DEV Community


🛑 You don't need passport.js - Guide to node.js authentication ✌️

Sam on May 31, 2019

Originally posted on softwareontheroad.com Introduction While third-party authentication services like Google Firebase, AWS Cognito, an...
Cyril Trosset

Hi there,
Thanks for your article.

Why would you save the salt in the database? It's not used anywhere after saving, as argon2 saves it on its own.

I have also implemented refresh tokens to minimize the impact of token theft and restrict access to only one device.

Thanks

Tomas Agustin

I would like to know it too.
Please Sam, answer us! :P

Jakub Sarnowski

Using JWTs for sessions is not a good idea unless you're on a microservice architecture and are communicating with multiple APIs with the same token. Otherwise, plain old sessions would be a lot better.

For more information and arguments, check out this post.

Sam

Sure, using JWT has its cons, like how to handle JWT theft: the system has to have a sort of 'black-list' feature to revoke that access, which implies keeping track of generated JWTs and creating a list in Redis or Memcache. Or using a unique secret to sign the JWT for every user, and changing it.

In a future article of this series, I'll talk about using sessions and its advantages.

Thanks for reading!

Jakub Sarnowski

Exactly. The problem is that JWTs are awesome because they're stateless, but if you're using one as a session and you have to handle all those security vulnerabilities, it starts to be stateful and loses its main benefit.

Anyways, awesome article! :)

Roman Voloboev

Nice article, thanks!

It is good to combine "User not found" and "Incorrect password" into something like "User not found or incorrect password" for better security.

Brute-force protection is a must-have! You can read more here

Md Abu Taher

Thank you for sharing such an in-depth post.

Sam

Thank you! Hope you liked it :)

Deepak Kumar

Hi Sam,

I loved your post and the in-depth explanation of JWT.

I also wrote a similar post on Authentication in Nodejs. Feel free to check it out:

Authentication in NodeJS With Express and Mongo - CodeLab #1

I would really like to know your feedback!

Tremaine Buchanan

Thanks for the post. Gonna be implementing the user impersonation going forward for the apps that I build. The principle should suffice for a dotnet or JS backend.

Tomer

Great article! But what are the params in .get(...)? I only know it takes a path and a cb.

How do you go from isAuth to the next middleware? Thanks

Sam

The parameters in between the path and the callback/controller are the middlewares.

Those are functions that are executed before the route callback, and they have access to Express's req and res objects.
Middlewares can be used for anything you want; a few examples: checking user roles, API input validation, logging specific information, adding timestamps of the user's last activity, etc.

Here is more information.
expressjs.com/en/guide/using-middl...

Arthur Alves

Awesome article! Keep writing!

Tomas Agustin

Good approach, I didn't know argon2 before reading your article!
Thanks!

Ari

Hi, where is that randomBytes function coming from?

Allen Joseph

You can use the crypto module from Node (nodejs.org/api/crypto.html#crypto_...).