express passportjs confusion

Posted on 2017-08-10
5
Low Priority
?
83 Views
Last Modified: 2017-08-13
Hello All,

I am reading a book called Express.js Blueprints.  I am trying to wrap my mind around understanding authentication using passport.  Serializing and deserializing are not registering with me.  I have just started learning Node and Express.js, so that's a big reason why.

Here's some code from the book on setting up passport.  Starting with line 5, can someone please break down what's happening?  Where is the "user" parameter coming from in the serializeUser function?  Where did "user.id" come from?

var passport = require('passport');
var LocalStrategy = require('passport-local').Strategy;
var User = require('mongoose').model('User');

passport.serializeUser(function(user, done) {
  // "user" is whatever the strategy passed to done(null, user); only its id is stored in the session
  done(null, user.id);
});
passport.deserializeUser(function(id, done) {
  // called on later requests with the id from the session; loads the full user record into req.user
  User.findById(id, done);
});

// passport-local reads a "username" field from the form by default; usernameField makes it read "email"
passport.use(new LocalStrategy({ usernameField: 'email' }, function(email, password, done) {
  User.findOne({
    email: email
  }, function(err, user) {
    if (err) return done(err);
    if (!user) {
      return authFail(done);
    }
    if (!user.validPassword(password)) {
      return authFail(done);
    }
    return done(null, user);
  });
}));

// authFail is not defined in the excerpt; this minimal version tells passport the login failed
function authFail(done) {
  return done(null, false, { message: 'Incorrect email or password.' });
}

Question by:Isaac
5 Comments
 
LVL 5

Author Comment

by:Isaac
ID: 42250410
I am even looking at the code on passport.js site 'Configure' section.
How does the username and password get passed to the function?

var passport = require('passport')
  , LocalStrategy = require('passport-local').Strategy;

passport.use(new LocalStrategy(
  function(username, password, done) {
    User.findOne({ username: username }, function (err, user) {
      if (err) { return done(err); }
      if (!user) {
        return done(null, false, { message: 'Incorrect username.' });
      }
      if (!user.validPassword(password)) {
        return done(null, false, { message: 'Incorrect password.' });
      }
      return done(null, user);
    });
  }
));


0
 
LVL 60

Expert Comment

by:Julian Hansen
ID: 42250594
In answer to your first question

The serialize and deserialize functions are used to save user data to passport and retrieve it again. When you log in, the user object (details associated with your user) is only available at authentication time. That means if you want to get user info relating to the user account after login you need to save those values in the session (or query them each time, which would require you to save at least a unique ID linked to the user).
The serialize method is where you tell passport what data you want it to save in the session relating to the user. The deserialize function is where you ask passport to give that data back to you.

It is explained in detail in the docs here http://passportjs.org/docs#sessions

With reference to your second question - the username and password are handled differently depending on the strategy you use. In the case of one of the in-built strategies passport handles that for you. In the case of a custom strategy you set up a form with username and password fields and then create a route that sends this to passport.

You can read more about this here http://passportjs.org/docs#configuration
0
 
LVL 5

Author Comment

by:Isaac
ID: 42250971
Where does the 'user.id' come from?  

passport.serializeUser(function(user, done) {
  done(null, user.id);
});

Is it checking the database?  I don't have a 'user' field in my MongoDB.
I'm trying to use 'local-strategy' and 'passport-local-mongoose'.
0
 
LVL 5

Author Comment

by:Isaac
ID: 42250983
>>When you login the user object (details associated with your user) are only available at authentication time.

Is the user object created when they try to sign into the database?
0
 
LVL 60

Accepted Solution

by:
Julian Hansen earned 1000 total points
ID: 42251019
>>Where does the 'user.id' come from?
From your user object.
>>Is the user object created when they try to sign into the database?
No, they don't try to sign into the database - you write the code to do that and populate your user object with the data you retrieve.

Going from the beginning:
They provide different "strategies" for authentication. The in-built ones will allow you to authorize with Google / Facebook / GitHub etc. With these in-built strategies they handle the authentication for you.

If you have your own database then you have to create your own local (custom) strategy. In this scenario you get your own user object - in the source code above, refer to line 3

var User = require('mongoose').model('User');


Then on line 4 of your second post you create a LocalStrategy
passport.use(new LocalStrategy(

The function takes a username, a password and a done callback.
You use the User object you created in line 3 to find the user based on the username / password. If it succeeds you tell passport it was successful; if it fails you tell passport it failed, through the done() callback.

So:
Get the user object.
Passport accepts the form submission and, through your LocalStrategy setup, calls your callback with the name and password it got from the form, along with a callback (done) that you call when the user is authenticated.
In addition, passport creates a serialize and deserialize interface for you to save and restore your user object from the session.

When a user hits your site - if a session is in progress then passport will deserialize your user object for you so that it is available to use in the session.
1
