Slide 1

Slide 1 text

Everything You Ever Wanted to Know About Authentication in Node.js @rdegges

Slide 2

Slide 2 text

I’m Randall Degges
Developer Evangelist at Stormpath
Python / Node / Go Hacker

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

● Build a simple Node.js site.
● Store user accounts in MongoDB.
● Register and login users.
● Safely store user passwords using bcrypt.
● Enforce authentication rules on pages.
● HTTP authentication.

Slide 5

Slide 5 text

https://github.com/rdegges/svcc-auth
https://speakerdeck.com/rdegges

Slide 6

Slide 6 text

0x00 - Getting Set Up

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

Prep the App

$ mkdir views
$ touch app.js
$ touch views/base.jade
$ touch views/index.jade
$ touch views/register.jade
$ touch views/login.jade
$ touch views/dashboard.jade

Slide 9

Slide 9 text

Install Dependencies

$ npm install express
$ npm install jade

Slide 10

Slide 10 text

Base Templates

Slide 11

Slide 11 text

base.jade

block vars
doctype html
html
  head
    title SVCC Auth | #{title}
  body
    block body

Slide 12

Slide 12 text

index.jade

extends base

block vars
  - var title = 'Home'

block body
  h1 SVCC Auth!
  p.
    Welcome to the SVCC Auth! home page. Please register or login to continue!

Slide 13

Slide 13 text

register.jade

extends base

block vars
  - var title = 'Register'

block body
  h1 Create an Account
  form(method="post")
    span First Name:
    input(type="text", name="firstName", required=true)
    br
    span Last Name:
    input(type="text", name="lastName", required=true)
    br
    span Email:
    input(type="email", name="email", required=true)
    br
    span Password:
    input(type="password", name="password", required=true)
    br
    input(type="submit")

Slide 14

Slide 14 text

login.jade

extends base

block vars
  - var title = 'Login'

block body
  h1 Log Into Your Account
  if error
    p ERROR: #{error}
  form(method="post")
    span Email:
    input(type="email", name="email", required=true)
    br
    span Password:
    input(type="password", name="password", required=true)
    br
    input(type="submit")

Slide 15

Slide 15 text

dashboard.jade

extends base

block vars
  - var title = 'Dashboard'

block body
  h1 Dashboard
  p.
    Welcome to your dashboard! You are now logged in.

Slide 16

Slide 16 text

Base App

Slide 17

Slide 17 text

app.js

var express = require('express');
var app = express();

app.set('view engine', 'jade');

app.get('/', function(req, res) {
  res.render('index.jade');
});

app.get('/register', function(req, res) {
  res.render('register.jade');
});

app.get('/login', function(req, res) {
  res.render('login.jade');
});

app.get('/dashboard', function(req, res) {
  res.render('dashboard.jade');
});

app.listen(3000);

Slide 18

Slide 18 text

Now… Run it!

$ node app.js

Slide 19

Slide 19 text

0x01 - HTML

Slide 20

Slide 20 text

Forms!

(screenshot of the rendered registration form: First Name, Last Name, Email and Password fields)

Slide 21

Slide 21 text

Form Data

$ npm install body-parser

// app.js
var bodyParser = require('body-parser');

app.use(bodyParser.urlencoded({ extended: true }));

app.post('/register', function(req, res) {
  res.json(req.body);
});

Slide 22

Slide 22 text

0x02 - Databases

Slide 23

Slide 23 text

MongoDB!

$ sudo mongod &
$ mongo
MongoDB shell version: 2.6.2
connecting to: test
Server has startup warnings:
2014-10-11T17:12:22.963-0700 [initandlisten]
2014-10-11T17:12:22.963-0700 [initandlisten] ** WARNING: soft rlimits too low. Number of files is 256, should be at least 1000
>

Slide 24

Slide 24 text

Basics

> use testdb;
switched to db testdb
> show collections;
> db.users.insert({ email: '[email protected]', password: 'woot' });
WriteResult({ "nInserted" : 1 })
> db.users.find();
{ "_id" : ObjectId("543a2c005fe787e049f1e3ea"), "email" : "[email protected]", "password" : "woot" }
>

Slide 25

Slide 25 text

mongoose (ORM)

$ npm install mongoose

// app.js
var mongoose = require('mongoose');

mongoose.connect('mongodb://localhost/svcc');

Slide 26

Slide 26 text

mongoose Models

var Schema = mongoose.Schema;
var ObjectId = Schema.ObjectId;

var User = mongoose.model('User', new Schema({
  id: ObjectId,
  firstName: String,
  lastName: String,
  email: { type: String, unique: true },
  password: String,
}));

Slide 27

Slide 27 text

Creating Users

app.post('/register', function(req, res) {
  var user = new User({
    firstName: req.body.firstName,
    lastName: req.body.lastName,
    email: req.body.email,
    password: req.body.password,  // stored as plaintext for now; replaced with a bcrypt hash in 0x04
  });

  user.save(function(err) {
    if (err) {
      var error = 'Something bad happened! Please try again.';
      if (err.code === 11000) {  // MongoDB duplicate key error (the unique email index)
        error = 'That email is already taken, please try another.';
      }
      res.render('register.jade', { error: error });
    } else {
      res.redirect('/dashboard');
    }
  });
});

