Node Four
Sessions, Cookies, and Authentication
Middleware Review
A middleware function is a function that fires between a request and the handler function for that request. There are two types of middleware: top-level and request-level. Top-level middleware fires on every request, or on a group of requests.
app.use((req, res, next) => {
  console.log('custom top level middleware hit!');
  next(); // pass control on to the next middleware or handler
});
Request-level Middleware
Request-level middleware fires before a specific endpoint's handler function.
app.get('/api/test', function(req, res, next) {
  console.log('request level one');
  next();
}, function(req, res, next) {
  console.log('request level two');
  next();
}, function(req, res) {
  console.log('handler function');
  res.send('Send a response!');
});
What is a Cookie?
Cookies are small pieces of data that a website stores in the browser. A common use for cookies is to allow a user to access their profile on a website without having to log in every time they visit.
What is a Session?
A session is information that keeps track of a user's cookie and other data. Remember, cookies and sessions are NOT the same thing.
express-session
express-session is a package we can use to create sessions. It uses middleware to create a session and send a cookie back to the user's browser to be stored. To set up express-session, install it from NPM:
npm install express-session
Then require it in your main server file:
const session = require('express-session')
Once required, we use express-session as top-level middleware:
app.use(session({
  resave: false,              // should the session save if no changes were made to it
  saveUninitialized: true,    // should a new session save if no data was added
  secret: 'asdfjkl;',         // random string to protect the cookie, typically stored in a .env file
  cookie: {maxAge: 1000 * 60} // object to add settings to the cookie, including its max age in milliseconds
}));
Authentication
Authentication is the process of verifying that an individual is who they say they are. This is often done through login credentials (username and password, email and password, etc.). The credentials can be transmitted in different ways, such as encoded (which plain HTTP does) or encrypted (which HTTPS does).
When working with user passwords, we should follow some simple rules:
Do NOT store plain passwords in a database
Do NOT store encoded passwords in a database
Do NOT store encrypted passwords in a database
To keep a password safe, we store a hashed password in the database.
What is Hashing?
Hashing is a one-way process that scrambles a password into a fixed string of characters, known as a hash. Hashes are stored in the database in place of the plain password.
Adding Salt
Salting is adding an extra set of random characters to the password before it is hashed. This creates an extra level of security for a user's password.
Bcrypt
bcrypt.js is a package that handles the hashing and salting of passwords. We can pair it with sessions to build authentication handler functions. To use bcrypt, first install it from NPM:
npm install bcryptjs
Then require it at the top of the controller containing your authentication handler functions:
const bcrypt = require('bcryptjs');
Using Bcrypt
To hash passwords, we need to be familiar with a couple of bcrypt's methods:
let password = '12345';
let salt = bcrypt.genSaltSync(10);                                // creates a salt
let hash = bcrypt.hashSync(password, salt);                       // mixes the password and salt, then creates a hash
let hashedPassword = db.get_password();                           // stand-in for reading the stored hash from the db
let authenticated = bcrypt.compareSync(password, hashedPassword); // compares a password with the hash in the db
Authentication Endpoints
We will now build authentication endpoints using bcrypt, storing authenticated users on sessions. View the example code below:
Copy of Sessions, Cookies, Authentication
By Cole Finlayson