w3_4_TokenBasedAuthentication
Token Based Authentication
--------------------------
Cookies + Session Authentication
--------------------------------
-> Cookies set on the client side by the server;
-> Cookies used as storage for a session ID that is used as an index into the server-side storage of session information;
-> Becomes unscalable when it is required to track a million plus users on the server side;
-> Needs to support multiple client devices;
-> In cookie-based authentication the user identifies themselves with the username and password and the server will set the cookie on the client side;
Why Token-Based Authentication? (Problems with cookie-based authentication)
---------------------------------------------------------------------------
-> Session authentication becomes a problem when we need stateless servers and scalability;
-> Mobile application platforms have a hard time handling cookies/ sessions;
-> Sharing authentication with other applications is not feasible;
-> Cross-origin resource sharing (CORS) problem;
-> Cross-site request forgery (CSRF);
Token Based Authentication
----------------------------
i. User requests access with their username and password.
ii. Server validates credentials;
iii. Server creates a signed token and sends it to the client; Nothing stored on the server;
iv. All the subsequent requests from the client should include the token;
v. Server verifies the token and responds with data if validated;
JSON Web Tokens (JWT)
-----------------------
-> Web standard for tokens;
-> standards based: IETF RFC 7519* (Internet Engineering Task Force Request For Comments)
-> self-contained : carry all the information necessary within itself;
-> shareable : can share it with other applications to act on your behalf;
------------------------------------------------------------------------------
Header | Payload | Signature
--------------------------------------------------------------------------------
* Header
------------
{
  "typ" : "JWT",
  "alg" : "HS256"   // signing algorithm (HMAC with SHA-256); the token is signed, not encrypted
}
* Payload   // information carried by the JSON token
------------
{
  "$__": {
  }
  ...
  "_doc": {   // carries the user information
  }
  ...
}
* Signature
---------------
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)
jsonwebtoken Node Module
---------------------------
-> Implementation of JSON Web Token support;
npm install jsonwebtoken --save
-> Provides several methods:
- sign() for signing and issuing a token;
- verify() for verifying and decoding a token and making it available on the request property in Express;
Passport
---------
-> Authentication middleware for Node.js;
-> Modular, flexible;
-> Supports various strategies for authentication:
* Local strategy (authenticate users locally using username and password);
* OpenID
* OAuth (Facebook, Twitter, G+ etc.) single sign-on
-> Installing
npm install passport --save
Passport manages a lot of the intricacies related to user authentication;
Passport-Local
--------------
-> Passport strategy for authenticating a user with username and password;
-> Installing: npm install passport-local --save
Passport-Local-Mongoose
-------------------------
-> Mongoose plugin to simplify username and password login;
-> npm install passport-local-mongoose --save
-> Makes Mongoose schema support available for managing users;