Node.js With MongoDB Authentication

Node.js With MongoDB Authentication

Authentication is an important issue when creating a dynamic web application. This article should clear things up and provide a basic introduction to Authentication with with Node.js and MongoDB

Authentication is an important issue when creating a dynamic web application. This article should clear things up and provide a basic introduction to Authentication with with Node.js and MongoDB

⚠️ 🔴 Warning: I wrote this tutorial in my earlier days when I started to code. Please be aware that this article is NOT kept up-to-date, as I cannot catch up with all the changes in the frameworks, libraries, etc in my articles. There was a security issue with the password conf, which I have removed (thanks to all the comments). Please check the comments section of this article to see some questions and their answers.

If you want to improve the article, you can open a PR on my Github repository. Just add or re-write the parts that are too complicated. Please send me an email and I will merge and add you as an author. :)

Thanks a lot, keep learning and stay motivated ⭐️

➡️ Github Repo is available here ⬅️

📄 Table of contents

  • Authentication?
  • What I will use for this introduction
  • Development Environment
  • Dependencies
  • Structure
  • User registration
  • Connect to MongoDB
  • Create a schema
  • Insert data into MongoDB
  • Hashing and salting
  • Sessions and Cookies
  • Set up Sessions
  • Refining the app
  • Creating custom middleware
  • A note on scalability with sessions
  • Wrap up
  • Conclusion


Authentication is for identifying users and provide different access rights and content depending on their id. In most cases the application provides a login form with certain credentials to verify a user.

It’s necessary to understand:

  • authentication as
  • authorization as
  • a session
  • cookies

    What I will use for this introduction

    Development Environment

In this example here I will use

for writing the authentication.

For the login mask I will use the awesome template from w3layouts.


Following packages are used

  • body-parser (for parsing incoming requests)
  • express (to make the application run)
  • nodemon (restarting server when changes occur)
  • mongoose (object data modeling to simplify interactions with MongoDB)
  • bcrypt (for hashing and salting passwords)
  • express session (to handle sessions)
  • connect-mongo (for storing sessions in MongoDB)


The tutorial will be structured in:

  • User registration (setting up routes and database)
  • Sessions and Cookies (connecting them to login routes)
  • Creating custom middleware (to improve the performance)

    User registration

I’ll start with a basic express starter setup, which simply creates a webserver and serves the static files from the template on the home route. (see on Github commit)

Connect to MongoDB

  • install Mongoose
  • install mongodb
  • setup up mongod if you haven’t (tutorial)
  • be sure to start nodemon again with the running mongod on localhost!

    Create a schema

MongoDB is a document database, which stores JSON like objects. The model/schema describes what this objects should contain.

  • create a schema according to the docs and store it in an own folder
  • the schema should describe the fields we have in our form and specify the data it can expect

It should look something like this:

var mongoose = require('mongoose');
var UserSchema = new mongoose.Schema({
  email: {
    type: String,
    unique: true,
    required: true,
    trim: true
  username: {
    type: String,
    unique: true,
    required: true,
    trim: true
  password: {
    type: String,
    required: true,
var User = mongoose.model('User', UserSchema);
module.exports = User;

Insert data into MongoDB

  • add body-parser for parsing incoming request bodies in a middleware
  • create a POST route for sending the data to the server
  • store the values of the filled out form and store the data in the db with the schema
  • it should look like this:
if ( &&
  req.body.username &&
  req.body.password &&
  req.body.passwordConf) {
  var userData = {
    username: req.body.username,
    password: req.body.password,
  //use schema.create to insert data into the db
  User.create(userData, function (err, user) {
    if (err) {
      return next(err)
    } else {
      return res.redirect('/profile');
  • use the mongo shell to see if your data has been saved to the database (it should show a document in db.users.find() )

    Hashing and salting

Cryptographic hash functions take a piece of information and return a string, representing this information. Hash values cannot easily be “unhashed” or decrypted and that’s why they are a perfect fit for passwords.

Salt values are random data that is included with the input for the hash function.

In this tutorial we are using bcrypt.

So next:

  • install the bcrypt package
  • add a prehook to your mongoose schema. should look like this:
//hashing a password before saving it to the database
UserSchema.pre('save', function (next) {
  var user = this;
  bcrypt.hash(user.password, 10, function (err, hash){
    if (err) {
      return next(err);
    user.password = hash;
  • test with mongod if the new data is inserted with a hashed password (it should work)

Compare with my working commit if needed.

⭐ You have just reached 50% of the whole app and the hardest part is already finished! — Keep up! 🚀## Sessions and Cookies

HTTP is a stateless protocol, which means that web servers don’t keep track of who is visiting a page. Displaying specific content to logged-in users require this tracking. Therefore sessions with a session ID are created. Cookies are key/value pairs managed by browsers. Those correspond with the sessions of the server.

