Aerodynamika

Reputation: 8413

Why everyone uses MongoDB for user authentication with Node.Js and Express

Almost every example I find for local authentication strategy combining Node.Js / Express.Js and Passport (or other popular modules) uses MongoDB.

I was wondering if anybody could tell me what the advantages of this combination are, and whether there are other, lighter databases to use. For example, is there any example of anyone using Redis for this sort of thing? Or why not just use MySQL for user management?

Upvotes: 0

Views: 2141

Answers (1)

The Real Bill

Reputation: 15793

While there is nothing wrong with using Redis as a user database per se (yes, it is a production DB, not "just a cache"), that doesn't mean it is a good idea - at least not without additional work.

The protocol your app would use to communicate with a Redis server is a plain text, unencrypted protocol. Thus by default you would be sending user authentication information over the wire in the clear.

You could, and should, work around this a bit by encrypting the user credentials - to include the username, prior to storing them in Redis. Alternatively you would need to set up an stunnel layer to encrypt the transmission entirely (though you would still be well advised to encrypt user passwords in the DB regardless of solution).

Doing this is possible, but complex. In my opinion this would negate the natural simplicity of Redis in the first place. It also adds a point of failure - the stunnel setup.

That said, if you were to nonetheless pursue such a route, the use of Redis would confer some nice benefits such as simple and easy-to-use user metrics tracking, session storage, etc. using the same layer and infrastructure. You could even integrate Redis' pub/sub feature for triggering events on user login attempts. Of course, you could implement all of these and still use a dedicated authentication system for user authentication such as LDAP, PAM-based setups, PostgreSQL with SSL, etc.

As for what the data structure would look like in Redis, off the top of my head I would think something along the lines of a hash for each user where the username is the key, and the password (encrypted of course) and items such as given name, surname, email address, last login time, etc. would each be fields in the hash. You could even make use of HINCRBY to include login attempts and failed login attempts values in the user hash.

If you needed to create groups or roles, you would define a hash for the group or role, then use a set to handle group/role membership.

For documentation on using hashes in Redis see the Redis Hash Documentation. For setting up Redis with an stunnel layer between server and proxy, try this tutorial.

Upvotes: 1
