User Authentication with PassportJS

My next adventure in learning Node centers around mastering some of most common operations performed on web sites.  Recently I dove into user management and authentication.  The most common way that a web site secures it self is with a user name/password and then a cookie.  Web sites need to use this cookie because your authentication information needs to stay static between round trips to the server.  The web server needs to store who you are and the fact that you are logged in.  In recent years this story has change has you can now login with a facebook or google account to websites that are not facebook or google.  My intent with Node is to just get down the basics so I’m only focusing on a basic user name/password situation, but it would sure be nice if I could scale it out and swap out different login providers.  To handle user authentication I discovered the “PassportJS” middle ware that does just that.  Passport defines the core functionality and then relies on different “strategies” to swap out different providers.  In my experimentation I focused on the “local” strategy, but there are dozens of different strategies that connect to different login and authentication providers that you can use.  The local strategy is basically a do it yourself option, perfect for learning.  Getting Passport working required three things:
Define your authentication “Strategy”
Tell Passport how to serialize/deserialize users

Make sure you have the session enabled

My Strategy

To get going, I defined the implementation to my local strategy, which is simply to compare a login attempt to a hard coded list of user names/passwords.  It goes without saying that this is terrible practice, but I’m practicing.  A real life local strategy would call out to a database, hash the password and check for a match between user name and hashed passwords; oh, and not surface the user’s password out to the rest of the application.


Second thing is to tell Passport how to serialize and deserialize user records.  When a user visits a page on your application, Passpost will hydrate the user record for you so that your application can have access to details about the user visiting the website.  In my example, that would mean that I could have access to the user’s name, password and id.  If this was a true local authentication, then I would be deserializing a user by executing a database call with a session identifier and pulling out a users information and then extending a session, certainly not leaking out a user’s password.

Remembering who you are

Unless you cache something off, the web server will forget every thing about your current request the next time you click on a link in the application.  I understood that in concept but the implementation in Node was lost to me.  Every blog post and example I read said that I only needed to define the above three functions and register them into Passport to have it start authenticating users.  However, every page load after that initial login was unauthenticated.  The secret that was missing was the Express Session.  Why was I missing that to begin with?  All the examples and blogs were out of date.  ExpressJS no longer bundles add ons, like session, in the core node package, they needed to be added and configured separately.  As soon as I added the “Express-Session” package and added a line to initialize it everything started working.  Cookies were set on the browser and user logins persisted across page loads.  My app started remembering who I was between pages views.