Slide 28

Slide 28 text

Verifying

> db.users.find();
{ "_id" : ObjectId("543a2f00e20ba7d946688eab"), "firstName" : "Randall", "lastName" : "Degges", "email" : "r@rdegges.com", "password" : "woot!", "__v" : 0 }
>

Slide 29

Slide 29 text

Logging in Users

app.post('/login', function(req, res) {
  User.findOne({ email: req.body.email }, function(err, user) {
    if (!user) {
      res.render('login.jade', { error: "Incorrect email / password." });
    } else {
      // plaintext comparison against the stored password; replaced with bcrypt.compareSync in 0x04
      if (req.body.password === user.password) {
        res.redirect('/dashboard');
      } else {
        res.render('login.jade', { error: "Incorrect email / password." });
      }
    }
  });
});

Slide 30

Slide 30 text

Recap!

Slide 31

Slide 31 text

0x03 - Sessions

Slide 32

Slide 32 text

The Idea

Identity information (kept in the session):
● firstName
● lastName
● email
● etc.
● (not password)

Server, on each request:
● retrieve identity from session
● verify / update
● process request

Slide 33

Slide 33 text

Cookies!

(diagram: browser and server exchanging cookies)

Slide 34

Slide 34 text

Reading Cookies

{
  "User-Agent": "cURL/1.2.3",
  "Accept": "*/*",
  "Host": "localhost:3000",
  "Cookie": "[email protected];"
}

Slide 35

Slide 35 text

Creating Cookies

Set-Cookie: [email protected]

{
  "Set-Cookie": "[email protected]"
}

Slide 36

Slide 36 text

client-sessions

$ npm install client-sessions

var session = require('client-sessions');

app.use(session({
  cookieName: 'session',
  secret: 'some_random_string',
  duration: 30 * 60 * 1000,
  activeDuration: 5 * 60 * 1000,  // optional
}));

Slide 37

Slide 37 text

Using Sessions

app.post('/login', function(req, res) {
  User.findOne({ email: req.body.email }, function(err, user) {
    if (!user) {
      res.render('login.jade', { error: "Incorrect email / password." });
    } else {
      // still a plaintext comparison at this point; replaced with bcrypt.compareSync in 0x04
      if (req.body.password === user.password) {
        req.session.user = user.email;  // only the identity goes into the session, never the password
        res.redirect('/dashboard');
      } else {
        res.render('login.jade', { error: "Incorrect email / password." });
      }
    }
  });
});

Slide 38

Slide 38 text

No content

Slide 39

Slide 39 text

Improving /dashboard

app.get('/dashboard', function(req, res) {
  if (req.session && req.session.user) {
    User.findOne({ email: req.session.user }, function(err, user) {
      if (!user) {
        req.session.reset();
        res.redirect('/login');
      } else {
        res.locals.user = user;
        res.render('dashboard.jade');
      }
    });
  } else {
    res.redirect('/login');
  }
});

Slide 40

Slide 40 text

Using Session Info

extends base

block vars
  - var title = 'Dashboard'

block body
  h1 Dashboard
  p.
    Welcome to your dashboard! You are now logged in.

  h2 User Information
  p First Name: #{user.firstName}
  p Last Name: #{user.lastName}
  p Email: #{user.email}

Slide 41

Slide 41 text

0x04 - Storing Passwords

Slide 42

Slide 42 text

Current User Data

{
  "_id" : ObjectId("543a2f00e20ba7d946688eab"),
  "firstName" : "Randall",
  "lastName" : "Degges",
  "email" : "[email protected]",
  "password" : "woot!",
  "__v" : 0
}

Slide 43

Slide 43 text

Hashing!

● md5
● sha256
● bcrypt
● scrypt
● etc.

Slide 44

Slide 44 text

bcrypt (pseudo)

var password = 'hi';
var hash = bcrypt(password);

console.log(hash);
// $2a$10$uS.pE0aS0NlsgbvLd6EruO5VDKllinIZLF3C84OYzWHFiyKYfZVXy

Slide 45

Slide 45 text

Improving /register

$ npm install bcryptjs

var bcrypt = require('bcryptjs');

app.post('/register', function(req, res) {
  var salt = bcrypt.genSaltSync(10);
  var hash = bcrypt.hashSync(req.body.password, salt);

  var user = new User({
    firstName: req.body.firstName,
    lastName: req.body.lastName,
    email: req.body.email,
    password: hash,
  });

  user.save(function(err) {
    if (err) {
      var error = 'Something bad happened! Please try again.';
      if (err.code === 11000) {
        error = 'That email is already taken, please try another.';
      }
      res.render('register.jade', { error: error });
    } else {
      req.session.user = user.email;
      res.redirect('/dashboard');
    }
  });
});

