JWT-auth-demo
jsonwebtoken
passport
passport-local
passport-jwt
bcrypt
csurf
mongoose
express-validator
Why JWT
No sessions (stateless)
Query the database only once, at login
Store the JWT in an httpOnly, secure cookie
Front-End Frameworks
TIL
router.param
middleware for handling req.params
// Route-parameter middleware: Express runs this once per request whose matched
// route declares an `:id` placeholder, before the route handler itself.
// `id` is the raw string taken from the URL, so this is the place to validate
// it (and, typically, load the record and attach it to `req`) before next().
router.param('id', (req, res, next, id) => {
  // ...
});
passport.js custom name
// Registers a LocalStrategy under the custom key 'name' rather than the
// default 'local', so several local-style strategies can coexist. The same
// key is what passport.authenticate('name', ...) selects.
module.exports = () => {
  passport.use(
    'name',
    new LocalStrategy(
      // ...
    )
  );
};
// Custom-callback form of authenticate(): passport hands the outcome to this
// callback instead of responding itself. `authError` is an exception from the
// strategy, `user` is false on failure and `info` then carries the strategy's
// failure message. NOTE(review): with a custom callback passport does NOT call
// req.login() for you — the callback owns the response, and for the stateless
// JWT flow presumably `{ session: false }` is passed as well; confirm.
passport.authenticate('name', (authError, user, info) => {
  // ...
})
csurf
// CSRF protection: csurf keeps its secret in the '_csrf' cookie and checks the
// per-request token that forms echo back (see the hidden `_csrf` input).
// The inner options are forwarded to res.cookie(), so `sameSite` could be
// added here as defence in depth. NOTE(review): csurf is no longer maintained
// upstream (deprecated in 2022); plan for a maintained replacement.
app.use(
  csurf({
    cookie: {
      key: '_csrf',
      httpOnly: true, // not readable from page scripts
      secure: prod    // Secure attribute only in production; `prod` is defined elsewhere — confirm it derives from NODE_ENV
    }
  })
);
// Renders the main page with a fresh CSRF token. req.csrfToken() exists only
// because the csurf middleware is mounted before this router; the view must
// echo the value in a hidden `_csrf` field for its POSTs to be accepted.
router.get('/', (req, res) => {
  res.render('main', {
    csrfToken: req.csrfToken()
  });
});
//- Hidden field carrying the token from req.csrfToken(); csurf reads `_csrf` from the POST body.
input(type='hidden' name='_csrf' value=csrfToken)
express-validator
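const { check, body } = require('express-validator');

// POST /signup: validate, then sanitize, then hand off to the controller.
// Express flattens the handler array, so the chains run in the order listed:
// the check() validators first, then the body('*') sanitizer, then the auth
// middleware and controller (both defined elsewhere in the project).
router.post(
  '/signup',
  [
    // withMessage() labels only the validator immediately before it, so each
    // validator gets its own text instead of the isEmpty() failure falling
    // back to the library default "Invalid value".
    check('email')
      .not().isEmpty().withMessage('Email is required')
      .isEmail().withMessage('Email must be valid')
      .normalizeEmail(),
    // isLength({ min: 3 }) accepts a 3-character password, so the message now
    // says "at least 3", matching what is enforced. Three is a demo-sized
    // threshold; raise `min` for anything real.
    check('password')
      .not().isEmpty().withMessage('Password is required')
      .isLength({ min: 3 }).withMessage('Password must be at least 3 characters'),
  ],
  // body() replaces the deprecated sanitizeBody() with the same chain API.
  // escape() rewrites <, >, &, quotes, / and \ in EVERY field — including the
  // password before it is hashed — so unless the login route applies the
  // identical sanitizer, passwords containing those characters will not
  // verify. blacklist('${}') strips the characters used by Mongo operator
  // syntax from string fields.
  body('*')
    .escape()
    .blacklist('${}'),
  authMiddleware.isNotLoggedIn,
  authController.postSignup
);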
Cache-Control
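// Serve ./public with a one-year Cache-Control max-age. express.static takes
// maxAge in MILLISECONDS (or an ms-format string); the bare 31557600 used
// before is the number of seconds in a Julian year, which as milliseconds is
// under nine hours. '1y' yields 31557600000 ms, i.e. the intended
// max-age=31557600. Only safe for assets whose filenames change with their
// content; otherwise clients keep a stale copy for a year.
app.use(express.static(path.join(__dirname, 'public'), { maxAge: '1y' }));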
PM2
AWS Lightsail - Bitnami
Built-in Apache proxy server
# /opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf
# Forward every request to the Node app listening on loopback port 3000.
# ProxyPassReverse rewrites Location/Content-Location headers in the app's
# redirects so clients see the public origin rather than 127.0.0.1:3000.
# NOTE(review): without `ProxyPreserveHost On` the app receives
# Host: 127.0.0.1:3000 — confirm nothing in the app builds absolute URLs
# from req.hostname.
# NOTE(review): keep the app bound to 127.0.0.1 (not 0.0.0.0) so port 3000
# cannot be reached directly, bypassing the HTTPS redirect in bitnami.conf.
ProxyPass / http://127.0.0.1:3000
ProxyPassReverse / http://127.0.0.1:3000
# Restart Apache so the new ProxyPass directives are loaded.
sudo /opt/bitnami/ctlscript.sh restart apache
Redirect HTTP to HTTPS in Apache
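# /opt/bitnami/apache2/conf/bitnami/bitnami.conf
# Plain-HTTP vhost: send every non-local request to the HTTPS origin.
<VirtualHost _default_:80>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  RewriteEngine On
  # Only rewrite when the request did not already arrive over TLS.
  RewriteCond %{HTTPS} !=on
  # Leave local/loopback access alone (dots escaped so they match literally).
  RewriteCond %{HTTP_HOST} !^(localhost|127\.0\.0\.1)
  # R=301 makes the redirect permanent so browsers cache it and stop trying
  # plain HTTP first; a bare [R] is a temporary 302.
  RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R=301,L]
  # NOTE(review): the :443 vhost (not shown here) should also send a
  # Strict-Transport-Security header so returning browsers never issue the
  # plain-HTTP request in the first place.
  ...
</VirtualHost>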