Securing user data is more important than ever as web applications handle sensitive information. In this blog, we'll explore various NodeJS Authentication Methods to help protect your Node.js applications. We'll start by understanding the basics of authentication in Node and authorization, then move on to session-based and token-based authentication with practical code examples.
We'll also cover advanced techniques like two-factor authentication (2FA), passwordless authentication, and social login methods. By the end of this guide, you'll have a solid grasp of authentication for Node.js methods, ensuring your applications are secure and your users' data is safe.
What is Authentication in Node?
It can appear that authorization and authentication are the same things. But there is a significant distinction between entering a building (authentication) and what you can do inside (authorization).
The act of authenticating a user involves getting credentials and utilizing those credentials to confirm the person's identity. The authorization process starts if the certificates are legitimate.
We all go through the authentication in node.js procedure every day, whether at work (signing onto your computer) or at home, so you are undoubtedly already familiar with it (passwords or logging into a website).Many"things" connected to the Internet demand credentials to confirm your identity.
Medium
Authentication in Node.jsTechniques
- Using a password for authentication:The easiest method of authenticating is this one. It needs the password associated with the specifiedusername. The user will be successfully authenticated if the password and username match and both information match the system's database.
- Password-free identification:A link or OTP (one-time password) is sent to the user's registered mobile number or phone number in place of a password in this procedure. Authentication in Node JS based on an OTP can also be mentioned.
- 2FA/MFA:The highest level of authentication in Node is known as 2FA/MFA or two-factor authentication/multi-factor authentication.Authenticatingthe userrequires additional PIN or security questions.
- One-time password:Access to numerous applications can be made possible by using single sign-on or SSO. Once logged in, the user can immediately sign into all other online apps using the same centralized directory.
- Social Authentication:Social authentication checks the user using the already-existing login credentials for the relevant social network; it does not call for additional security.
Types ofAuthenticationsinNode.js
1. Session Based Authentication in Node
The session-based authentication is summarized in this figure quite simply. Let's put it into code to make it clearer.
First,create Node.js project andrun the following line of code from your project directory's terminal.
npminstall express express-session mongoose connect-mongoconstexpress = require('express');constapp =express();constmongoose = require('mongoose');constMongoStore= require('connect-mongo');constsession = require('express-session');awaitmongoose.connect('your_mongo_url', (err,db) => { console.log('MongoDB Connected....'); });app.get('/', (req,res)=>{ res.send('<h1>HelloWorld!</h1>') })app.listen(3000, () =>console.log(`Server running on 3000`));
This section of code will launch our server on Port 3000.
Let's now set up the MongoDB Store to store sessions.
app.use(session({ secret: 'fiwafhiwfwhvuwvu9hvvvwv', // Never ever share this secret in production, keep this in separate file on environmental variable resave: false, saveUninitialized: true, cookie: {maxAge:oneDay}, store:MongoStore.create({ mongoUrl: 'your_mongo_url' })}));
This section of code created an empty Session object for a request using the express-session package.
In ourMongoDBdatabase, this will therefore create a new empty session with the collection name sessions.
Let's build a user login route.
app.post('/login', async (req, res) => { const{ username,password }=req.body; try { let user = awaitUser.findOne({ email:username }) req.session.userId= user.id; console.log(req.session); res.redirect('/dashboard') } catch (err) { console.log(err); res.json({msg: 'Server Error! Please reload page' }); }})
This block of code is now crucial. So, when a user uses their username and password to access their account, we send a request to our server and keep it in the session.Req.session.userIdkeeps theuser'sdistinct _id in the session, and the server generates a special session id and stores it in a cookie that is sent back to the client and kept in the client's browser.The header of every request the client sends to the server will include this cookie.Wecanauthenticate that specific useronthe server side by using that cookie in the header and collecting the user'suserId.
module.exports.authentication= async (req, res, next) => { constuserId=req.session.userId; if (!userId) { returnres.redirect('/login?q=session-expired'); } try { let user = awaitUser.findById(userId); if(!user) { returnres.redirect('/login?q=session-expired'); } next(); } catch (err) { console.log(err); res.json({msg: 'Server error. Please reload pageafter sometime' }) }};
This type of middleware function can be developed so that we can authenticate the user for each request made on protected routes, such as dashboards, booking histories, payment routes, etc., and then display the appropriate information based on the user's preferences.
2. Token Based Authentication in Node JS
If a user logsin using the proper credentials, token-based authentication generates a token (a lengthy string of random alphanumeric characters) and sends it back to the client's browser in which it is saved (inlocalStorage,SessionStorageor cookie). Now, each time a user sends a request to the server, the token they previously stored in their browser is sent back to the server, where it is checked by some middleware before returning the necessary resources.
