How to use passport.js on node to log in against the database

passport integrates well with express and has asynchronous methods to verify user / pass authenticity.

In my setup I use node-mysql and check with username and password (in hash MD5 ), and I've split the passport part in 3 parts:

• configuration
• Login authentication
• middleware verification of req.user

Note: So I realize the passport needs express-session since version 4 of expressjs is a separate module / middleware.

Like I did:

I first dealt with the passport configuration on all middleware routes. This includes passing the middlewares to the route where I have the secure part of the site: app.use('/admin', middleware .

Then I also configured the database interaction part (MySql via node-mysql ). Not including the initialization part of the DB, but together in the code the query that checks the user / pass against the database using the MD5 to generate the password hash.

After this part of the login, which is different from the middleware of the pages already authenticated, I configured the middleware that verifies that req.user is filled. The passport puts this property of request o user , so we can know that we are in an authorized / authenticated session.

My setup:

index.js

var express = require('express');
var passport = require('passport');
var session = require('express-session');

var app = express();
var sess = {
  secret: 'keyboard cat',
  cookie: {}
}

if (app.get('env') === 'production') {
  app.set('trust proxy', 1) // trust first proxy
  sess.cookie.secure = true // serve secure cookies
}

app.use('/admin',   session(sess));                         // enable sessions
app.use('/admin',   passport.initialize());                 // configuração do passport
app.use('/admin',   passport.session());                    // configuração do passport
app.use('/admin',   require('./routes/services/admin'));    // router para a zona que requer acesso

routes / services / admin.js

var md5 = require('md5');
var passport = require('passport');
var LocalStrategy = require('passport-local').Strategy;
var express = require('express');
var router = express.Router();

passport.use(new LocalStrategy(function(username, password, done) {
    // verificação de user/pass
    db.query('SELECT * FROM users WHERE username=? AND password=?', [username, md5(password)], function(err, rows){
        if (err) return done(err);
        var user = rows.length && rows[0].id; // podia passar mais info sobre o utilizador aqui
        done(null, user); // tudo ok! chamar a callback do passport
    });
}));

var authenticate = passport.authenticate('local', {
    // aqui pode configurar-se também sucessRedirect
    failureRedirect: '/admin/login',
    failureFlash: true
});

// configuração recomendada
passport.serializeUser(function(user, done) {
  done(null, user);
});
passport.deserializeUser(function(user, done) {
  done(null, user);
});

// middleware para verificar se a sessão está criada
function gateKeeper(req, res, next){
    if (req.user) next();
    else res.redirect('/admin/login');
}

// página de login
router.get('/login', function(req, res) {
    res.render('admin/login');
});

// tratar os dados de autenticação via POST com o middleware "authenticate"
router.post('/login', authenticate, function(req, res) {
    res.redirect('/admin/home');
});

// router para a parte segura, usando o middleware "gatekeeper"
router.get('/:page', gateKeeper, function(req, res) {
    res.send('Welcome to page ' + req.params.page); // resposta simplificada
});

Disclaimer:

I put this answer after learning how to gross. If there are errors, better ways or things that are missing: say! In the form of a new response or comment.

"Disclaimer" that say "for information I will explain something so that you do not think ill of me ...":)

More reading (in English):

• link
• link
• link
• link