In the previous lessons,
we have seen various strategies for user authentication.
We started with basic authentication,
and then moved on to cookies and express sessions
as a way of authenticating and tracking users.
In this lesson we will look at Passport,
a node module that makes authentication quite easy,
unobtrusive, and straightforward to configure in your application.
Passport is nothing but an authentication middleware which supports
various strategies that can be used for user authentication,
including a local strategy like using username and password,
or even third party authentication or using OAuth or OAuth 2.0,
like using Facebook, Twitter,
or Google+, and so on.
We will look at some details about Passport,
the local authentication supported Passport.
And in the exercise that follows,
we will update our application to make use of
Passport and Passport-Local Node modules to enable.
local authentication using username and password.
So, as I stated a little bit earlier,
Passport is a very useful authentication middleware for Node.js applications.
It makes it simpler to implement authentication.
As we have seen in the previous exercises,
authentication involves a lot of repetitive code and repetitive tasks handling errors
and devising ways of checking
the user authentication and then authenticating the user and so on.
All this is simplified within Passport using
various strategies that can be used for authenticating users.
You can use a local strategy for example which is based upon
registering users into your system using a username and password,
and then thereafter authenticating them using the username and password.
Passport also supports OpenID based authentication
or OAuth or OAuth 2.0 based authentication,
as is supported by third party authenticators like Facebook,
Twitter, Google+, and so on.
We can also use what is called as
JSON web tokens as another way of authentication called token-based authentication.
We'll look at token-based authentication in the later part of this lesson.
Also, Passport supports sessions.
As we have seen in the previous exercise and the previous lesson,
express sessions are a easy way of tracking users on
the server side and being able to service incoming requests from clients.
To make use of Passport, of course,
we'll install the Passport module.
We'll also, in the exercise that follows,
install the Passport-Local module for
providing the local strategy for user authentication.
The use of Passport within our application is fairly straight forward.
On the routes on which we want to perform authentication,
we just specify passport authenticate and then specify
the specific authentication strategy that we want to use for the user authentication.
As an example here,
you see that we are applying
a local authentication by saying passport authenticate and local.
And so it uses the local strategy for authenticating the users.
If the authentication is successful,
then the middleware moves on to the next step,
where we can further process the incoming request.
So, upon completion of the successful authentication of the user passport,
Passport itself adds a user property to the request message.
So req.user becomes available for us with the user's information in there,
which we can subsequently use within
our express application to handle the request coming from specific users.
So this easily helps us to identify which client sent the request to
our application and consequently service
the request accordingly based upon the user's identity.
Together with Passport, we will install
another Passport related module called Passport-Local.
Passport-Local supports a strategy called as
the local strategy for authenticating users
with the standard username password combination.
So we set up the user schema,
as we did before,
and then use the user schema or model to track the username and
password and then Passport-Local depends upon that to verify the username and password.
So, to install it again,
being a Node module,
we install it using the standard procedure for installing the Passport-Local Node module.
Once the Passport-Local Node module is installed,
then we need to specify the local strategy and how it is actually used within Passport.
So, to specify a local strategy, we'll say;
passport.use, and so this will allow us to specify the local strategy to use.
So, having installed the Passport-Local,
we will declare a new local strategy and then supply
the corresponding verification function that is used for verifying the user.
If you are using a MongoDB as the back-end store, then,
to help us with Passport-Local strategy,
there is another module called as Passport-Local Mongoose.
The Passport-Local Mongoose module provides
a Mongoose plugin which will simplify the username and password login.
By installing the Passport-Local Mongoose plugin and
then using it when we define the user schema and the model,
and thereby using the support of the Passport-Local Mongoose module,
this mongoose plugin adds in the username and
a encrypted way of storing the password within our user model.
The encryption is done by using hashing
on the password that we use for registering users,
and the hash itself uses a salt field.
So if you know anything about cryptography, in cryptography,
the salt is a random string that is used for performing
the hashing operation on the password for storing.
So the hashed password is itself actually stored in our MongoDB database.
The actual password is not stored.
So, when the user tries to authenticate using the username and password,
the password will be hashed again and then compared with
the hashed passwords stored in our database and this is
all provided by the Mongoose plugin, the Passport-Local Mongoose.
In addition, the Passport-Local Mongoose also adds in additional methods that
are very useful for configuring the Passport-Local strategy.
So within our application when we define the user schema and the model,
we will import the Passport-Local Mongoose and then add
in as the plugin for the user schema.
This Passport-Local Mongoose module automatically
as I said adds the username field and also
a hashed password storage field using a salt value that it uses for doing the hashing,
and also provides additional methods that enable us
to configure our Passport-Local strategy.
If we are using the Passport-Local Mongoose module,
then the local strategy,
the Passport-Local Mongoose plugin supports on
the user model an authenticate method that will automatically do the authentication.
In the earlier slide I had shown you how we would implement the local strategy.
Now this is automatically provided for you by Passport-Local Mongoose
by simply saying new localstrategy user.authenticate.
Then we don't need to explicitly write the authentication code for the local strategy.
Also if you are using sessions that are supported by Passport,
then, for supporting sessions,
the user information needs to be serialized to
be stored with the session information on the server side and then,
when the request comes in,
from the session ID,
the user information needs to be deserialized to extract
the user information from our session information that is stored on the server side.
Now this serialization and
deserialization operation is already supported by Passport-Local Mongoose through
the serialize user and
the deserialize user methods that are available from the Passport-Local Mongoose plugin.
So having seen this,
we will now see in the exercise how easy it is to configure
local strategy for authenticating users using Passport,
Passport-Local, and Passport-Local Mongoose Node modules.