Let's put it into code.
First, create an emptynode appand run the following command:
npminstall expressjsonwebtokenmongooseconstexpress = require('express');constapp =express();constmongoose = require('mongoose');constjwt= require('jsonwebtoken');awaitmongoose.connect('your_mongo_url', (err,db) => { console.log('MongoDB Connected....'); });app.get('/', (req,res)=>{ res.send('<h1>HelloWorld!</h1>');})app.listen(3000, () =>console.log(`Server running on 3000`));
This section of code will launch our server on Port 3000.
app.post("/login", async (req, res) => { try { const{ username,password }=req.body; constuser = awaitUser.findOne({ username }); if(!user) { returnres.json({msg: "Please enter a valid username" }); } constaccessToken=jwt.sign( { username, id:user._id}, JWT_SECRET, { expiresIn:process.env.NODE_ENV=== "production" ?"6h" :"2 days", } ); res.json({msg: "User logged in!",accessToken}); } catch (err) { console.log(err); res.status(503).json({msg: "Server error!" }); }});
Therefore, the code block above posts the login information and logs the user in. Let's see how thejwt.sign() function generates our access token.
A new web token can be created using thesign() method of the JWT (Json Web Token) in order to covertly include user information. Thejwt.sign() function has three parameters. Let's talk about them one by one.
- The data that will be saved in the token. Either a string or ajavascriptobject may be used. In this example, the access token had the username and id (amongodb-generated unique id).
- The JWT SECRET is the second parameter. It is crucial not to display it during production because it could be anything (a random string). Environment variables should be used to store the JWT SECRET. Later, it will be applied to authenticate the user and check the JWT Token.
- The third parameter refers to the access token's optional attributes, such as the expiration date,httpOnly, and others.
This function will provide us ajwtaccess token, which is a string of randomly generated characters. Possibly like this:
eyJhbGciOiJIUzI1NiJ9.eyJpZCI6IjYwZndmNzA5N2ZmN2YwOTdmMDk5IiwidXNlcm5hbWUiOiJsYXZpc2hnb3lhbCJ9.kNPmoyim0KbrHw6Fl2NPdUWO3UdZ1cr3rFH4eZy9Dig
Furthermore, to see that this token includes user details, open a new tab on your browser, visit to https://jwt.io, and paste the above access token in the encoded input box to get the user id and username as displayed below.
The process for encoding the token is in the first part, followed by the user information we submitted and the JWT Secret, which will be used to validate the user later (which we'll do right now).
constauthenticateToken= (req, res, next) => {constauthHeader=req.headers["authorization"];consttoken =authHeader&&authHeader.split("")[1]; if (token === null) returnres.status(401).json({msg: "Not Authorized" });jwt.verify(token, JWT_SECRET, (err, user) => { if (err) returnres.status(401).json({msg:err }); req.user= user; next(); });};
401 is the status When the client supplies either no credentials or insufficient credentials referencing Unauthorized.
Afterthis data block has verified the incoming JWT token and verified the user's identity, we can continue with the rest of the data handling. Three parameters are passed tojwt.verify(), the first of which is the token that we'll get from the client. Whether cookies or headers can be used to obtain the token. The authorization header is where the token is sent in this case.
Now, all protected routes can utilize the aboveauthenticateTokenmiddleware method to check whether a user isauthorizedto access data there. As an illustration:
app.get("/dashboard",authenticateToken, (req,res)=>{ res.send('<h1>Welcome to dashboard</h1>')})
Therefore, we utilized theauthenticateTokenmiddleware method in the code above,If the client's request has a valid JWT token, the user will get the Welcome to dashboard header otherwise.
3. PasswordlessAuthentication
The other forms of authentication in Node cannot even remotely compare to this one. To log in, no credentials are required. You will receive a magic link or one-timepassword each time you wish to log in; all you need is an email address or phone number linked to an account. When you click the link, the app opens,and you willhavealready logged in. After that, the magic link is no longer active and cannot be used by anybody else.
