stackoom
  简体   繁体   中英

Authentication for website and adding an expiry

 原文  2021-03-20 17:55:58       node.js/ authentication

Question

I'm changing the authentication to handle expiry on a website that is still under dev. (so have full control over changes at the moment). This is what I currently have (Pseudo code). I have included 4 routes and the db currently holds userToken (id of user), userSecret (changes when user logs out)

SignUpRoute.post('/signup', (req, res) => {
//Save userdetails, userToken, userSecret in DB
}


BidderRoute.post('/logout', userAuth, (req, res) => {
find account with matching email
update db.userSecret
response success
}

userRoute.post('/login', (req, res) => {
if req.body.email === db.email
if req.body.password === db.password(hashed)  
response (db.userToken, db.userToken)  //can this be a cookie?
    
ProductRoute.post('/data', userAuth, (req, res) => {
// some action here
}


userAuth middleware:
req.body.userSecret, req.body.userToken from body
fetch db collection where req.body.userToken === db.userToken
if userToken !== db.userToken && userSecret !==db.userSecret then error (401) - redirect to login
next()

I require to add an expiry to prevent the user from being logged in for more than 30mins, so figured I should add a expiry field in collection and alter /login route and middleware:

userRoute.post('/login', (req, res) => {
if req.body.email === db.email
if req.body.password === db.password(hashed)    
updated and save db.userSecret
updated and save db.expiryDate //30mins
response (db.userToken, db.userToken)  //can this be a cookie?

ProductRoute.post('/data', userAuth, (req, res) => {
// some action here
}
    
userAuth middleware:
req.body.userSecret, req.body.userToken from body
fetch db collection where req.body.userToken === db.userToken
if  now > db.expiryDate  then error (401) - redirect to login
if userToken !== db.userToken && userSecret !==db.userSecret then error (401) - redirect to login
if db.expiryDate < 2mins remaining then renew db.expiryDate (save in db)
next()

Q1. Before I implement I'm wondering if I've missed anything obvious in the steps.

Q2. Currently the front-end stores the userSecret and User token in local storage, and the server sends out a 200 response with userToken and userSecret (not a cookie) (see /login). If I want to hold this data in a cookie on the FE, should the above code be sending a cookie instead or does it not matter as the FE can save the response asa cookie?

UPDATE - If I was to use a cookie - Because cookie has an expiry, I think I can just use this rather than attempting to maintain expiry in db. Will the below work?

userRoute.post('/login', (req, res) => {
if req.body.email === db.email
if req.body.password === db.password(hashed)    
updated and save db.userSecret
 send cookie (with userSecret, userToken)  with 30mins expiry


ProductRoute.post('/data', userAuth, (req, res) => {

Refresh cookie here ?
}


userAuth middleware:
If cookie received //i.e. not expired
    else re-direct to /login
    
Parse userSecret, userToken from COOKIE
fetch db collection where req.body.userToken === db.userToken
if userToken !== db.userToken && userSecret !==db.userSecret then error (401) - redirect to login
if db.expiryDate < 2mins remaining then renew db.expiryDate (save in db)
next()

1 answers

solution1
 0 ACCPTED  2021-03-21 10:02:08

I think you can add jwt-token in the headers in order to authenticate logged-in users.

  1. Once the user logins in create a payload and create a jwt-token and add it to the response.

  2. On the subsequent request from the FE you can add the auth header with same token.

  3. On the backend, verify the token, if it is expired try to refresh it and follow the step first again.

There are several tutorials available online to help you create jwt-token. You can check here . Also, this article is really good to setup authentication on node.js.

Q1. Before I implement I'm wondering if I've missed anything obvious in the steps.

There are quite a few mistakes in it. You should not save token on DB's instead use JWT-token to check the expiry, you can also use sessions in node.js

Q2. Currently the front-end stores the userSecret and User token in local storage, and the server sends out a 200 response with userToken and userSecret (not a cookie) (see /login). If I want to hold this data in a cookie on the FE, should the above code be sending a cookie instead or does it not matter as the FE can save the response asa cookie?

To allow FE to save this response in the cookie, you need to create one at the backend. When you attach it to the response browser on the subsequent request will attach it automatically. Go through how cookies work .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Adding an authentication challange logic to my website Authentication expiry dates and single login at a time On Access Token Expiry - JWT Authentication - DocuSign From authentication to website - a mismatch error in twitter authentication with website in nodejs Android app authentication with existiing website Adding an archiving feature to my website Passport Facebook authentication for website users plus local authentication for admin Mongoose expiry User authentication for Node.js website
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM