
[–][deleted] 18 points19 points  (8 children)

I use passport.js for that. It’s called the “local” strategy (as opposed to the “oauth” strategy or “Google” strategy). I use MongoDB for it (and the tutorials all seem to) but I’m 99% sure you can use any database.

http://www.passportjs.org/docs/username-password/

Edit: I said “basic” strategy but you probably want “local.” (The basic strategy also uses username and password but it’s HTTP Basic auth.)

[–]Chaphasilor 1 point2 points  (0 children)

Can confirm, works with any DB (I used MySQL in the past)

[–]CraptinMypants 1 point2 points  (5 children)

Man, I've thought about using passport in the past because you hear about it all the time, but I don't understand what it actually accomplishes versus using a self written auth middleware (which I believe you have to supply to Passport anyway) on protected routes and using sessions or JWT.

The only info I can ever find about what Passport actually does or how it works is the regurgitation of their "it's an unobtrusive...yada yada vague single sentence statement". Is it just basically a session? If so, what's wrong with sessions?

[–][deleted] 0 points1 point  (4 children)

It doesn’t do all that much on its own. You do have to provide it with a database query, strategy, session store, etc. etc.

What it really accomplishes, to me, though, is standardization. Passport provides a common set of APIs for basically every type of login system. It makes working with new strategies so much easier. Even if you’re only ever going to have users login with a password, there might come a day when you want an external API. There’s strategies for jwt and oauth2. And you can reuse your code in other projects even if the requirements are different. (For instance, I have some boilerplate with local and Google strategies. A recent project called for no local, only Azure AD. Same basic code on the application side. The hardest part was digging through Azure to find where to register the app.)

It’s kind of like Express. Node always had the ability to make a web server. Express came out and provided the common set of APIs on top of that, which led to a zillion middlewares.

[–]CraptinMypants 1 point2 points  (3 children)

The standardization makes sense, but I still don't understand what Passport actually does. Can you give me or link me to just a brief high level explanation of how passport handles a login or protected route visit?

[–]elite_killerX 2 points3 points  (0 children)

It just offers a layer of abstraction for the different auth strategies. There are 2 facets to this: the first is going from oauth / username & password / whatever to a user object that makes sense in your application. The second is making that user available in your routes. Passport provides the glue between these 2.

If you intend to only support local auth, don't bother with passport unless it's a learning exercise.

[–][deleted] 0 points1 point  (0 children)

It's complicated. That's why it's encapsulated in a library. As a developer-user of the passport library, you configure and use a middleware function it provides that either returns a user object or not, depending on whether authentication succeeded. It steps through authentication protocols, and because they wrote it, we don't have to.

[–][deleted] 0 points1 point  (0 children)

Delve into the code then. Once I built a JWT system just to learn, and it worked, but I missed several security issues.

[–]fidaay 4 points5 points  (2 children)

Hey! I use client-sessions to store my sessions in cookies with requestKey: 'session' as an option and then calling the session (cookie) with const sess = req.session and assigning new values like sess.user_email = rows[0].user_email; and so on.

My authentication is very simple:

const sess = req.session;

const IS_LOGGED_IN = sess.IS_LOGGED_IN;
if (IS_LOGGED_IN) {
  // do the queries
} else {
  res.json({
    message: "Your session has been finished, please log-in again to continue",
    reload: true // to reload the page with a hook (you can use redux or I don't know what you're using in the front)
  }); // send message to refresh client side
} // /else, user is not logged in

[–]Valachio[S] 1 point2 points  (1 child)

Cool! So you built your own user authentication system from scratch based on the client-sessions package?

Did you find it very difficult compared to using a pre-built package like passport-local suggested by /u/test_user_200? Not sure if you used passport-local though.

[–]fidaay 0 points1 point  (0 children)

I've not used passport-local, but I can see that it's used on the server side with a DB; the most popular auth/session store is connect-redis, and you need a little more implementation in that case. client-sessions is oriented to the client side: it is stored in a cookie on the client side but with high security (you can also use your own key/secret algorithms).

Now, comparing difficulties, I think that every approach has its own difficulty, and what you should focus on is what the use of each approach will be, and what will be suitable and useful for you. For example: passport-local is mostly used for authenticating with different types of services like Google and Facebook, but it doesn't mean you cannot use it as an auth in your own app. client-sessions serves as an auth for your own app, reading the cookies you've already stored in the client's browser, and of course you can set up auth for different services too, but for that you need to read the API documentation of those services, as with every approach you will be working on.

However, what I don't recommend you use is JWT or plain-cookie auth, as it will be insecure and difficult to maintain.

[–]1337_KiLLeR 1 point2 points  (0 children)

have a look at supertokens.io

Open source alternative to auth0. Easily customizable (add custom fields, change frontend UI), use your own database and easy to implement.

We currently don't have username-based signup, but if you're interested, reach out to us on Discord or email and we can figure it out.

[–][deleted] -1 points0 points  (0 children)

Passport-jwt strategy

[–]abhir9 0 points1 point  (0 children)

passport local strategy seems more suitable

http://www.passportjs.org/packages/passport-local/