A user is directed to a login page where they are prompted for their username and password
These credentials are sent to the server's '/login' route in a POST request.
The server will check to see if a user with that username exists. If this user does exist, then the password is examined to see if it matches the copy in the database.
Then a user session and a session hash are created and stored in the session storage.
A user session is a representation of the user usually stored in a key/value type database. The session object represents the logged in state of the user.
A session hash is created from the user session.
The session storage uses the session hash as a key, and the user session object as the value to store.
The session hash is then returned to be stored in the ...
A cookie is a serialized collection of key/value pairs that is sent to the user's browser. The cookie is stored on the browser and is sent to the server on every request.
In terms of authentication, the cookie will hold the session hash so that it can be used by the server to find a matching user session for the incoming user.
Cookies and sessions can be thought of as two sides of the same coin: one side (the cookie) is kept with the user, while the other (the session) is kept on the server.
Once the session and the cookie are generated, the server can set a header on the response that will store the cookie in the user's browser.
The cookie is always sent to the server on subsequent requests. The server will use the session hash in the cookie to try and find a matching user session in storage.
Once a match is found, the request can be decorated with the user's information and used throughout the request-response cycle.
express-session is a middleware for Express that handles the creation and storage of user session objects.
Passport.js is an authentication framework that handles the creation of the session and the cookie. It will also handle applying the cookie to the response.
It also decorates the request object with a few methods that ease the login/logout and authorization process.
Authentication = You are who you say you are
Authorization = You are allowed to view this page
Each route will need its own bit of logic to determine whether the user session attached to the request is authorized to view the data within the route.
Passport will decorate the request with a .isAuthenticated() function that returns a boolean signalling whether the user has a valid session or not.
Passport will decorate the request object with a .logout() function that removes the session from session storage and updates the response with a header that removes the cookie from the browser. This effectively logs the user out on both sides.
User registration is not handled by Passport.
Users can register with the server by sending a POST to a /register route where the server will take the given username and password and create a new user record with that data.