Slide 46

Slide 46 text

Improving /login

app.post('/login', function(req, res) {
  User.findOne({ email: req.body.email }, function(err, user) {
    if (!user) {
      res.render('login.jade', { error: "Incorrect email / password." });
    } else {
      if (bcrypt.compareSync(req.body.password, user.password)) {
        req.session.user = user.email;
        res.redirect('/dashboard');
      } else {
        res.render('login.jade', { error: "Incorrect email / password." });
      }
    }
  });
});

Slide 47

Slide 47 text

Improved User

{
  "_id" : ObjectId("543a991f8fea0e494e4c0bb1"),
  "firstName" : "Randall",
  "lastName" : "Degges",
  "email" : "[email protected]",
  "password" : "$2a$10$uS.pE0aS0NlsgbvLd6EruO5VDKllinIZLF3C84OYzWHFiyKYfZVXy",
  "__v" : 0
}

Slide 48

Slide 48 text

0x05 - Middleware

Slide 49

Slide 49 text

Smart User Middleware

app.use(function(req, res, next) {
  if (req.session && req.session.user) {
    User.findOne({ email: req.session.user }, function(err, user) {
      // if a user was found, make the user available
      if (user) {
        req.user = user;
        req.session.user = user.email;  // update the session info
        res.locals.user = user;  // make the user available to templates
      }
      next();
    });
  } else {
    next();  // if no session is available, do nothing
  }
});

Slide 50

Slide 50 text

Force Authentication

function requireLogin(req, res, next) {
  // if this user isn’t logged in, redirect them to
  // the login page
  if (!req.user) {
    res.redirect('/login');
  // if the user is logged in, let them pass!
  } else {
    next();
  }
}

app.get('/dashboard', requireLogin, function(req, res) {
  // ...
});

Slide 51

Slide 51 text

0x06 - CSRF

Slide 52

Slide 52 text

Let’s Say...

Slide 53

Slide 53 text

(cross site request forgery)

Hey Randall,
Check out this picture of my dog!

Slide 54

Slide 54 text

:(

Slide 55

Slide 55 text

CSRF Protection

$ npm install csurf

// app.js
var csrf = require('csurf');

// mount after client-sessions and body-parser: csurf keeps its secret in the
// session and reads the submitted token from req.body._csrf
app.use(csrf());

app.get('/register', function(req, res) {
  res.render('register.jade', { csrfToken: req.csrfToken() });
});

app.get('/login', function(req, res) {
  res.render('login.jade', { csrfToken: req.csrfToken() });
});

// register.jade + login.jade
form(method="post")
  input(type="hidden", name="_csrf", value=csrfToken)

Slide 56

Slide 56 text

0x06 - Security

Slide 57

Slide 57 text

ALWAYS USE SSL!

(diagram: user, server, secret)

Slide 58

Slide 58 text

Securing Cookies

app.use(session({
  cookieName: 'session',
  secret: 'some_random_string',
  duration: 30 * 60 * 1000,
  activeDuration: 5 * 60 * 1000,
  cookie: {            // client-sessions reads the cookie flags from this nested object
    httpOnly: true,    // don't let JS code access cookies
    secure: true,      // only set cookies over https
    ephemeral: true,   // destroy cookies when the browser closes
  },
}));

Slide 59

Slide 59 text

0x06 - Other Options

Slide 60

Slide 60 text

passport.js

Pros
● open source
● supports many different types of login
● very minimalistic

Cons
● requires work to integrate
● mixing multiple authentication types is problematic

Slide 61

Slide 61 text

drywall

Pros
● open source
● ‘full website framework’
● uses passport.js
● lots of prebuilt stuff!

Cons
● restrictive
● forces you to use specific tools
● doesn’t support API auth (afaik)

Slide 62

Slide 62 text

Stormpath

Pros
● free *and* paid versions
● supports both web and api auth
● works in many different languages
● pre-built authentication views
● handles security / storage for you

Cons
● core product is closed source

Slide 63

Slide 63 text

Stormpath

● User account storage / encryption.
● Authentication.
● Authorization.
● REST API management.
● Social login.

(diagram: End User, Your Webserver, Stormpath API)

Slide 64

Slide 64 text

express-stormpath

$ npm install express-stormpath

var express = require('express');
var stormpath = require('express-stormpath');

var app = express();

app.use(stormpath.init(app, {
  apiKeyId: 'xxx',
  apiKeySecret: 'xxx',
  application: 'https://api.stormpath.com/v1/applications/xxx',
  secretKey: 'some_long_random_string',
}));

app.listen(3000);

Slide 65

Slide 65 text

No content

Slide 66

Slide 66 text

Enabling Features

app.use(stormpath.init(app, {
  apiKeyId: 'xxx',
  apiKeySecret: 'xxx',
  application: 'https://api.stormpath.com/v1/applications/xxx',
  secretKey: 'some_long_random_string',
  enableAccountVerification: true,  // make users confirm their email
  enableForgotPassword: true,       // enable secure password reset
  enableGoogleLogin: true,          // enable google login
}));

Slide 67

Slide 67 text

You’re awesome.

@rdegges
@gostormpath