Best way to handle authentication in Express?

Question

I recently watched a tutorial going over how to handle authentication in a node app with Express and MongoDB. It used sessions and cookies. That tutorial didn't discuss some significant concerns of mine such as how to handle password reset and rate limiting login requests. Upon further searching, I wasn't able to find any good tutorial or solution that would handle what I assume is pretty much required for every nodejs app that authenticates. I found JWT tokens and passport as other options, but am not sure how these fit into what I just learned with sessions and cookies. I do not need login with social media, just basic email password combo. Any direction that you can point me would be helpful. These aren't problems that I want to try to solve myself considering I'm dealing with security. I'm just frustrated that there isn't a single good tutorial/solution that handles all of the major things needed for a nodejs app that authenticates. Suggestions on what to do now?

Answer 1

To solve just this issue, I created an npm package that handles everything from hashing to jwt tokens to database management. You can easily authenticate your users using authenticate js. Here is the link to the package:

https://www.npmjs.com/package/authenticatejs

You can login, register and check if a user is logged in by just calling these functions in authenticatejs.

Answer 2

I faced the same issue my self, and this is what I ended up with (I'm sure it's not perfect but it works and I am constantly changing and improving.)

ANSWER:

Registration -

Just make sure that all the data you need is provided (validated), hash the password and save the new user to your DB

router.post('/register', (req, res)=>{

//data validations

//add user to database (hash password etc.)


   res.json({ok:1})
})

Login:

1. On login (assuming a user entry already exists in your datastore) I get the user, make sure it exists and the password (token\apikey etc.) provided matches the one in the DB and pass it on to the next middlewear function.
2. using the data from the user I generate a JWT token with the data I am interested in keeping in the JWT payload and sign using jsonwebtoken NPM module.
3. I send it back to the client. On the client I save the token locally and send it with to my express app as the header of any request that needs auth validations).

something like this:

router.post('/login', getUser, (req, res)=>{
    //getUser finds the user and attaches it to the req object

//put whatever you want in payload
  let payload = {username: req.user.name, uid: req.user.uid, role: req.user.role};
        let token = jwt.sign(payload, <secretOrKey>,
     {expiresIn: 60 * 60 * 24 * 7});
        res.json({ok: 1, token: token});


});

Request authentication

1. Get the token from the request header.
2. validate it using the jsonwebtoken
3. continue to next function or return error

The route will look Something like this:

req.get(`some/request/that/needs/auth`, isAuthenticated, (req,res)=>{
        //do what ever...

   });

isAuthenticated:

//---isAuthenticated
    function isAuthenticated(req, res, next){
const token = req.headers['<jwt token bearer>'];

    jwt.verify(token, 'your secret', function(err, decoded) {
     if (err){next(err)}
else {
req.user = decoded;
 next();}
});
    }

One final note:

I am aware this is far from perfect. For me this is still a work in progress to try to create a "best practice" auth mechanism. I wrote this answer as reference for beginner devs (such as myself) to try and provide a general overview about this use case (in expressJS). Hope this helps.

Some reading material (tutorials):

1. https://scotch.io/tutorials/authenticate-a-node-js-api-with-json-web-tokens
2. https://www.codementor.io/olatundegaruba/5-steps-to-authenticating-node-js-with-jwt-7ahb5dmyr
3. https://medium.freecodecamp.org/securing-node-js-restful-apis-with-json-web-tokens-9f811a92bb52