A JWT is also generated along with the magic link when it is created. In this way, authentication takes place. It's much more difficult for hackers to break into your machine using this login technique.
importcorsfrom "cors";import express from "express";constPORT =process.env.PORT|| 4000;constapp =express();// Set up middlewareapp.use(cors());app.use(express.json());app.use(express.urlencoded({ extended:false }));// Login endpointapp.post("/login", (req, res) => {constemail =req.body.email; if(!email) { res.statusCode(403); res.send({ message: "There is no email address that matches this.", }); } if (email) { res.statusCode(200); res.send(email); }});// Start up the server on the port defined in the environmentconstserver =app.listen(PORT, () => {console.info("Server running on port " + PORT)})export default server
After setting up this foundational server, we can begin including more features. Let's add the email service we'll be using right away. Importnodemailerafter adding it to yourpackage.json.
importnodeMailerfrom "nodemailer";After that, we'll create an email transporter below the middleware. This code creates the email template with some basic HTML and configuresnodemailer.
consttransport =nodeMailer.createTransport({ host:process.env.EMAIL_HOST, port: 587, auth: { user:process.env.EMAIL_USER, pass:process.env.EMAIL_PASSWORD }});// Make email template for magic linkconstemailTemplate=({ username,link }) => ` <h2>Hey ${username}</h2> <p>Here's the login link you just requested:</p> <p>${link}</p>
The token that contains the user's information must then be created. This is merely an illustration of some of the fundamental components that a token mightcontain. User permissions, unique access codes, and other details that would be useful in your programme could also be included.
constmakeToken= (email) => {constexpirationDate= newDate();expirationDate.setHours(new Date().getHours() + 1); returnjwt.sign({ email,expirationDate},process.env.JWT_SECRET_KEY);};
An alternate approach to learning more aboutNode.js appsand environment variables is to go through the Node.js certificationbyknowledgeHut .
Guide to Node.jsUser Authentication with Auth0
You may secure your web application stack without being an expert in identity standards like OAuth 2.0 or OpenID Connect with the aid of Auth0. You must first incorporate Auth0 into your application. When users need to log in, your application will reroute them to an Auth0 customizable login page. When users successfully log in, Auth0 returns them to your app with JSON Web Tokens (JWTs) containing their authentication and user data.
Get the StarterApplication
To give you practical experience withnode serversecurity topics, we have developed a starter project. The starter application handles the styling and layout of your application using Bootstrap and a custom theme. To protect your application, you can concentrate on creatingExpressjscomponents.
To begin, clone the auth0-express-pug-sample repository's starting branch:
git clone -b startergit@github.com:auth0-blog/auth0-express-pug-sample.gitInstall Node.js dependencies:
npminstallCreate and populate .env file with:
DEV_PORT=4041PROD_PORT=4040
Run Node.jsserver by entering the command shown below:
npmrun devBy leveragingBrowsersync,Express servertemplates may emulate the live reload functionality of front-end frameworks like React and Angular.Sowhen source code is modified, such as when you alter a CSS rule or change a function's return value, the browser will immediately refresh.
The following command should be entered in a different command prompt to serve as yourexpress applicationuser interface:
npmrunuiConnect Express with Auth0
During the registration process, an Auth0 Tenant, which symbolizes the product or service to which you are adding authentication, is formed.
Auth0 directs you to the Dashboard after you log in. Click "Applications" on the left sidebar menu.
Next, select "Create Application" from the menu. A modal window with a form for naming the programme and selecting its kind appears.
For the process to be finished, select "Create" button. The page for your Auth0 application opens.
You don't need to createNode.jsloginforms if youutilizeAuth0. To lessen the administrative burden of implementing and managing authentication, Auth0 provides a Universal Login page.
How does the Universal Login function?
Every time an authentication request is made by a user in yourExpress application, they are redirected to Auth0. They will see a login screen from Auth0. Following their successful login, Auth0 will reroute them to yourExpress application. The URLs that Auth0 can send users to after authenticating them must be specified in your Auth0 Application Settingssothatthey areredirectedtotheplace safely.
Configure Express to use the Auth0 configuration variables.
To enable the connectionbridgeyou constructed to be used by your Express application, you need the Auth0 Domain and Client ID data from the Auth0 Application Settings page.
In your auth0-express-pug-sample project directory, open the .env file and make the following changes:
DEV PORT=4041
PROD PORT=4040
AUTH0 ISSUER BASE URL=https://<AUTH0 DOMAIN>/
AUTH0 CLIENT ID=
The domain from the "Settings" is represented by <AUTH0 DOMAIN> for the AUTH0_ISSUER_BASE_URL value.
Client ID can be found in the "Settings" as AUTH0_CLIENT_ID.
With the aid of these variables, your Express application can establish its legitimacy when communicating with the Auth0 authentication server.
Setup of the Auth0 and Express connections
You've finished configuring a login that your Express application can utilize. The final step is to continue adding components as you develop the basic project all throughNode.js tutorialin order to start theNode.js authenticationflow and manage it.
Joinour Full stack Development course to advance your software development skills.
Set Up Express OpenIDConnect
To connect the ExpressOpenIDConnect library with your Express application, you must adhere to these procedures.
