Authentication is an important issue when creating a dynamic web application. This article should clear things up and provide a basic introduction to Authentication with with Node.js and MongoDB
⚠️ 🔴 Warning: I wrote this tutorial in my earlier days when I started to code. Please be aware that this article is NOT kept up-to-date, as I cannot catch up with all the changes in the frameworks, libraries, etc in my articles. There was a security issue with the password conf, which I have removed (thanks to all the comments). Please check the comments section of this article to see some questions and their answers.
If you want to improve the article, you can open a PR on my Github repository. Just add or re-write the parts that are too complicated. Please send me an email and I will merge and add you as an author. :)
Thanks a lot, keep learning and stay motivated ⭐️
➡️ Github Repo is available here ⬅️
Authentication is for identifying users and provide different access rights and content depending on their id. In most cases the application provides a login form with certain credentials to verify a user.
It’s necessary to understand:
In this example here I will use
for writing the authentication.
For the login mask I will use the awesome template from w3layouts.
Following packages are used
The tutorial will be structured in:
I’ll start with a basic express starter setup, which simply creates a webserver and serves the static files from the template on the home route. (see on Github commit)
MongoDB is a document database, which stores JSON like objects. The model/schema describes what this objects should contain.
It should look something like this:
var mongoose = require('mongoose');
var UserSchema = new mongoose.Schema({
email: {
type: String,
unique: true,
required: true,
trim: true
},
username: {
type: String,
unique: true,
required: true,
trim: true
},
password: {
type: String,
required: true,
}
});
var User = mongoose.model('User', UserSchema);
module.exports = User;
if (req.body.email &&
req.body.username &&
req.body.password &&
req.body.passwordConf) {
var userData = {
email: req.body.email,
username: req.body.username,
password: req.body.password,
}
//use schema.create to insert data into the db
User.create(userData, function (err, user) {
if (err) {
return next(err)
} else {
return res.redirect('/profile');
}
});
}
db.users.find()
)Cryptographic hash functions take a piece of information and return a string, representing this information. Hash values cannot easily be “unhashed” or decrypted and that’s why they are a perfect fit for passwords.
Salt values are random data that is included with the input for the hash function.
In this tutorial we are using bcrypt.
So next:
//hashing a password before saving it to the database
UserSchema.pre('save', function (next) {
var user = this;
bcrypt.hash(user.password, 10, function (err, hash){
if (err) {
return next(err);
}
user.password = hash;
next();
})
});
Compare with my working commit if needed.
⭐ You have just reached 50% of the whole app and the hardest part is already finished! — Keep up! 🚀## Sessions and Cookies
HTTP is a stateless protocol, which means that web servers don’t keep track of who is visiting a page. Displaying specific content to logged-in users require this tracking. Therefore sessions with a session ID are created. Cookies are key/value pairs managed by browsers. Those correspond with the sessions of the server.
//use sessions for tracking logins
app.use(session({
secret: 'work hard',
resave: true,
saveUninitialized: false
}));
_id
) in the req.session.userId
//authenticate input against database
UserSchema.statics.authenticate = function (email, password, callback) {
User.findOne({ email: email })
.exec(function (err, user) {
if (err) {
return callback(err)
} else if (!user) {
var err = new Error('User not found.');
err.status = 401;
return callback(err);
}
bcrypt.compare(password, user.password, function (err, result) {
if (result === true) {
return callback(null, user);
} else {
return callback();
}
})
});
}
❗ Take your time to understand this block of code, since it is the key function in the whole authentication process in my opinion!
⭐ Now at this point your actual authentication is working. Congratulation!
Compare with my working commit if needed.
// GET /logout
router.get('/logout', function(req, res, next) {
if (req.session) {
// delete session object
req.session.destroy(function(err) {
if(err) {
return next(err);
} else {
return res.redirect('/');
}
});
}
});
There is much more to add but logging out and destroying the session is important for each authentication system! That’s why I’ve included it here as well.
Middleware runs after a request is received, but before a response is sent back. In this example the body-parser package is used as middleware. It converts incoming requests into a format that is easy to use for a JS program.
Middleware functions can be chained after each other and fit into the request/response cycle of the application. When writing custom middleware, next()
always has to be called at the end of that middleware to move to the next one in the cycle.
Middleware can be used in many cases in this example, however, for simplicity reasons, I just reference an example to give an idea.
Example: Creating middleware that requires a login for certain pages.
function requiresLogin(req, res, next) {
if (req.session && req.session.userId) {
return next();
} else {
var err = new Error('You must be logged in to view this page.');
err.status = 401;
return next(err);
}
}
router.get('/profile', mid.requiresLogin, function(req, res, next) {
//...
});
Writing your own middleware gives you the freedom for ultimate flexibility when refining authentication routes.
Currently sessions are stored in RAM. To store have more size we can connect the session store to MongoDB. I’ll use the connect-mongo package for that.
//use sessions for tracking logins
app.use(session({
secret: 'work hard',
resave: true,
saveUninitialized: false,
store: new MongoStore({
mongooseConnection: db
})
}));
Preview of the login/register mask
Checkout my repo on github for the code.
That’s how easy an authentication system can be implemented with Node.js and MongoDB.
If you want to follow along with my Github repo, be aware that I was refactoring my files constantly to fix issues and improve. So I’d suggest to just look at the finished version. Also note that my current develop environment is not optimized — I just started with VS Code and didn’t set up a lot, which is why many errors are overseen. It was more of a quick introduction to get the point about authentication across.
#node-js #mongodb