
Authentication for website and adding an expiry

I'm changing the authentication to handle expiry on a website that is still under development (so I have full control over changes at the moment). This is what I currently have (pseudo code). I have included 4 routes; the DB currently holds userToken (id of user) and userSecret (changes when the user logs out).

    SignUpRoute.post('/signup', (req, res) => {
        // Save user details, userToken, userSecret in DB
    })

    BidderRoute.post('/logout', userAuth, (req, res) => {
        find account with matching email
        update db.userSecret        // rotating the secret invalidates the old copy
        response success
    })

    userRoute.post('/login', (req, res) => {
        if req.body.email === db.email
            if req.body.password === db.password(hashed)
                response (db.userToken, db.userSecret)   // can this be a cookie?
    })

    ProductRoute.post('/data', userAuth, (req, res) => {
        // some action here
    })

    userAuth middleware:
        read req.body.userSecret, req.body.userToken from body
        fetch db collection where req.body.userToken === db.userToken
        // either mismatch must reject (with && the secret check would never fire,
        // because the record was looked up by userToken)
        if userToken !== db.userToken || userSecret !== db.userSecret then error (401) - redirect to login
        next()

I need to add an expiry to prevent the user from staying logged in for more than 30 mins, so I figured I should add an expiry field to the collection and alter the /login route and middleware:

    userRoute.post('/login', (req, res) => {
        if req.body.email === db.email
            if req.body.password === db.password(hashed)
                update and save db.userSecret
                update and save db.expiryDate            // now + 30 mins
                response (db.userToken, db.userSecret)   // can this be a cookie?
    })

    ProductRoute.post('/data', userAuth, (req, res) => {
        // some action here
    })

    userAuth middleware:
        read req.body.userSecret, req.body.userToken from body
        fetch db collection where req.body.userToken === db.userToken
        if now > db.expiryDate then error (401) - redirect to login
        if userToken !== db.userToken || userSecret !== db.userSecret then error (401) - redirect to login
        if db.expiryDate < 2 mins remaining then renew db.expiryDate (save in db)
        next()

Q1. Before I implement this I'm wondering if I've missed anything obvious in the steps.

Q2. Currently the front-end stores the userSecret and userToken in local storage, and the server sends out a 200 response with userToken and userSecret (not a cookie) (see /login). If I want to hold this data in a cookie on the FE, should the above code be sending a cookie instead, or does it not matter, as the FE can save the response as a cookie?

UPDATE - If I were to use a cookie: because a cookie has an expiry, I think I can just use this rather than attempting to maintain the expiry in the DB. Will the below work?

    userRoute.post('/login', (req, res) => {
        if req.body.email === db.email
            if req.body.password === db.password(hashed)
                update and save db.userSecret
                send cookie (with userSecret, userToken) with 30 mins expiry
    })

    ProductRoute.post('/data', userAuth, (req, res) => {
        // Refresh cookie here?
    })

    userAuth middleware:
        if no cookie received   // i.e. expired
            redirect to /login
        parse userSecret, userToken from COOKIE
        fetch db collection where cookie.userToken === db.userToken
        if userToken !== db.userToken || userSecret !== db.userSecret then error (401) - redirect to login
        if db.expiryDate < 2 mins remaining then renew db.expiryDate (save in db)
        next()

I think you can add a jwt-token in the headers in order to authenticate logged-in users.

  1. Once the user logs in, create a payload, create a jwt-token and add it to the response.

  2. On subsequent requests from the FE you can add the auth header with the same token.

  3. On the backend, verify the token; if it is expired, try to refresh it and follow the first step again.

There are several tutorials available online to help you create a jwt-token. You can check here. Also, this article is really good for setting up authentication on node.js.

Q1. Before I implement this I'm wondering if I've missed anything obvious in the steps.

There are quite a few mistakes in it. You should not save the token in the DB; instead, use a JWT-token to check the expiry. You can also use sessions in node.js.

Q2. Currently the front-end stores the userSecret and userToken in local storage, and the server sends out a 200 response with userToken and userSecret (not a cookie) (see /login). If I want to hold this data in a cookie on the FE, should the above code be sending a cookie instead, or does it not matter, as the FE can save the response as a cookie?

To allow the FE to save this response in a cookie, you need to create one at the backend. When you attach it to the response, the browser will attach it automatically on subsequent requests. Go through how cookies work.