Install Express OpenID Connect
Run the following:
npminstall express-openid-connectConfigure Express OpenID Connect
Open the .env file and edit them:
DEV_PORT=4041
PROD_PORT=4040
AUTH0_ISSUER_BASE_URL=<...>
AUTH0_CLIENT_ID=<...>
BASE_URL=http://localhost:4040
SESSION_SECRET=
To create an acceptable string for the session secret, use the following command:
node -e "console.log (crypto.randomBytes(32).toString('hex'))" - The output oftheaforementionedcommandshould be copied and pasted intothe value for SESSION SECRETin .env.
- You must restart the Node.js server to notice these updated environment variables. Find the terminal window where you previouslyexecutednpmrun dev, close it, and then run it once more.
User authentication is a method for keeping track of who is using your application and limiting their access. For instance, you can restrict access to some areas for users who are not logged in.
Authentication in Nodejs can be effectively managed using tools like Auth0. Users will be stopped and asked for their credentials by Auth0 if they attempt to enter a protected route from your application. Auth0 will admit them if it can confirm their identity and they have permission to enter. If not, Auth0 will redirect them to a route for a public application.
It's crucial to stress once more that the authentication procedure won't take place at the application layer. When a user visits the Auth0 Universal Login page from your Express application,Auth0apirequests their credentials and then sends them back to your application with the results of the Node.js authentication process.
The auth router is provided by the Express OpenID Connect library so that your application can attach authentication routes. Express OpenID Connect will handle the implementation of /login and /logout controllers for you.
Express-openid-connect must now be initialized, set up, and integrated with yourExpress authenticationapplication.
Open src/index.js and update the Required External Modules section to import auth:
//src/index.jsconstexpress=require('express');constpath=require('path');const{auth}=require('express-openid-connect');
Then, update the App Configuration section to initialize and use auth as an Express middleware function:
app.set('views',path.join(__dirname,'views'));app.set('view engine','pug');app.use(express.static(path.join(__dirname,'..','public')));app.use(auth({ issuerBaseURL:process.env.AUTH0_ISSUER_BASE_URL, baseURL:process.env.BASE_URL, clientID:process.env.AUTH0_CLIENT_ID, secret:process.env.SESSION_SECRET, authRequired:false, auth0Logout:true,}),);
The two new propertiesauthRequiredand auth0Logout are being added.
When you set thebooleanvalueauthRequiredto true, Express OpenID Connect is configured to demandauthenticationsfor all routes. You'll have a mixture of public and protected pathways for this project. This property is therefore set to false.
Anotherbooleanparameter called auth0Logout makes it possible to log out a user from an Auth0 session by enabling the Auth0 logout capability. There are normally three sessions layers toconsiderwhen adding logout functionality to an application:
- Identity Provider Session Layer
- Application Session Layer
- Auth0 Session Layer
One can configure theAuth0 authenticationapito log the user out from the application, from the Auth0 session, or from Google itself, for instance, when one of your users signed in using Google.
Add UserAuthentication in Node
For your users to initiate the authentication events of sign-in, sign-out, and registration, you must design UI components.
Anoidcnamespace is created by Express OpenID Connect in thereqobject of your application. The library keeps authentication in Node.js methods and information in this namespace, including a user object to contain user profile data and a login function to personalize the login process.
Create a Login Button
Establish a login button.src/components/ directory's pug file:
touchsrc/components/login-button.pugCreate amixininsrc/components/login-button.pugto serve as a representation of a login button component:
mixinlogin-button()button( class="btnbtn-primarybtn-block", onclick="window.location='/login'")Log In
Create a sign-up button
Create a /signup routecontroller to force users to land on a sign-up page rather than a login page.
Open thesrc/index.js file to get started. Find the section on Routes Definitions. Routes for each feature of yourExpressweb application are defined in several subsections under this section. Find the > Authentication subsection and make the following changes:
app.get('/signup',(req,res)=>{res.oidc.login({ authorizationParams:{ screen_hint:'signup', },});});
You develop a route controller for /sign-up that has access to theres.oidc.login() method. To modify the user login experience, this technique requires certainLoginOptions.
Here, you override the pre-configuredauthorizationParams, which Express OpenID Connect uses to direct users to Auth0 for login when redirecting them to a URL.
Depending on your use case, you can pass new values to modify what the Auth0authorizationserver returns. Just specify the screen hint=signup property as an authorization parameter in your /sign-up controller to include all to a sign-up form.
{authorizationParams:{ screen_hint:"signup",},}
Retrieving UserInformation
You can customise the Express application's user interface by using profile information that is kept in your Auth0 user database. This profile information is made available in thereq.oidc.userobject by thenode expressOpenID Connect library. The name, nickname, image, and email of the logged-in user are just a few of the user details that are accessible.
