In this tutorial, you will learn how to implement authentication in Node using Passport and MongoDB.
What Are Authentication and Authorization?
While authentication and authorization are sometimes used interchangeably, these two security concepts have different meanings. Authentication is the process of verifying a user is who they claim to be while authorization is the process of determining whether an authenticated user has access to certain parts of your application.
What Is Passport.js?
Passport.js (or Passport) is an authentication middleware for NodeJS that provides more than 500 strategies for authenticating users including passport-local which uses a username and password.
This tutorial uses passport-local and passport-jwt to secure routes.
How to Set Up User Authentication in NodeJS
Now you know a little about user authentication and Passport.js, we can look at how to set up authentication on NodeJS. Below, we’ve outlined the steps you’ll need to take.
Step 1: Set Up a Node Server
Create a folder named user-auth-nodejs and navigate to it using your terminal.
Next initialize package.json.
Since you will be using Express, a NodeJS backend framework, install it by running the following command.
Now create a file, app.js, and add the following code to create the server.
Step 2: Set Up the Database
You need a database to store user data. You will use mongoose to create a MongoDB data schema that defines the structure and type of data you will store in the database. Since you are storing user data, create a user schema.
Install mongoose.
Create a new file, userModel.js, and add the following.
Before storing the password, you need to encrypt it for security purposes. You will use bcryptjs, a very useful npm package that makes working with encrypted passwords easy.
Install bcryptjs.
Modify usermodel.js to encrypt the password before saving it to the database.
Here you are using a pre save hook to modify the password before it is saved. The idea is to store the hash version of the password instead of the plain text password. A hash is a long complex string generated from a plain text string.
Use isModified to check whether the password is changing since you only need to hash new passwords. Next, generate a salt and pass it with the plain text password to the hash method to generate the hashed password. Finally, replace the plain text password with the hashed password in the database.
Create db.js and configure the database.
In app.js, connect to the database.
Step 3: Set Up Passport
Install Passport and passport-local. You will use these packages to register and login users.
Create a new file, passportConfig.js, and import passport-local and the userModel.js.
Configure Passport to handle user registration.
In the above code, you are checking if the email is already in use. If the email does not exist, register the user. Note that you are also setting the username field to accept an email. By default, passport-local expects a username, so you need to tell it you are passing in an email instead.
Use passport-local to also handle user login.
Here, check whether the user exists in the database, and if they do, check if the password provided matches the one in the database. Note you also call the matchPassword() method on the user model so go to userModel.js file and add it.
This method compares the password from the user and the one in the database and returns true if they match.
Step 4: Set Up Authentication Routes
You now need to create the endpoints to which users will send data. First up is the signup route which will accept the email and password of a new user.
In app.js, use the passport authentication middleware you just created to register the user.
If successful, the signup route should return the created user.
Next, create the login route.
Step 5: Add Protected Routes
So far, you have used Passport to create a middleware that registers a user in the database and another that allows a registered user to sign in. Next, you will create an authorization middleware to protect sensitive routes using a JSON web token(JWT). To implement JWT authorization, you need to:
Generate JWT token. Pass the token to the user. The user will send it back in authorization requests. Verify the token sent back by the user.
You will use the jsonwebtoken package to handle JWTs.
Run the following command to install it.
npm i jsonwebtoken
Next, generate a token for each user that successfully logs in.
In app.js, import jsonwebtoken and modify the login route like below.
In a real-life application, you would use a more complicated secret key and store it in a configuration file.
The login route returns a token if successful.
Use passport-jwt to access protected routes.
In passportConfig.js, configure the passport-jwt.
Notice you are extracting the JWT from the authorization header instead of the request body. This prevents hackers from intercepting a request and grabbing the token.
To see how passport-jwt guards routes, create a protected route in app.js.
Only a request with a valid JWT returns the user data.
Now You’re Ready to Take Your User Authentication to the Next Level
In this tutorial, you learned how you can authenticate users using an email and a password with the help of Passport. It might seem daunting at first, but the process is relatively straightforward. You can go even further and use third-party identity providers supported by Passport such as Twitter, Facebook, and Google.
