How to use passport.js to control access using the database and express.js middleware.
How to make login logic and how to know that the session is already authorized when the user has already logged in?
How to use passport.js to control access using the database and express.js middleware.
How to make login logic and how to know that the session is already authorized when the user has already logged in?
passport integrates well with express and has asynchronous methods to verify user / pass authenticity.
In my setup I use node-mysql and check with username
and password
(in hash MD5 ), and I've split the passport part in 3 parts:
req.user
Note: So I realize the passport needs express-session
since version 4 of expressjs
is a separate module / middleware.
I first dealt with the passport configuration on all middleware routes. This includes passing the middlewares to the route where I have the secure part of the site: app.use('/admin', middleware
.
Then I also configured the database interaction part (MySql via node-mysql ). Not including the initialization part of the DB, but together in the code the query that checks the user / pass against the database using the MD5 to generate the password hash.
After this part of the login, which is different from the middleware of the pages already authenticated, I configured the middleware that verifies that req.user
is filled. The passport
puts this property of request
o user
, so we can know that we are in an authorized / authenticated session.
My setup:
index.js
var express = require('express');
var passport = require('passport');
var session = require('express-session');
var app = express();
var sess = {
secret: 'keyboard cat',
cookie: {}
}
if (app.get('env') === 'production') {
app.set('trust proxy', 1) // trust first proxy
sess.cookie.secure = true // serve secure cookies
}
app.use('/admin', session(sess)); // enable sessions
app.use('/admin', passport.initialize()); // configuração do passport
app.use('/admin', passport.session()); // configuração do passport
app.use('/admin', require('./routes/services/admin')); // router para a zona que requer acesso
routes / services / admin.js
var md5 = require('md5');
var passport = require('passport');
var LocalStrategy = require('passport-local').Strategy;
var express = require('express');
var router = express.Router();
passport.use(new LocalStrategy(function(username, password, done) {
// verificação de user/pass
db.query('SELECT * FROM users WHERE username=? AND password=?', [username, md5(password)], function(err, rows){
if (err) return done(err);
var user = rows.length && rows[0].id; // podia passar mais info sobre o utilizador aqui
done(null, user); // tudo ok! chamar a callback do passport
});
}));
var authenticate = passport.authenticate('local', {
// aqui pode configurar-se também sucessRedirect
failureRedirect: '/admin/login',
failureFlash: true
});
// configuração recomendada
passport.serializeUser(function(user, done) {
done(null, user);
});
passport.deserializeUser(function(user, done) {
done(null, user);
});
// middleware para verificar se a sessão está criada
function gateKeeper(req, res, next){
if (req.user) next();
else res.redirect('/admin/login');
}
// página de login
router.get('/login', function(req, res) {
res.render('admin/login');
});
// tratar os dados de autenticação via POST com o middleware "authenticate"
router.post('/login', authenticate, function(req, res) {
res.redirect('/admin/home');
});
// router para a parte segura, usando o middleware "gatekeeper"
router.get('/:page', gateKeeper, function(req, res) {
res.send('Welcome to page ' + req.params.page); // resposta simplificada
});
Disclaimer:
I put this answer after learning how to gross. If there are errors, better ways or things that are missing: say! In the form of a new response or comment.
"Disclaimer" that say "for information I will explain something so that you do not think ill of me ...":)