
Authentication with Node and Passport


When creating a new website (or dealing with an existing one), it is very important to get authentication right if you need to implement it. Unfortunately, getting authentication right is a difficult task, believe it or not.

Before getting into using Node and Passport for authentication, I suggest watching this quick video about how NOT to store passwords. It's a good "history" of how some people have stored (and some still do store) passwords. It also goes over hashing and salting as the recommended way to store passwords if you have to do it on your own.



One thing mentioned in the video is that, if possible, you should not handle authentication on your own. This means using a third party like Google, Facebook, GitHub, or any other company that lets users sign in through its authentication service.

This is where Passport comes in. From the Passport website:
Passport is authentication middleware for Node. It is designed to serve a singular purpose: authenticate requests. When writing modules, encapsulation is a virtue, so Passport delegates all other functionality to the application. This separation of concerns keeps code clean and maintainable, and makes Passport extremely easy to integrate into an application.

If you have used the internet in the past few years you may have seen buttons or icons that look something like this:

If you create an account or sign in with a service such as Facebook, you are essentially using a single sign-on technique built on OAuth. Each one of the buttons pictured above (and many more not pictured) represents an OAuth provider.

What is OAuth?
OAuth (Open Authorization) is an open standard for token-based authentication and authorization on the Internet. OAuth, which is pronounced "oh-auth," allows an end user's account information to be used by third-party services, such as Facebook, without exposing the user's password.
Source: OAuth Definition

At this point we know:
1: Authentication is something that should not be taken lightly
2: It's great if you can leave it up to someone else
3: OAuth is the standard these companies use to offer single sign-on

With this in mind, we can move forward with a deeper discussion about using Passport and Node.
As stated above, Passport is a tool for setting up authentication when using Node. It is middleware (see: what is middleware?).

Passport Documentation
It's important, when working with Passport, to check out the official docs.
There are a few key things to note about the main site.

When going to the documentation section, you will see some general setup information. Below that, there are links for Providers. These providers include the ones mentioned above (Facebook, Google, Twitter, etc.). Each one has its own configuration details, and these configuration details are referred to as STRATEGIES.

Strategies are the provider-specific implementations that you can search for and install. For example, clicking on Strategies brings up a search dialog that looks like this (searching for Google).



Clicking on OAuth for Google (the first one, passport-google-oauth) takes you to the git repo for the strategy you want to implement (view repo).

While each strategy has its own specific implementation details, they all follow the same basic pattern:

1: Sign up for a developer account with the provider to gain access to its API
2: Add code to handle the authentication (follow the docs' examples)
3: Add code to handle routing (follow the docs' examples)

Once this is set up, Passport is essentially doing two things: authenticating and redirecting.

When you sign up with an OAuth service, you are granting it permission to handle your login (you need to be logged in to that service in your browser). Once you agree, permission is granted to your app via a cookie/token and you are logged in.

General OAuth flow - Signup
1: Click "Sign up with Google/Facebook/Twitter/etc."
2: The provider asks the user whether they grant permission
3: Take the code from the callback URL (example.com/auth/google/callback?code=123)
4: Send a request to Google with the code included
5: Google verifies the code and responds with the user's details
6: Create a new record in the DB with these user details

General OAuth flow - Login
1: Click login
2: Forward the request to Google/Facebook/Twitter/etc.
3: Verify that permission was granted
4: Set the user ID in the cookie/token for the user
5: Successfully logged in

Example code using Node (Express) and Passport with the Google strategy for OAuth 2. See the comments for further explanation.
** Note - this is not a full working example but rather a rough guide
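As an added illustration of the two flows above (this is not the post's own snippet), here is the "find or create" verify callback, the session serialisation that keeps only the user ID in the cookie, and the two routes for passport-google-oauth's OAuth2Strategy. The in-memory user store is constructed for the example, and the passport and strategy objects are passed in as parameters so the logic can be run without the packages; the clientID, clientSecret and callbackURL values are assumed to come from the environment.

```javascript
// Added example (not the post's own snippet): verify callback, session
// serialisation and route wiring for passport-google-oauth's OAuth2Strategy.
// Package objects are injected so the logic runs without them installed.
// In a real app:  const passport = require('passport');
//   const GoogleStrategy = require('passport-google-oauth').OAuth2Strategy;

// Constructed in-memory user store standing in for the database.
const users = new Map(); // id -> { id, googleId, displayName }
let nextId = 1;

// Signup step 6 vs. login: look the Google profile up by its provider id and
// create a record only the first time it is seen. Returns { user, created }.
function findOrCreateUser(profile) {
  for (const user of users.values()) {
    if (user.googleId === profile.id) return { user, created: false };
  }
  const user = { id: nextId++, googleId: profile.id, displayName: profile.displayName };
  users.set(user.id, user);
  return { user, created: true };
}

// Only the internal user id goes into the session cookie, never the Google
// profile or tokens; deserializeUser re-reads the record on every request.
function serializeUser(user, done) { done(null, user.id); }
function deserializeUser(id, done) {
  const user = users.get(id);
  done(user ? null : new Error('unknown user id'), user || false);
}

// Passport verify callback: by the time it runs, Passport has already sent the
// ?code= from the callback URL to Google and received the tokens and profile.
function verify(accessToken, refreshToken, profile, done) {
  done(null, findOrCreateUser(profile).user);
}

// Wire it into an Express app. cfg = { clientID, clientSecret, callbackURL }
// (assumed read from the environment); session middleware must be mounted first.
function installGoogleAuth(app, passport, GoogleStrategy, cfg) {
  passport.use(new GoogleStrategy(cfg, verify));
  passport.serializeUser(serializeUser);
  passport.deserializeUser(deserializeUser);
  app.use(passport.initialize());
  app.use(passport.session());
  // Signup steps 1-2: redirect the user to Google's consent screen.
  app.get('/auth/google', passport.authenticate('google', { scope: ['profile', 'email'] }));
  // Steps 3-5: Google redirects back with ?code=...; Passport completes the exchange.
  app.get('/auth/google/callback',
    passport.authenticate('google', { failureRedirect: '/login' }),
    (req, res) => res.redirect('/'));
}
```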



Sources
David Rice - OAuth Parts 1-4 (YouTube series)
Computerphile YouTube channel - How NOT to store passwords
Passport JS official site
Full Stack Node with React Udemy course (Stephen Grider)
