martiriera/upc-matt-nsaa
upc-matt-nsaa

Repo to allocate NSAA web auth class examples

Lab 2: WebAuth using Express.js and Passport.js

6.1. Exchange the JWT using cookies

When a user has successfully authenticated with the local strategy, a token is created and signed with the server's jwtSecret. If no cookie has been created yet, the server defines a new one carrying the JWT and attaches it to the res object. The server then redirects to the root of the site to tell the user their fortune. The cookie expires after the number of milliseconds held in the global variable cookieExpire. When this happens, a message is written to the log and an alert pops up for the user on the web page (i.e. "Your credentials have expired, please login again for more fortune").

Note: the cookie currently expires after 30 seconds (for testing purposes); this time may be changed to match the JWT expiry claim.

6.2. Create the fortune-teller endpoint

When a user provides the credentials, the JWTStrategy is used to authenticate. The configuration of that strategy is quite simple: it only needs the cookieExtractor function (which can be found in the Passport.js docs) and the jwtSecret. Now a browser presenting a cookie with a valid JWT (i.e. one verified by the server) can access the fortune teller without providing the login credentials, so the main page can be refreshed as many times as you want until the token expires.

The random fortune string generated by the server, the username of the authenticated user and the expiry time of the cookie are available in the fortune-teller HTML view and are used there. This is made possible by configuring Express properly and using the res.render function.

6.3. Add a logout endpoint

The logout endpoint simply clears the cookie on the res object and stops the timer counting down the expiry time. The server also logs an informational message.

6.4. Add bcrypt or scrypt to the login process

For storing the user data, a MongoDB user model has been defined with Mongoose. This model hashes the provided password before saving it to the database. It also has a method to validate a provided password. The database is seeded with two users before the server is started, and the model is used in the LocalStrategy configuration in a quite simple way.
