Node.js use passport with LocalStrategy in Authentication Part 1

        When we implement the authentication of users, it is common to use passport module. It supports different methods of authentication: username and password(local), Bear (token), OAuth(authenicated by another trusted provider, eg Google, Facebook).....

        This post records my learning of using passport with local strategy  as my learning. The completed source code is in github repository.

First, we do the basic setup by applying express and body-parser module. Then we create 3 routes for testing.   

import express from "express";
import bodyParser from "body-parser";

const app = express();

const PORT = 6000;

app.use(bodyParser.urlencoded({extends:false}));
app.use(bodyParser.json());

app.get("/login", (req, res) =>{
return res.send("this is login page. Don't need authentication");
});

app.post("/login", (req, res)=>{
return res.send("POST login route");
});

app.get("/secrets", (req, res) =>{
return res.send("This is secrets page. Access this page after login");
});

app.listen(PORT, () =>
console.log(`start listening to port ${PORT}`)
);

        Use postman to verify the code. It get the correct response when access http:localhost:6000/login

postman get server response succefully 

Module passport and passport-local

        We install npm module passport and passport-local and import them just below body-parser. Instead of implementing multiple concrete authentication methods, module passport only provide the general interface. It helps to keep the program smaller in size as developer only loads the required authentication methods(or  "Strategy" in term of passport) into passport. The strategy defined in passport-local module will take username(or email in some application) and password as credential.

The code show first and explanation follows:

import express from "express";
import bodyParser from "body-parser";
import passport from "passport";
import {Strategy} from "passport-local";

const app = express();

const PORT = 6000;

app.use(bodyParser.urlencoded({extends:false}));
app.use(bodyParser.json());

app.get("/login", (req, res) =>{
return res.send("this is login page. Don't need authentication");
});

app.post(
"/login",
passport.authenticate(
"local",
{
successRedirect: "/secrets",
failureRedirect: "/",
session:false
}
)
);

app.get("/secrets", (req, res) =>{
return res.send("This is secrets page. Access this page after login");
});

app.listen(PORT, () =>
console.log(`start listening to port ${PORT}`)
);


const user = {name: "Tom", password:"123456"};

function getUserInfo(username){
if(username === user.name)
return user;
return null;
}

passport.use(
"local",
new Strategy(
{usernameField: "username", passwordField:"password"},
function verify(username, password, cb){
const userCredentials = getUserInfo(username);
if(!userCredentials)
return cb(null, false, { message:"User does not exist"});
if(password === userCredentials.password){
const userInfo = {};
userInfo.name = userCredentials.name;
//only provide the necessary info to callback function
return cb(null, userInfo);
}

return cb(null, false, {message: "incorrect password"});

}
)
);

       First, look at the code below app.listen() to see how to load the strategy into passport. User object is hard coded here for simplicity(for real case, user information should be stored in database. This will show later.). We load the strategy(authentication method) by calling passport.use() method. The 1st argument gives a name to this strategy. Since we can load multiple strategy into passport, we need a reference name to specify which strategy is used at what condition.

        The local strategy constructor has two arguments: option and verify function. The strategy parse the request body of POST action and pass argument to the verify function. It pass the body's property , which name equal to the value of usernameField as 1st argument of verify function and pass property which name equal to value of passwordField as 2nd argument. The 3rd argument of verify function is callback function. We pass message as 1st argument of the callback function(cb) when there is error. If user is authenticated, we pass user information as 2nd argument of the callback function for later use. We can add a object in the 3rd argument as extra context for application-specific use (e.g message that explain failure reason).

        We now has loaded the local strategy into passport and let's invoke it at the point we want authentication. When client submit username and password to login, the server goes to app.post("/login", .......) this route. Therefore, we call passport.authenticate() method here to execute the authentication process. 1st argument is the name of strategy we want to use (we name it above in the method passport.use()). 2nd argument provide simple operation of the result of authentication process. The property successRedirect is the GET route the server redirect to when authentication success while The property failureRedirect is the GET route when authentication failure. I will talk about session later, set false at this moment for .

The postman result when authentication success :

response when access "/secret" route

 The postman result when authentication fail :

response same as when access GET "/login" route

However, if there is error(1st arugemnt of cb function is not null inside the verify function when creating the local strategy), the server response a html file instead of failureRedirect. Since we hard copy user information, you may wonder why there is error. In real case, we will access database to get user information. Errors may occur at accessing the database.

 The postman result when there is error in cb function. We can use try-catch to handle the exception error for this case.

Postman result when pass a string to 1st arugment of Strategy cb function

You can see the source code (v1.1) up to this moment in github. 

If we want to control how the server respond instead of redirecting another route, please see Part 2 post.

 

 

For more detail, please go to the npm module page of passport and passport-local api.

 

 


 

Comments

Post a Comment

Popular posts from this blog

Use okhttp to download file and show progress bar

Image
  Okhttp also can be used to download files from the internet to the app-specific storage . In this post, download progress is shown by the progress bar. The outcome can be viewed in this link . First, Internet permission is required in the manifest file <uses-permission android :name = "android.permission.INTERNET" /> Then we add the dependency of Okhttp in the module’s build.gradle file. The download process is done in coroutines so kotlinx-coroutines dependency also is required implementation 'com.squareup.okhttp3:okhttp:4.9.3' implementation 'org.jetbrains.kotlinx:kotlinx-coroutines-android:1.7.3' The developer of okhttp library has provided the example for download and get the progress in https://github.com/square/okhttp/blob/master/samples/guide/src/main/java/okhttp3/recipes/Progress.java After studying the code, I implemented it in Kotlin and modified it a bit. A class is created to handle the download. The constructor has CoroutineScope and Prog...
Read more

Download File into app specific storage with Retrofit

Image
  In the previous post , DownloadManager is used to download files into the device’s public directory. If the file contains sensitive data, we hope the file can be saved into the app-specific storage rather than public directory. Therefore, we need another method to download. Retrofit is a type-safe  HTTP client which help us transfer information and data over a network. Dependency Add below dependency into module build.gradle file. implementation( "com.squareup.retrofit2:retrofit:2.9.0" ) implementation( "com.squareup.retrofit2:converter-gson:2.9.0" ) We add codes on the same module of DownloadManager. A button is added next to the DownLoadManager Button. When it is clicked, it will start to download the file using Retrofit. Implementation We first create a interface so that Retrofit can translate the java/Kotlin function to HTTP API.  The notation @Streaming is used for downloading large file so that it would not write too large data into memory at once. The do...
Read more

Unzipp file with Zip4j library

Image
  Java library has a built-in class java.util.zip.ZipFile and java.util.zip.ZipInputSteam. However, those class only can unzip files without a password.  For those zip files with password protected, we use 3rd party library Zip4j I have created a password protected zip file for testing. Structure like this. The name with ‘/’ is a directory. All files are photo in jpg format. Photo2/ 20190314_103435_HDR.jpg 20190314_112925_HDR.jpg 20190314_103702_HDR.jpg primary/ 20190316_121528_HDR.jpg secondary1/ 20190422_155924_HDR.jpg seconday2/ 20190314_103252_HDR.jpg  Test zip file download link: https://drive.google.com/uc?export=download&id=1XDMUGuvOPkTR2TH_Ikb5-2SIR7nXQ6yk Unzip password: aB3d Add dependency in the module gradle. implementation 'net.lingala.zip4j:zip4j:2.11.5' I have created a new module for this practice and copied the code used in the previous practice download file with Okhttp . Three ...
Read more