
I've followed this tutorial to the end and made a working sample.

But now, I'm trying to learn more about the authentication. For example, it all works well if you register and log in. But what if I delete that user from the database? In the UI, the user just stays logged in, even though he doesn't exist...

Is there something I'm missing? Or simply I have to check in the database on every load?

Thanks!

Edit: This is my code

silentw

1 Answer


In the tutorial you provided there's a section that states:

We'll be using localStorage for persisting data to the client. This gives us a much easier interface for persisting data across sessions without having to deal with parsing cookies or handling cookies across multiple domains. If a JWT token exists in localStorage, we can assume the user is logged in as long as the token isn't expired. To log a user out, simply remove the token from localStorage. Check out the localStorage documentation on MDN for a better understanding of localStorage.

If you delete a user directly from the database after you have logged in with that same user, the authentication token is still present in your browser's local storage. However, if you clear your browser's local storage (or just change the expiration date of the authentication token to some date in the past), you will see that if you access your app again, you won't be logged in and can't even log in with that user, since it was deleted from the database.

Regarding the database check, I believe the database is checked only once which is in the moment you login (i.e., to check if the user exists and the password is correct). After a successful login, the client side token is created and no more database check is needed regarding the user being logged in or not.

EDIT:

As the OP requested:

There are many ways of implementing a custom middleware. A basic one is as mentioned in How to intercept node.js express request:

var myFunc = function (req, res, next) {
    // Check if the user is valid (e.g. look the user up in the database);
    // the condition below is a placeholder for that check
    var isValid = /* your check here */ true;
    if (isValid) {
        // If it is valid, hand the request on to the next middleware
        return next();
    }
    // If it is not valid, end the request here with a 401.
    // res.status(401) alone only sets the code without sending a response,
    // so use sendStatus (or res.status(401).end()) to actually reply.
    res.sendStatus(401);
};
app.post('/my-route', myFunc, anotherFunc);

The order of middleware placement in express routing is important.

Once a request for /my-route is made, myFunc will be called. In that function you can check if the user is disabled or not. If it is valid, "next()" will tell express to move on to the next middleware, which will be anotherFunc. If the user is not valid, res.status(401); will make express skip the other middleware and answer that request with status code 401.

pgrodrigues
  • I know all of that. But, what I need is that, if I for some reason delete/disable an account on the database (or through an administration form) the user is disconnected automatically on the next load of something. – silentw Nov 27 '15 at 17:03
  • It will depend on the way your backend is structured. It won't happen instantly. It will happen when a user makes a new request and if in your backend you deliberately check the user making that request for its account status or permissions. – pgrodrigues Nov 27 '15 at 17:12
  • (cont) If you don't check it, the user will keep using your app until the token's expiration date, until the user's local storage is cleaned or until he logs out. – pgrodrigues Nov 27 '15 at 17:19
  • I've added my code to the question. In my code, what is the best way to achieve what I want? Thanks! – silentw Nov 27 '15 at 17:22
  • Just add a custom middleware before the routes you want the user to be checked (in routes.js) and if that user is not valid just return status 401 or 403 depending on the fact of it being deleted or just disabled. – pgrodrigues Nov 27 '15 at 17:33
  • Can you provide me a simple example? I'm really a beginner at this, and I'm trying to learn some basics. I believe this is a useful stuff for me to learn. Thanks! – silentw Nov 27 '15 at 17:51
  • Sorry for only coming to this question back now. In your example, I would need to add this function in every single route right? Is there any way I can make it global? Or maybe using socket.io I can do something like what I want? Like, send a message when I disable an account? – silentw Dec 01 '15 at 12:09
  • You can use a custom middleware as `app.use(function (req, res, next) { //... });` before the router, instead of using the middleware function for each route. It is explained in the link provided in the answer. – pgrodrigues Dec 01 '15 at 15:08