How authentication works with passport JS:
- import a passport strategy library, such as
import passportLocal from 'passport-local'
- create a verifyCallback function; this function accepts some parameters and then calls a callback function passed to it. For example, it might accept a username and password as parameters, plus a callback function named done. The function uses the username to find the user in a database, then hashes the password and compares it to the user's stored hashed password. Finally it calls done(err, user), where err is an error (if any) and user is the authenticated user object.
- instantiate your strategy using your verifyCallback function, something like
const strategy = new passportLocal.Strategy(verifyCallback)
- pass this strategy to passport, like
passport.use(strategy)
- define passport.serializeUser and passport.deserializeUser (if using passport sessions)
- use passport with your express app, like
app.use(passport.initialize()) and app.use(passport.session())
What this does:
- You can now use
passport.authenticate('strategyName', { successRedirect: '/welcome', failureRedirect: '/login' }) as middleware inside your app.post('/login') route. This allows you to create an authentication endpoint.
- Passport adds methods to your request object, such as
req.isAuthenticated(). This can be used to create authorized routes.
What we should build for our passport-strategy library:
- add a POST route that issues a challenge, like app.post('/challenge'); it requires req.pubkey in the body and returns a challenge for that pubkey.
- a verifyCallback function for our passport strategy that accepts a signed challenge and verifies the legitimacy of the signed challenge. The developers can then either fetch this user from their database or generate a user for this pubkey; this implementation will be up to them, but we should add an example of how it can be done.
- devs using our library can then register our strategy like
passport.use(new ourStrategy.Strategy({ config }, verifyCallback))
- users will then be able to hit an authentication route, like
app.post('/login', passport.authenticate('our-strategy', { config... }), (req, res) => { res.redirect('/welcome') })