Authentication is an important aspect of web development, which ensures that users accessing an application are who they claim to be. In Express, several authentication strategies are available that help you secure your applications by verifying user identities.
In this article, we will cover the following authentication strategies available in Express
Table of Content
Prerequisites
Different Types of Authentication Patterns:
Authentication patterns are used to manage user authentication based on whether or not the server keeps track of or maintains user state or data. There are two types of authentication patterns:
1. Stateless Authentication
The server does not store any data or state of the user between requests. It means each request from the client/ User to the server contains all the data needed to authenticate the user.
Some Stateless authentication strategies in ExpressJS are
- Basic Authentication
- Token-Based Authentication
- OAuth Authentication (when implemented with stateless tokens)
A. Basic Authentication
- Basic Authentication is one of the simplest and most widely used auth strategy across the web.
- In express, it involves sending the user’s credentials i.e username, and password with each HTTP request coded in “base64-encoded format”
- Though it is easy to implement, its base64-encoded format can be easily decoded so it is recommended to use this method only when coupled with a secure transport layer such as HTTPS.
- You can use express-basic-auth middleware in Express to implement this authentication method.
//app.jsconst express = require("express");
const basicAuth = require("express-basic-auth");
const app = express();app.use( basicAuth({
users: { username: "password" },
challenge: true,
unauthorizedResponse:
"Unauthorized access. Please provide valid credentials.",
})
);app.get("/secure-data", (req, res) => {
res.send("This is secure data that requires valid credentials.");
});const port = 3000;app.listen(port, () => { console.log(`Server is running on http://localhost:${port}`);
}); |
B. Token-Based Authentication:
- It is a more secure and scalable alternative to basic authentication.
- JSON Web Tokens(JWT) are commonly used in Express to implement token-based authentication.
- When the user logs in, the server generates a token containing the user’s information.
- Then the server sends the token to the client in response.
- The client stores the token in the form of a cookie or local storage.
- In the subsequent request, the client includes this token in the header, enabling the server to validate the user.
- The features of token-based auth include expiration time and digital signatures enhancing the security and integrity of the data.
//app.jsconst jwt = require("jsonwebtoken");
// Generating a tokenconst token = jwt.sign({ userId: "246" }, "secretKey", { expiresIn: "2h" });
// Verifying the tokenjwt.verify(token, "secretKey", (err, decoded) => {
if (err) {
// Token is invalid
} else {
// Token is valid, and decoded contains user information
}
}); |
C. OAuth Authentication
- OAuth (Open Authorization) is an industry-standard protocol for authentication.
- OAuth enables users to grant third-party applications limited access to their resources without sharing credentials (passwords).
- In Express JS with the help of Passport.JS, one can integrate OAuth authentication strategies for popular providers such as Google, Twitter, or Facebook.
- OAuth leverages the existing credentials from trusted providers, offering a secure user experience.
//app.jsconst passport = require("passport");
const GoogleStrategy = require("passport-google-oauth20").Strategy;
passport.use( new GoogleStrategy(
{
clientID: "your-id",
clientSecret: "your-secret",
},
(accessToken, refreshToken, profile, done) => {
// Use profile information to create or authenticate a user
// Call done(null, user) upon success
}
)
);app.get( "/auth/google",
passport.authenticate("google", { scope: ["profile", "email"] })
);app.get( "/auth/google/callback",
passport.authenticate("google", {
successRedirect: "/dashboard",
failureRedirect: "/login",
})
); |
2. Stateful Authentication
In this authentication pattern, the Server stores the state or data of the user about the user session or authentication state. The server uses this information/ Data to authenticate the user. Stateful authentication uses cookies to identify the user with their request. In Express.js Authentication strategies such as Passport.js and Middleware-based authentication can be both stateful or stateless depending on the use case and implementation chosen by developers.
A. Passport.js Middleware
- Passport.js is the authentication middleware for Node.js applications, especially for frameworks like ExpressJS.
- It supports various strategies such as local authentication, OAuth, OpenID, and others.
- It’s flexible to allow developers to choose the strategies that align with their web app the best.
- Passport.JS delegates the intricacies of different strategies to specialized modules.
- This modular design makes it easy to integrate for changing requirements.
const passport = require('passport');
const LocalStrategy = require('passport-local').Strategy;
passport.use(new LocalStrategy(
(username, password, done) => {
// Validate user credentials
// If valid, call done(null, user)
// Otherwise, call done(null, false, { message: 'Incorrect credentials.' })
}
));app.post('/login', passport.authenticate('local', {
successRedirect: '/dashboard',
failureRedirect: '/login',
failureFlash: true
})); |
B. Middleware-Based Authentication
- Middleware-based authentications involve using custom middleware functions for authorization
- Middleware functions are the functions that have access to the request, response, and the next function in the application’s request-response cycle
- They can modify request and response objects, call the next function, and end the request-response cycle in the stack.
- Middleware-based authentication offers maximum flexibility among others. It allows developers to customize authentication logic to specific application requirements.
function authenticate(req, res, next) {
// Custom authentication logic
if (req.headers.authorization === 'valid-token') {
return next(); // User is authenticated
} else {
return res.status(401).json({ message: 'Unauthorized access.' });
}
}app.get('/protected-route', authenticate, (req, res) => {
// Route handling logic for authenticated users
}); |
Conclusion
Express provides many strategies for authentication and authorization, each works at specific use cases and requirements. The choice of choosing the authentication strategy for your application depends on the nature of your app, industry standards, and the sensitivity of user data.