Node.js use passport with LocalStrategy in Authentication Part 3

Add Session      

       In this post, we will use passport Local Strategy combined with Session to store user status. We will start from the result in part 1 (use passport default manner). We can remind the usage of session in the post cookie and session.

        As far as I learn, the workflow of Passport and Session will be like below picture. Passport has serialized the userInfo that you passed into the callback(cb) in Strategy verify function. The information is saved into server session storage. When the user access the server later, the server retrieve user content in session storage according to the session ID in the cookie of user request. Passport automatically deserialize the content and load it to req.user (1st argument of handler of route). Then we can access user information in the body of the handler function.


        To implement, first we install the session module npm install express-session. Then, we import the session and add into express as middleware (app.use()). We can find the meaning of each property that passed to session in express-session website. We have to care for the session storage. The default way here is only for development and demonstration. We should specify the storage (regis, sqlite...) in production and release. We enable the passport to use session in authentication. The code now change to follows.

import express from "express";
import bodyParser from "body-parser";
import passport from "passport";
import {Strategy} from "passport-local";
import session from "express-session";

const app = express();

const PORT = 6000;

app.use(bodyParser.urlencoded({extends:false}));
app.use(bodyParser.json());

app.use(session({
secret: 'you should keep this in secret',
resave: false,
saveUninitialized: false,
}));

app.use(passport.authenticate('session'));

        Next, we need to implement passport.serializeUser() and passportdeserializeUser() method so that passport module can save user information into session after authentication and retrieve information back from session when the user request service afterward. 

         You have chance to select what property is going to be stored in the session in serializeUser() function.

passport.serializeUser(function(user, cb) {
process.nextTick(function() {
cb(null, { id: user.id, name: user.name });
});
});


passport.deserializeUser(function(user, cb) {
process.nextTick(function() {
return cb(null, user);
});
});

 The last thing, we need to delete the session:false property in the passport.autenticate() function. Now the passport can save userInfo to session. 

app.post(
"/login",
passport.authenticate(
"local",
{
successRedirect: "/secrets",
failureRedirect: "/login",
//session:false
}
)
);

I have modified the handler body of app.get("/secrets"). It will print the content of session in server console and return message contained user id and user name to the client.

app.get("/secrets", (req, res) =>{
console.log(req.session);
return res.send("This is secrets page. User " + req.user?.id
+ " name " + req.user?.name + " has access this route");
});

 Here is the console of server

Session has a property named "passport", which is a object having "user" object
 and  feedback of postman.

Postman receive message that have user id and user name

        We can find the code(file v2.1) in github that used at this stage.

Restrict access for some pages

         Now we can check the client if it has logined before by checking the content of req.user. This allow us to restrict anonymous access to some API service.

        From code v2.1, we can receive the secrets page message even we haven't login before (delete postman cookie and request GET /secrets again). We want to protect this route. We just call req.isAuthenticated() to check if the client has login before or not. isAuthenticated() return true if req.user has user property.

app.get("/secrets", (req, res) =>{
if(!req.isAuthenticated())
return res.redirect("/login");
console.log(req.session);
return res.send("This is secrets page. User " + req.user?.id
+ " name " + req.user?.name + " has access this route");
});

         Now, the server to redirect to GET /login and return login message to us when we call GET /secrets before login.

        You can find the code(v2.2) for this version in github.

 To find more explanation and example in passport website

Comments

Post a Comment

Popular posts from this blog

Use okhttp to download file and show progress bar

Image
  Okhttp also can be used to download files from the internet to the app-specific storage . In this post, download progress is shown by the progress bar. The outcome can be viewed in this link . First, Internet permission is required in the manifest file <uses-permission android :name = "android.permission.INTERNET" /> Then we add the dependency of Okhttp in the module’s build.gradle file. The download process is done in coroutines so kotlinx-coroutines dependency also is required implementation 'com.squareup.okhttp3:okhttp:4.9.3' implementation 'org.jetbrains.kotlinx:kotlinx-coroutines-android:1.7.3' The developer of okhttp library has provided the example for download and get the progress in https://github.com/square/okhttp/blob/master/samples/guide/src/main/java/okhttp3/recipes/Progress.java After studying the code, I implemented it in Kotlin and modified it a bit. A class is created to handle the download. The constructor has CoroutineScope and Prog...
Read more

Download File into app specific storage with Retrofit

Image
  In the previous post , DownloadManager is used to download files into the device’s public directory. If the file contains sensitive data, we hope the file can be saved into the app-specific storage rather than public directory. Therefore, we need another method to download. Retrofit is a type-safe  HTTP client which help us transfer information and data over a network. Dependency Add below dependency into module build.gradle file. implementation( "com.squareup.retrofit2:retrofit:2.9.0" ) implementation( "com.squareup.retrofit2:converter-gson:2.9.0" ) We add codes on the same module of DownloadManager. A button is added next to the DownLoadManager Button. When it is clicked, it will start to download the file using Retrofit. Implementation We first create a interface so that Retrofit can translate the java/Kotlin function to HTTP API.  The notation @Streaming is used for downloading large file so that it would not write too large data into memory at once. The do...
Read more

Unzipp file with Zip4j library

Image
  Java library has a built-in class java.util.zip.ZipFile and java.util.zip.ZipInputSteam. However, those class only can unzip files without a password.  For those zip files with password protected, we use 3rd party library Zip4j I have created a password protected zip file for testing. Structure like this. The name with ‘/’ is a directory. All files are photo in jpg format. Photo2/ 20190314_103435_HDR.jpg 20190314_112925_HDR.jpg 20190314_103702_HDR.jpg primary/ 20190316_121528_HDR.jpg secondary1/ 20190422_155924_HDR.jpg seconday2/ 20190314_103252_HDR.jpg  Test zip file download link: https://drive.google.com/uc?export=download&id=1XDMUGuvOPkTR2TH_Ikb5-2SIR7nXQ6yk Unzip password: aB3d Add dependency in the module gradle. implementation 'net.lingala.zip4j:zip4j:2.11.5' I have created a new module for this practice and copied the code used in the previous practice download file with Okhttp . Three ...
Read more