In the Routes Definitions > Profile section ofsrc/index.js, change the /profile route controller as follows:
app.get('/profile',(req,res)=>{res.render('profile',{ user:req.oidc.user,});});
Next, make the following changes to the /profile template found insrc/views/profile.pug:
extends../components/layoutblock contentifuser div div(class="row align-items-centerprofile-header") div(class="col-md-2 mb-3") img( class="rounded-circleimg-fluid profile-picture mb-3 mb-md-0" src=user.picture alt="Profile" ) div(class="col-md text-centertext-md-left") h2#{user.name} p(class="lead text-muted")#{user.email} div(class="row") pre(class="col-12 text-lightbg-dark p-4") |#{JSON.stringify(user, null, 2)}
You might consider protected user information to be rendered using the profile template. In addition, if no user is currently logged in, the user property is null. In either case, Auth0 should haveauthorizedthe user before this component renders.
ProtectingRoutes
You can use therequiresAuth() middleware function exposed by the Express OpenID Connect module to make users log in before they can access a certain route. Users who attempt to access the route using Express without being logged in will be redirected to the Auth0 Universal Login page.
Open src/index.js and update the Required External Modulesconstexpress=require('express');constpath=require('path');const{auth,requiresAuth}=require('express-openid-connect');Update the Routes Definitions > Profile subsection of src/index.js app.get('/profile',requiresAuth(),(req,res)=>{res.render('profile',{ user:req.oidc.user,});});
Now, when users access a protected route without being logged in, your Express application will reroute them to the login page. The user will be redirected to the page they were looking for before logging in by Auth0 after logging in.
You can now verify that access to /profile requires users to log in. Try to view the Profile page once again after logging out. If it succeeds, Express directs you to use Auth0 to log in.
Calling anAPI
When you utilize Auth0, you give a centralized service control over the authentication process. Youcouldlog users in and out of your Express application using Auth0. The secured resources from an external API, such as contacts, images, or purchase histories, can yetbe accessed by your application.
Auth0 can also be used to secure an API. You may integrate Auth0 with your backend platform via a variety of APIquickstarts.
By using Auth0 to secure your API, you also give control over the authorization procedure to a centralized service, ensuring that onlyauthorizedclient programmes can access secured resources on a user's behalf.
What is Authorization?
Allowing authenticated users access to resources involves authorizing them after determiningwhetherthey have system access permissions. You can also limit access rights by approving or rejectingparticular licensesfor authenticated users.
After the system confirms your identification,authorizationtakes place, giving you complete access to all the system's resources, including data, files, databases, money, places, and anything else.Your ability to access the system and how much access you have depends on this approval.
Authorization Methods
1. Role-based access controls (RBAC)
This type of authorization grantsusersaccess to data in accordance with their positions within the company. For instance, all employees inside a corporation might have access to personal data, such as pay, vacation time, but not be ableto edit it. However, HR may be granted access to all employee HR data and be given the authority to add, remove, and modify this information. By implementing Authentication in Nodejs, Organizations may make sure each user is active while limiting access to sensitive information by granting permissions based on each person's function.
2. Attribute-based access control (ABAC)
ABAC usesseveraldistinct attributes to grantusersauthorization at a finer level than RBAC. User attributes including the user's name, role, organization, ID, and security clearance may be included. Environmental factors including the time of access, the location of the data, and the level of organizational danger currently in effect may be included. Additionally, it might contain resource information like the resource owner, file name, and data sensitivity level. The aim of ABAC, which is a more intricate authorization process than RBAC, is to further restrict access. For instance, to preserve strict security boundaries, access can be restricted to specific geographic regions or times of the day rather than allowing all HR managers in a business to update employees' HR data.
Are you ready to become a Python master? Join ourPython Master Courseand unlock the secrets of this powerful programming language. From beginner to expert, we've got you covered. Don't miss out on this unique opportunity to level up your coding skills. Enroll now!
Conclusion
To identify your users, obtain user profiles, and manage the material that your users can access, you have developed user authentication for Node.js by securing routes and API resources.JWT, authentication, authorization, and CORS were all topics covered. Additionally, we discovered how to build a Node.js API that uses a JWT token for authentication.
You might not have the time to put the effort into creating your own authentication system. You may incorporate authentication into your app using a variety of already-existing libraries and services. Some of the most popular ones include Auth0 and Passport.js.
Now that you’ve learned a bit more about Authentication in Node.js, it's high time tolearn Node.jsin depth withKnowledgehHut’sNode.js certification and utilize this in realNode.jsprojects.
