How to implement server side sessions in node.js with express for an android app?

Question

Hello all i am making an android app in whiich i have multiple account login at a time now my question is that i for multiple logins i should use sessions to verify every account user that is logged in. Now i am using express on the server side i have read a lot of documentation on storing sessions in node.js

1. Express-session (Though it is only good for development but not for production but not for my app)
2. Cookie-session
3. connect-Redis
4. connect-mongo

I have also heard about json web tokens where i can generate unique tokens and then i can pass the tokens to the client using res.json({user_id:"user1", token: "generated_token here"}) I have also heard about passport but dont know how it is going to do this also as in passport i use express-session by default will it be good for production or not ??

Now my first question is i have read all of there docs and nowhere it is mentioned where i am creating unique tokens for every user that is signing up. Second question as i am using my server for android app there will be no use of cookie i will be sending user token as in parameter req.body.token now how to cmpare this with current user_id.

Actually i dont get the flow of control i mean how everything is going on in session in node.js. Also what is this secret is this thing generating unique tokens or what. Also i mean about 100000 of users are registered for my app now please tell me accordingly which way should i use for my app.

I have asked this question previously but there i did not mention that as i am not making a website how to do this(As in my case there will be no use of tokens)

I know this question i am asking is very vague but please bear with me i just want to understand how sessions are used in node.js

Thanks Anways

Answer 1

I'll try to answer this, but it is vague (as you pointed out). I'm going to make an assumption that your Android app is a native Android app and is going to be connecting to some sort of NodeJS backend in the cloud that is based on ExpressJS. If that's not the case, please clarify your thoughts in an update to your question.

The best idea for this specific scenario is to look to the cloud provide. Azure App Service Mobile Apps, for example, allows you to implement authentication - it eventually returns a JSON Web Token ( http://jwt.io ) to authenticate each request.

If you don't want to be beholden to a cloud provider, but want to run it yourself, you are going to have to implement the token generation and checking yourself. This generally follows the form:

• Set up a WebAPI endpoint (maybe /signin) which takes whatever token the identity provider gives you, verifies the information and returns a JWT - there is an NPM module (jsonwebtoken) for producing the JWT. Ensure the JWT includes the identity of your user. I tend to use email address for the identity.
• Your Android application will do a WebAPI request to your backend with an Authorization header, the value of which is "Bearer "
• Your NodeJS API will use JWT authorization to validate the JWT and extract the user identity so you can use it in your API logic.

The important thing to note in this specific scenario is that your backend code is implementing a WebAPI - there are no cookies nor sessions in the API. The only thing that is linking the user from the client code to the backend code is the JWT.

As a short piece of code, here is how you verify a JWT:

var express = require('express');
var app = express();
var jwt = require('express-jwt');

var jwtCheck = jwt({
  secret: new Buffer('your-jwt-secret', 'base64'),
  audience: 'your-jwt-audience'
});

app.get('/api/protected', jwtCheck, (req, res) => {
// Your code here
});

app.listen(process.env.PORT || 3000);