Reputation: 75666
authenticate user with mongoose + express.js
What's the best way to authenticate a user with Mongoose and ExpreeJS.
I'm using mongoose 3.x and it looks like this package isn't being updated anymore: https://github.com/bnoguchi/mongoose-auth
Ideally I could authenticate user with twitter and facebook too.
Upvotes: 2
Views: 13776
Answers (3)
Reputation: 311865
Everyauth is another option, especially if you're looking for lots of flexibility and support for authenticating via third parties like twitter and facebook.
See this post from the author in another SO question for a good overview of its features and benefits.
Upvotes: 0
Reputation: 16395
I always prefer not to use a plugin or module for every problem. Using just mongoose you could do it like this:
Have a db.js for your mongoDB configuration
var mongoose = require('mongoose');
mongoose.connect("mongodb://...");
var userSchema = new mongoose.Schema({
username: String,
salt: String,
hash: String
});
exports.User = mongoose.model("user", userSchema);
Use TJ's pass.js file to hash passwords. It uses crypto.pbkdf2 for encryption.
Create a user by hand or use a form to allow self registration:
var db = require('./db');
var pwd = require('./pwd');
var user = new db.User();
user.username = "Admin";
pwd.hash("adminPassword", function(err, salt, hash) {
if (err) {
console.log(err);
}
user.salt = salt;
user.hash = hash;
user.save(function(err) {
if (err) {
console.log(err);
} else {
console.log("user saved");
}
});
});
Now you should have a user with username, encrypted password and hash in your db. To check on login use a middleware function:
function authenticate(name, pass, fn) {
db.User.findOne ({username: name}, function(err, user) {
if (!user) return fn(new Error('cannot find user'));
hash(pass, user.salt, function(err, hash){
if (err) return fn(err);
if (hash == user.hash) return fn(null, user);
fn(new Error('invalid password'));
})
})
}
app.post('/login', function(req, res){
authenticate(req.body.username, req.body.password, function(err, user){
if (user) {
req.session.regenerate(function(){
req.session.user = user;
res.redirect('back');
});
} else {
res.redirect('login');
}
});
});
// middleware
function restrict(req, res, next) {
if (req.session.user) {
next();
} else {
req.session.error = 'Access denied!';
res.redirect('/login');
}
}
// route with restrict middleware
app.get('/restricted', restrict, function(req, res){
res.send('Wahoo! restricted area');
});
Most of the code is taken from the auth example and I added the stuff for mongoose. Hope this helps!
Upvotes: 10
Reputation: 37206
I used this example when learning how to do this with MongoDB and Node:
https://github.com/braitsch/node-login
I think it is a really good isolated example of doing user authentication yourself. It uses bcrypt to hash and salt user passwords. and if you look inside AccountManager you can see how it works with the Mongo database.
However, if you wish to authenticate using other strategies I suggest you check out Passport.js. I haven't had a chance to use it, but I think it looks pretty well developed and simple enough. Perhaps you can update this page with your experience with it.
Upvotes: 3
Related Questions
- Authenticating Username and Password in nodejs with mongodb
- Handling Login Authorization with Node.js
- Authentication Practices with Node Express
- Authorization in node.js
- How do I authenticate with Node.js + Mongoose?
- How to do authentication with Node.js, Express and Mongoose?
- authentication using node.js and mongoose and expressjs and passportjs
- how to create a user with mongoose + express
- checking user auth
- Express + Mongoose login