Set up Sessions

  • add the express session package
  • add the session middleware in your app. A simple one looks like that:
//use sessions for tracking logins
  secret: 'work hard',
  resave: true,
  saveUninitialized: false
  • store the MongoDB userId (_id) in the req.session.userId
  • setup the login route the same way you set up the register route (in the login you only have the username and password)
  • authenticate the input against the data in the database in the user schema. It should look like this:
//authenticate input against database
UserSchema.statics.authenticate = function (email, password, callback) {
  User.findOne({ email: email })
    .exec(function (err, user) {
      if (err) {
        return callback(err)
      } else if (!user) {
        var err = new Error('User not found.');
        err.status = 401;
        return callback(err);
      }, user.password, function (err, result) {
        if (result === true) {
          return callback(null, user);
        } else {
          return callback();

❗ Take your time to understand this block of code, since it is the key function in the whole authentication process in my opinion!

⭐ Now at this point your actual authentication is working. Congratulation! Compare with my working commit if needed.

Refining the app

  • make sure to adapt your layout accordingly to the sessions (hiding register fields and providing logout buttons)
  • create a middleware to make user IDs available in HTML
  • create a logout route that destroys the session id and redirects back to the home route. It can look like this:
// GET /logout
router.get('/logout', function(req, res, next) {
  if (req.session) {
    // delete session object
    req.session.destroy(function(err) {
      if(err) {
        return next(err);
      } else {
        return res.redirect('/');

There is much more to add but logging out and destroying the session is important for each authentication system! That’s why I’ve included it here as well.

Creating custom middleware

Middleware runs after a request is received, but before a response is sent back. In this example the body-parser package is used as middleware. It converts incoming requests into a format that is easy to use for a JS program.

Middleware functions can be chained after each other and fit into the request/response cycle of the application. When writing custom middleware, next() always has to be called at the end of that middleware to move to the next one in the cycle.

Middleware can be used in many cases in this example, however, for simplicity reasons, I just reference an example to give an idea.

Example: Creating middleware that requires a login for certain pages.

function requiresLogin(req, res, next) {
  if (req.session && req.session.userId) {
    return next();
  } else {
    var err = new Error('You must be logged in to view this page.');
    err.status = 401;
    return next(err);
router.get('/profile', mid.requiresLogin, function(req, res, next) {

Writing your own middleware gives you the freedom for ultimate flexibility when refining authentication routes.

A note on scalability with sessions

Currently sessions are stored in RAM. To store have more size we can connect the session store to MongoDB. I’ll use the connect-mongo package for that.

  • simply add the store like instructed on their docs. It should now look like this:
//use sessions for tracking logins
  secret: 'work hard',
  resave: true,
  saveUninitialized: false,
  store: new MongoStore({
    mongooseConnection: db
  • when checking with the mongo shell you should see how the new collection “sessions” is created. When logging in or out the data in that collection changes accordingly.

    Wrap up

  • always make sure to transfer credentials in an encrypted way from the browser to the server and backwards
  • be sure to add a security certificate to your HTTP (HTTPS)
  • keep in mind that this way (with sessions and cookies) was only one way to authenticate, others are for example
  • token based authentication with OAuth or JSON Web Tokens
  • or with the passport middleware

Preview of the login/register mask

Checkout my repo on github for the code.


That’s how easy an authentication system can be implemented with Node.js and MongoDB.

If you want to follow along with my Github repo, be aware that I was refactoring my files constantly to fix issues and improve. So I’d suggest to just look at the finished version. Also note that my current develop environment is not optimized — I just started with VS Code and didn’t set up a lot, which is why many errors are overseen. It was more of a quick introduction to get the point about authentication across.

node-js mongodb

Bootstrap 5 Complete Course with Examples

Bootstrap 5 Tutorial - Bootstrap 5 Crash Course for Beginners

Nest.JS Tutorial for Beginners

Hello Vue 3: A First Look at Vue 3 and the Composition API

Building a simple Applications with Vue 3

Deno Crash Course: Explore Deno and Create a full REST API with Deno

How to Build a Real-time Chat App with Deno and WebSockets

Convert HTML to Markdown Online

HTML entity encoder decoder Online

How to Use Express.js, Node.js and MongoDB.js

In this post, I will show you how to use Express.js, Node.js and MongoDB.js. We will be creating a very simple Node application, that will allow users to input data that they want to store in a MongoDB database. It will also show all items that have been entered into the database.

How to Hire Node.js Developers And How Much Does It Cost?

A Guide to Hire Node.js Developers who can help you create fast and efficient web applications. Also, know how much does it cost to hire Node.js Developers.

Build a REST API using Node.js, Express.js, Mongoose.js and MongoDB

Node.js, Express.js, Mongoose.js, and MongoDB is a great combination for building easy and fast REST API. You will see how fast that combination than other existing frameworks because of Node.js is a packaged compilation of Google’s V8 JavaScript engine and it works on non-blocking and event-driven I/O. Express.js is a Javascript web server that has a complete function of web development including REST API.

Hands on with Node.Js Streams | Examples & Approach

The practical implications of having Streams in Node.js are vast. Nodejs Streams are a great way to handle data chunks and uncomplicate development.

Node.js Performance: Node.js vs. Io.js

You may already be aware that Raygun uses Node.JS for our API nodes that receive your precious crash reporting data (we also do node.js crash reporting if you’re interested). We’ve peaked in the past at more than 110,000 requests per second coming...