
So this is my structure:

  1. HTML form sends authentication to nodejs.
  2. Authenticate using passportjs > res.send the userid with jwt-simple (json web token).
  3. The received info is saved in $localStorage.user. I use that info in any of the controllers needed and include it and send my post/get requests to nodejs.
  4. I decode the info in nodejs and query the DB.

Is this safe? Is this how it works in real world?

Many thanks.

Somename
  • Possible duplicate of [Where to store JWT in browser? How to protect against CSRF?](http://stackoverflow.com/questions/27067251/where-to-store-jwt-in-browser-how-to-protect-against-csrf) – pedrofb Mar 21 '17 at 10:22
  • 1
    As long as you have an encryption and decryption module(in your case you have used jwt-simple) for login mechanism, you are safe with your requests. – sudheeshcm Mar 21 '17 at 13:09

1 Answer


@Somename: The workflow which you have mentioned is slightly correct. The ideal way to get passport authentication done is,

  1. User logs in entering his username and password.
  2. Send a post request with these form data.
  3. Authenticate the credentials using Passport. Using the passport.authenticate will invoke the serializeUser and get you the valid user if it exists. Else we return a login error response.
  4. A successful login will automatically create a session in back end, save it in the sessionStorage and adds it with the response.
  5. This cookie will be saved automatically into browser's local storage once the response is fetched at client side.
  6. Every time we send a subsequent API request we need to include this cookie in the req headers.
  7. This cookie should be validated each time in back end. passport.authorize will again make use of the cookie and check if the session is valid.
  8. Logout session once the User logs out.

Hope I've made things clear for you.

sudheeshcm
  • So if somebody edits the cookie and sends it to the server, passportjs will not accept it as it's not the original one, right? – Somename Mar 21 '17 at 19:03
  • A cookie created from the backend cannot be edited from the client. Moreover, the cookie created will be having details like created time, expiry date time etc. Backend cookie management will be automatically handled by Passport.js. – sudheeshcm Mar 22 '17 at 05:09