "User not found" and "Incorrect password" into something like "User not found or incorrect password" for better security. Brute-force protection is a must-have! You can read more here.
Thank you for sharing such in-depth post.
Thank you! Hope you liked it :)
Hi Sam,
I loved your post and an in-depth explanation of JWT.
I also wrote a similar post on Authentication in Nodejs. Feel free to check it out:
Authentication in NodeJS With Express and Mongo - CodeLab #1
I would really like to know your feedback!
Thanks for the post. Gonna be implementing the user impersonation going forward for the apps that I build. The principle should suffice for a dotnet or JS backend.
Great article! But what are the params in .get(...)? I only know it is path and cb.
How do you go from isAuth to the next middleware? Thanks
The parameters in between the path and the callback/controller are the Middlewares.
Those are functions that are executed before the route callback, and have access to the req and res objects of Express.
Middlewares can be used for anything you want; a few examples: checking user roles, API input validation, logging specific information, adding timestamps of the user's last activity, etc.
Here is more information.
expressjs.com/en/guide/using-middl...
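To make the middleware chain concrete, here is an added example (not code from the article or from any commenter): a minimal Express-style `route(path, ...middlewares, controller)` showing how `isAuth` either calls `next()` to hand off to the following handler or ends the response with 401. It has no Express dependency; the request/response objects and the token table are constructed here purely for illustration.

```javascript
// Added example: a stripped-down router that mimics app.get(path, ...middlewares, cb).
// Constructed token table standing in for real JWT verification (assumption).
const VALID_TOKENS = { 'tok-alice': { id: 'u1', name: 'alice', role: 'admin' } };

// Middleware: authenticate, or stop the chain with 401. next() is never called on failure.
function isAuth(req, res, next) {
  const header = req.headers.authorization || '';
  const [scheme, token] = header.split(' ');
  const user = scheme === 'Bearer' ? VALID_TOKENS[token] : undefined;
  if (!user) return res.status(401).send({ error: 'unauthorized' });
  req.currentUser = user; // attached for later middlewares and the controller
  next();
}

// Middleware factory: role check that relies on isAuth having run before it.
function requireRole(role) {
  return (req, res, next) => {
    if (req.currentUser.role !== role) return res.status(403).send({ error: 'forbidden' });
    next();
  };
}

// Builds a route: returns a function that runs the handler chain for one request
// and returns the (constructed) response object.
function route(path, ...handlers) {
  return (req) => {
    const res = {
      statusCode: 200, body: undefined,
      status(c) { this.statusCode = c; return this; },
      send(b) { this.body = b; return this; },
    };
    if (req.path !== path) return res.status(404).send({ error: 'not found' });
    let i = 0;
    // Each handler decides whether to call next(); if it does not, the chain ends there.
    const next = () => { const h = handlers[i++]; if (h) h(req, res, next); };
    next();
    return res;
  };
}

// Equivalent of app.get('/users', isAuth, requireRole('admin'), controller)
const usersRoute = route('/users', isAuth, requireRole('admin'),
  (req, res) => res.send({ me: req.currentUser.name }));

// Usage: a valid admin token reaches the controller; a missing token stops at isAuth.
const granted = usersRoute({ path: '/users', headers: { authorization: 'Bearer tok-alice' } });
const denied = usersRoute({ path: '/users', headers: {} });
```

The same pattern generalises to any check placed between the path and the controller: input validation or request logging simply call `next()` when they are done, while a failed check ends the response instead.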
Awesome article! Keep writing!
Good approach, I didn't know argon2 before reading your article!
Thanks!
Hi, where was that randomBytes function coming from?
You can use the crypto module from Node (nodejs.org/api/crypto.html#crypto_...).