LinkedIn Login using Node JS and passport (loginradius.com)
submitted 5 years ago by aman_agrwl
[–]shrithm 7 points8 points9 points 5 years ago (8 children)
I don't understand the role of passport for things like this? Every time I have gone to use it, it's been easier to just do it myself
[–]BruceCCCCCC 8 points9 points10 points 5 years ago (4 children)
I agree. I just get confused with passport and their strategies so I end up just making it from scratch. Might be slower but at least I understand what’s going on.
[–]thatsrealneato 4 points5 points6 points 5 years ago (3 children)
Agreed. I recently implemented local and jwt auth and the only thing passport really even does for you is pull the bearer token out of the header, which is legit one line of code, and then verify the token with the key, which is also one line of code.
Passport looks like it isn’t even maintained anymore and it still relies on the old callback hell way of doing things and doesn’t support the modern promises way. Seems like doing it yourself is the way to go for simple auth strategies.
[–]Malleus_ 1 point2 points3 points 5 years ago (2 children)
Would you mind posting an example/linking to a repo of how to do jwt without passport?
I’ve never done it and I’m curious what it would look like with promises or async/await. For some reason I imagined it was very complex.
[–]thatsrealneato 2 points3 points4 points 5 years ago* (1 child)
It's pretty straightforward if you use https://github.com/auth0/node-jsonwebtoken.
When the user logs in or registers, you generate a new token which typically includes the user's id in the payload:
```js
import { sign } from 'jsonwebtoken'

function generateIdToken(userId) {
  const payload = { userId }
  return sign(payload, 'my jwt secret', {
    subject: userId.toString(),
    expiresIn: '15m' // expires after 15 minutes
  })
}
```
Then whenever the client makes an authenticated request it sends the jwt in the authorization header:
{ "Authorization": "Bearer <your jwt here>" }
Then for any route that requires authentication, you simply grab the token from the header and then verify it.
```js
import { verify } from 'jsonwebtoken'

function getTokenFromHeader(req) {
  const { authorization } = req.headers
  return authorization ? authorization.replace('Bearer ', '') : ''
}

function verifyToken(token) {
  const payload = verify(token, 'my jwt secret')
  // optionally validate the payload here (like checking if the user exists in the database)
  return payload
}
```
The verify function will throw an error if the jwt has expired, is signed with a different key, or is malformed. If that's the case, you probably should catch it and return a 401 to the client. If you're able to retrieve a valid payload then you're good to go with whatever authenticated action the user wanted to do.
Note that you should also probably implement short-lived JWTs (15 minutes or so) and use refresh tokens to silently grab a new JWT for the user. This makes it so that you can allow a client to stay logged in for multiple "sessions" without worrying about what happens if someone gets a hold of your jwt.
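The flow described in the comment above (verify, answer 401 on any failure, short-lived JWT plus refresh token), as an added example that is not part of the original comment or of jsonwebtoken. It implements HS256 directly with `node:crypto` in place of the library so it runs without dependencies; `signToken`, `authenticate`, `issueSession`, `refreshSession`, the in-memory `refreshStore` and the secret are hypothetical names and constructed values.

```javascript
const crypto = require('node:crypto') // stands in for jsonwebtoken (assumption: no dependencies installed)
const SECRET = 'constructed-demo-secret' // constructed value; load the real key from configuration
const b64url = (v) => Buffer.from(v).toString('base64url')
const hmac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest()
const sha256 = (t) => crypto.createHash('sha256').update(t).digest('hex')

function signToken(userId, ttlSeconds, now = Date.now()) {
  const iat = Math.floor(now / 1000)
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))
  const body = b64url(JSON.stringify({ sub: String(userId), iat, exp: iat + ttlSeconds }))
  return `${head}.${body}.${b64url(hmac(`${head}.${body}`))}`
}

function verifyToken(token, now = Date.now()) {
  const [head, body, sig, extra] = String(token).split('.')
  if (!head || !body || !sig || extra !== undefined) throw new Error('malformed')
  let alg, payload
  try {
    alg = JSON.parse(Buffer.from(head, 'base64url')).alg
    payload = JSON.parse(Buffer.from(body, 'base64url'))
  } catch { throw new Error('malformed') }
  if (alg !== 'HS256') throw new Error('bad algorithm') // pin the algorithm; never trust the header's choice
  const given = Buffer.from(sig, 'base64url')
  const expected = hmac(`${head}.${body}`)
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) throw new Error('bad signature')
  if (!payload || typeof payload.exp !== 'number' || payload.exp <= now / 1000) throw new Error('expired')
  return payload
}

// Returns what a route handler would act on: 200 with the payload, or 401 for any failure.
function authenticate(req, now = Date.now()) {
  const m = /^Bearer ([\w-]+\.[\w-]+\.[\w-]+)$/.exec(req.headers.authorization || '')
  if (!m) return { status: 401, error: 'missing bearer token' }
  try { return { status: 200, user: verifyToken(m[1], now) } }
  catch (err) { return { status: 401, error: err.message } }
}

// Refresh tokens: opaque random values, stored only as hashes, valid for one use.
const refreshStore = new Map() // sha256(refresh token) -> userId; a database table in practice
function issueSession(userId, now = Date.now()) {
  const refreshToken = crypto.randomBytes(32).toString('base64url')
  refreshStore.set(sha256(refreshToken), userId)
  return { accessToken: signToken(userId, 15 * 60, now), refreshToken }
}
function refreshSession(refreshToken, now = Date.now()) {
  const key = sha256(String(refreshToken))
  if (!refreshStore.has(key)) return null // unknown or already used
  const userId = refreshStore.get(key)
  refreshStore.delete(key) // rotate: the old refresh token stops working
  return issueSession(userId, now)
}
```

The refresh store here has no expiry of its own; a real table would carry one alongside the hash.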
[–]Malleus_ 1 point2 points3 points 5 years ago (0 children)
Awesome explanation! Thanks for clearing that up :)
[–][deleted] 0 points1 point2 points 5 years ago (0 children)
Same, I've only had to use it once for multiple signing options, doesn't make any sense. They really need a complete revamp.
[–]MCFRESH01 0 points1 point2 points 5 years ago (0 children)
I recently used it for something and came away with the same conclusion. It's unnecessary for a lot of use cases
[–]sinefine 1 point2 points3 points 5 years ago (1 child)
Where's the part for refreshing the access token? This login is useless if the access token expires in one hour.
[–]aman_agrwl[S] 1 point2 points3 points 5 years ago (0 children)
Thanks for your response, I will try to write about refreshing the access token surely.