DEV Community


Discussion on: Password-based authentication with GraphQL and Passport

wanzulfikri profile image

For local authentication, does Passport encrypt the password automatically?

I’ve no experience using an external library for authentication; my experience is limited to using bcryptjs to encrypt and decrypt the password during sign up and logins. If the user is authenticated, I’ll use JWT stored in cookie to maintain the authenticated state.

Anyway, thank you for writing this.

jkettmann profile image
Johannes Kettmann Author

Thanks a lot for the comment. Passport doesn't encrypt the password, it only provides a standardized way of getting a user according to a given set of credentials. If you only want to support password-based login for your users with GraphQL you could achieve the same functionality inside the resolvers without Passport. In your case you could do the following:

  1. Send the email and password to the GraphQL API via a mutation (same as here)
  2. Encrypt and hash the password inside the resolver (not implemented in this post but definitely necessary)
  3. Use the email and password hash to fetch the user from a database inside the resolver (this is done in the Passport graphql-local strategy here)
  4. Create a JWT and save it in a cookie (we use express-session instead)
  5. Use the JWT on subsequent request to authenticate the user (again express-session in combination with Passport)

In general, I would advise against using JWT for session management. This is why we use express-session in this tutorial which saves a session ID to the cookie instead. We didn't really cover it in this post but you can find more details here. Passport integrates really well with express-session.

Another big advantage of Passport is that it supports a lot of other ways to authenticate. You can plug in more "Strategies" and easily implement login via Facebook, Twitter, GitHub, Auth0 and many more.

wanzulfikri profile image
wanzulfikri • Edited

Thanks for the detailed response. I really appreciate it.

And thanks for the link as well, I see now why JWT might not be ideal for session-management. I’m currently in the planning phase for my next project and I am convinced in using Passport and express-session for authentication and authorization; Passport’s extensibility is a big plus too.

Bookmarking your article so I can refer to it in the future.

Sidenote: A fascinating discussion on HN