madhums / node-express-mongoose-demo

A simple demo app using node and mongodb for beginners (with docker)

Home Page: https://nodejs-express-demo.fly.dev


This demo is great, but what about using JWT authentication?

sunkant opened this issue · comments

commented

This demo is great and help us a lot.

As now JWT ( JSON Web Token ) becomes an important way of authentication. What about adding JWT authentication to this demo? Or we use JWT authentication instead of the traditional session-cookie way.

Let's make this demo more powerful. : )

I believe it is generally accepted to mount a middleware function in front of your routes that require authentication and perform your decoding within it.

commented

Hi @gvance,
Thanks, and I plan to do this. I plan to store the JWT in the cookie, and decode the JWT with a global JWT verifying middleware.

In this case, I find I do not need app.use(passport.session()); anymore, for I now record the User information in the JWT ( which is manually stored in the cookie by my application ).

With this global JWT verifying middleware, I also reduce the number of times the application needs to access the Database, for we do not need to serializeUser and deserializeUser ( Load User by _id from the Database) every time a req comes in. We just need to decode the JWT in the cookie, without visiting the Database.

Is this the right thing to do if I want to use JWT authentication? Thank you.

@Lucas-Qi
I would think of jwt as a different entity than a cookie. The nice thing about jwts is that they don't need to be a cookie but can still be passed to your API via a request header.

In this case, I find I do not need app.use(passport.session()); anymore, for I now record the User information in the JWT ( which is manually stored in the cookie by my application ).

This is correct.

We just need to decode the JWT in the cookie, without visiting the Database.

This is correct but upon validating the token I personally like to retrieve the validated user's document and use that for the life of the request (appending it to the request object itself), I believe you can apply that logic when you construct your passport strategy. The reason I retrieve an instance of the user and not just use the fields of the jwt is because it can be used to provide an extra layer of validation, ensuring that the user exists and if you have any other authorization checks (eg: admin or not, active or not, etc) you can easily perform them if you have access to the user.

commented

Hi @gvance,
Very clear and thank you! Thank you for sharing! Retrieving from database can indeed let us have more information about the user.

commented

So did anyone add JWT Authentication?

@parialegend Just working on it at the moment. I'm also adding user account verification.