I'm building an application using nodejs express + mongodb. I need to add authentication.
I've found these options:
Are my user credentials which I pass over the internet secure if I combine one of these 2 with ssl?
Well, both are secure but different (https is the way).
If you need server side sessions after autentication, go for passport is easy to set up and supports a ton of autentication ways.
In the case of JsonWebTokens, are great way to implement session-less autentication like interacting with a REST API.
This is a good read: If REST applications are supposed to be stateless, how do you manage sessions?
Yes, it will be secure if you do that, you may consider using two-factor authentication if you want to increase security.
json web tokens is just a standard used for token based authentication, while the passport framework is a tool that will help you to build your software in a more secure way. I'm not familiar with Passport Framework, but I believe that all strategies that it provides will use JWT.
TLS (or SSL) is a tunneling protocol to tunnel unsecure http protocol, which sends plain text data to a server. You may be interested in RFC1818 that has some information about using http with tls.
It's very important to tunnel http request when sending sensitive information. It will add to you app: 1) Server authentication 2) Integrity protection 3) Replay protection 4) Confidentiality
