1
votes

I am using Express 4 with Node.js - I have successfully implemented Passport to authenticate with a username/password. But how do I get Passport to authenticate with just session information?

How would I create a custom Passport strategy to take the session info and compare it with a particular user's info?

I am looking for this:

passport.use(new SessionStrategy(function(req, res, done) {
  if (req.session blah blah blah) {
    ???
  }
}));

I really have no idea what the best way to do this is. Perhaps I store the user's latest session information on the backend-database. So instead of finding a user with their username, I find a user with the sessionid?

One answer seems to be the following:

This is the code to put the session-id into a cookie and retrieve the data when the user comes back. No strategy required.

// Called once at login: decide what goes into the session. Only the user id
// is stored, so the session never carries the rest of the user record.
passport.serializeUser(function(user, done) {
  done(null, user.id);
});

// Called on every subsequent request: turn the id kept in the session back
// into a full user object (req.user) by looking it up in the database.
passport.deserializeUser(function(id, done) {
  User.findById(id, function (err, user) {
    done(err, user);
  });
});

2 Answers

1
votes

You have two options:

  1. Use persistent session store
  2. JSON Web Token

For implementing a persistent session, you can use the MongoDB session store or the Redis session store.

If you want to use Redis then make use of the connect-redis npm package. If you want to use MongoDB as the session store then make use of the connect-mongo npm package.

There are some settings which you need to do in your app.js/server.js. In one of my demos I am using the Redis session store with PassportJS; if you are looking for an example, feel free to look here.

If you want to use JSON web tokens, there are many different implementations available. I am using jsonwebtoken. I implemented this using PassportJS, ExpressJS and AngularJS in the front end. For an example look here. Tokens are encoded and stored in the browser's local storage with a secret key.

I would suggest you go for JSON web tokens; read about it in detail because that is how most of the major web apps are developed.

Both of my examples are working prototypes. Let me know if you need more help.

1
votes

The ideal way to do this is to store a user ID in the session (or a JWT as @NarendraSoni mentioned). The main idea is to store as little useful information as possible in the session, as you should treat it like it's publicly available to everyone.

If you do store just a user ID, for instance, then each time you receive a request (carrying req.session.userId), you could simply execute a database query to retrieve that user by the ID.

This is fast (especially if you use a server-side cache like memcached or redis), and causes very little latency. It's also secure, and prevents leaking user information to the browser.

If you're looking for a simpler way to handle this stuff in your app, you might want to check out my authentication library: express-stormpath. It does all of this stuff out of the box, is very secure, and provides lots of helper utilities to get you going faster: you can store custom data in accounts (like mongo), you can restrict users based on permissions, you can do API authentication, etc.