Login Authentication with Express and Passport
25 February 2025
Overview:
I am creating an application and decided to forgo JSON Web Tokens as a means of authenticating client requests. Token authentication is only necessary for larger applications but my application requires only one central database. Session-Based Authentication uses a session id to track ongoing user sessions with our server. Session objects saved in our session database will contain information about each session. HTTP Cookies are useful because cookies can send session data between a client and server.
Implementation
We will discuss the implementation using a tech stack consisting of dependencies:
- Node.js: Javascript Framework
- Express: Node Web-Framework
- Express-Session: Session middleware to create cookies and store sessions
- MongoDB: Storage for session table
- Connect-Mongo: Save and remove sessions
- Passport: Express-Session compatible authentication middleware
1. First let's create an express server in the server.js file:
const app = express(); app.use(express.json()); // Adapt to JSON payload
2. Now configure the session using express-session:
app.use(session({
secret: process.env.SESSION_SECRET,
resave: false,
saveUninitialized: false,
store: MongoStore.create({
mongoUrl: process.env.MONGO_URI,
collectionName: 'sessions'
}),
cookie: { // Set cookie
maxAge: 1000 * 60 * 60 * 24, // 24 hours
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax'
}
}));
3. Introducing the Passport library. Let's initialize:
app.use(passport.initialize()); app.use(passport.session());
Summary:
With the above server code, a user can log into the system and create a new session. The Passport library can easily integrate and configure Google/Apple/Facebook SSO, you will have to use more Passport dependencies for this, which you can find in their documentation.
Passport
I would like to demonstrate more useful use cases with Passport. These use cases include extensive middleware functions and improved session management.
The below code demonstrates how to store user data to the session:
const router = express.Router();
router.post('/create-session', async (req, res) => {
const { isLoggedIn } = req.body;
try {
if (isLoggedIn) {
req.login(user, (err) => {
if (err) {
return res.status(500).json({
success: false,
error: 'Failed to create a session.'
});
}
res.json({ success: true });
});
} else {
res.status(400).json({
success: false,
error: 'User is not logged in.'
});
}
} catch (error) {
res.status(500).json({
success: false,
error: 'A server error has occurred.'
});
}
});
Passport's login() saves user data to req.session namespace with function, serializeUser (see below). Passport then modifies namespace, req.session.passport, which triggers express-session to save the newly modified req.session.
In short,
- Express-session starts the session.
- Passport updates the session with serialized user data
Useful code samples:
Determine what user data you would like to save to the session here:
import User from '/models/User.js';
import passport from 'passport';
passport.serializeUser((user, done) => {
done(null, {
id: user.id,
lastLogin: user.lastLoginAt,
authType: user.authType
});
});
passport.deserializeUser(async (id, done) => {
try {
const user = await User.findById(id);
done(null, user); // Makes user available as req.user
} catch (error) {
done(error, null);
}
});
You can also verify whether a user is authenticated:
app.get('/', (req, res) => {
if (req.isAuthenticated()) {
res.sendFile(path.join(__dirname, 'public/views/index.html'));
} else {
res.sendFile(path.join(__dirname, 'public/views/auth/index.html'));
}
});
thanks for your input @kitsVA