2

What's the best way to authenticate a user with Mongoose and ExpreeJS.

I'm using mongoose 3.x and it looks like this package isn't being updated anymore: https://github.com/bnoguchi/mongoose-auth

Ideally I could authenticate user with twitter and facebook too.

chovy
  • 72,281
  • 52
  • 227
  • 295

3 Answers3

10

I always prefer not to use a plugin or module for every problem. Using just mongoose you could do it like this:

Have a db.js for your mongoDB configuration

var mongoose = require('mongoose');
mongoose.connect("mongodb://...");
var userSchema = new mongoose.Schema({
  username: String,
  salt: String,
  hash: String
});
exports.User = mongoose.model("user", userSchema);

Use TJ's pass.js file to hash passwords. It uses crypto.pbkdf2 for encryption.

Create a user by hand or use a form to allow self registration:

var db = require('./db');
var pwd = require('./pwd');
var user = new db.User();
user.username = "Admin";
pwd.hash("adminPassword", function(err, salt, hash) {
  if (err) {
    console.log(err);
  }
  user.salt = salt;
  user.hash = hash;
  user.save(function(err) {
    if (err) {
      console.log(err);
    } else {
      console.log("user saved");
    }
  });
});

Now you should have a user with username, encrypted password and hash in your db. To check on login use a middleware function:

function authenticate(name, pass, fn) {
  db.User.findOne ({username: name}, function(err, user) {
    if (!user) return fn(new Error('cannot find user'));
    hash(pass, user.salt, function(err, hash){
      if (err) return fn(err);
      if (hash == user.hash) return fn(null, user);
      fn(new Error('invalid password'));
    })
  })
}

app.post('/login', function(req, res){
  authenticate(req.body.username, req.body.password, function(err, user){
    if (user) {
      req.session.regenerate(function(){
        req.session.user = user;
        res.redirect('back');
      });
    } else {
      res.redirect('login');
    }
  });
});

// middleware
function restrict(req, res, next) {
  if (req.session.user) {
    next();
  } else {
    req.session.error = 'Access denied!';
    res.redirect('/login');
  }
}

// route with restrict middleware
app.get('/restricted', restrict, function(req, res){
  res.send('Wahoo! restricted area');
});

Most of the code is taken from the auth example and I added the stuff for mongoose. Hope this helps!

zemirco
  • 16,171
  • 8
  • 62
  • 96
3

I used this example when learning how to do this with MongoDB and Node:

https://github.com/braitsch/node-login

I think it is a really good isolated example of doing user authentication yourself. It uses bcrypt to hash and salt user passwords. and if you look inside AccountManager you can see how it works with the Mongo database.

However, if you wish to authenticate using other strategies I suggest you check out Passport.js. I haven't had a chance to use it, but I think it looks pretty well developed and simple enough. Perhaps you can update this page with your experience with it.

Cory Gross
  • 36,833
  • 17
  • 68
  • 80
  • thanks. i was looking at Passport, but I don't think it's flexible enough, I couldn't see a way to customize how users are authenticated. I will peak through node-login code, and cringe at the jade :) – chovy Sep 23 '12 at 06:04
  • I cringed at the Jade as well. I am an [EJS](embeddedjs.com) guy myself. Regardless of what templating (if any) you use, you should be able to use node-login as a guide. – Cory Gross Sep 23 '13 at 15:04
0

Everyauth is another option, especially if you're looking for lots of flexibility and support for authenticating via third parties like twitter and facebook.

See this post from the author in another SO question for a good overview of its features and benefits.

Community
  • 1
  • 1
JohnnyHK
  • 305,182
  • 66
  • 621
  • 471