Registration, authentication & authorization

- we use the token technique: the first time we send login and password, but afterwards, once we have received a token, we only attach the token and do not need to send login and password with every request
- differences between registration, authentication & authorization
- TASK: what we plan to do
- Differences between encryption and hashing
- Headers + Payload (often the user id) + SecretKey => through the jwt.sign method === JWT token
Prepared instruments:
P.S. Take care to understand the difference between user routes and auth routes. Auth routes use the user model, but the routes themselves are different.

REGISTRATION

  • Add the route for registration
    routes\auth.routes.js

    P.S. Remember about the reexport in routes\index.js
    const auth = require('./auth.routes');
    module.exports = { auth };
    Also remember about the route in the main server.js (index.js)
    app.use('/api/v1/auth', routes.auth);
  • The 2 main steps in register
    1. Check whether the user already exists in the DB
    2. Add the user.

AUTHORIZATION

This whole page is designed to use the token technique for all user routes. So if a user wants to reach some route, we have to verify him (authorize): that means verifying the token and serving the requested route without a login step.

In the login step we used the jwt.sign() method to generate the token, so we can also use the jwt.verify() method for this step (authorization) (example in the users/profile route; this is the simplest authorization and is used in every CTRL), but it really is the simplest method, and in practice passport + passport-jwt are often used for verifying the token.
Passport is like a middleman between the application and some strategy, in our case the jwt strategy.

Passport + passport-jwt authorization

  • npm i passport passport-jwt
  • We show two ways of using authorization via passport + passport-jwt; to test them add

    • controllers\users\getUserProfileCTRL.js

    • routes\users.routes.js

      • router.get('/profile', ctrl.getUserProfileCTRL);

        P.S. Take care where you place this route; it may need to go before the UPDATE, DELETE and getById routes, otherwise "/profile" is matched as an id.

        To check that the controller works at this step, comment out the field "data {}" in the answer and make a request to http://localhost:5555/api/v1/users/profile

  • Create the passport config in
    • settings\passport-config.js

    • And import it in app.js

      require('./settings/passport-config');

  1. Automatic "Unauthorized" response with minimum settings in the passport.authenticate() method

    • Add directly to users.routes.js middleware
      const passport = require('passport');
      router.get('/profile', passport.authenticate('jwt', { session: false }), ctrl.getUserProfileCTRL);
  2. Write a callback for the passport.authenticate() method and send the "Unauthorized" response by hand

    So in this case all control over the request, and passing the user (adding the "user" object to the "req" object)

    req.user = user;

    on to the next middleware, is up to us
    • Create middleware in middlewares\authMDW.js

    • P.S. Reexport in middlewares\index.js

      const authMDW = require('./authMDW');

      module.exports = {
        authMDW,
      };
    • Use middleware for /profile route in routes\users.routes.js
      • const { authMDW } = require('../middlewares');
        router.get('/profile', authMDW, ctrl.getUserProfileCTRL);

        P.S. Remember to uncomment data {} in getUserProfileCTRL

LOGOUT

The main task in the logout technique is deleting the token on both the front- and back-end. E.g. if the token was deleted only in the frontend, someone who copies the token from local storage can still reach forbidden routes, because in the backend the token was not deleted. There are several options for user logout.

We show the easiest way to invalidate a token in the backend: saving it in the DB.