50

I am not familiar with user authentication in Node.js, and now I am trying to create a website with a login system. I have managed to make it work using the code snippets from the website, but I don't really understand why we need passport.js as a middleware to do the authentication.

Registration:

Let's take passport-local as an example. When we are using the passport middleware, we are basically trying to create a new document in the database. Can we then do it without passport, such as by using the MongoClient directly, checking for duplicates, and storing the password after encryption?

Login:

We can simply check the user's email or username against our database, and then check the password after the email or username is matched. This, as well, can be done without passport. After the user's identity has been confirmed, we can use express-session to store the session in the cookie for login persistence.

A video about the process that I described above can be found here.

I understand that there must be some very important functionality that I neglect, but after browsing many web resources, including Stack Overflow, YouTube, passport.js's docs and many others, I still didn't understand what passport.js does and why we need it.

Apologies in advance if the question seems silly.

Leonard Ge
  • 10
    I am going to guess that this will fit into the category of "No one writes their own code anymore" and "Everything is done with someone else's library and framework". Or possibly, "No one knows how to code anymore" but I apologize for an opinionated comment that may have a foundation of truth. – Rob Aug 01 '17 at 02:48
  • 4
    We don't *need* anything. Yes, you can easily do all this by yourself. Yes, we don't need to use libraries. But apparently some people found passport.js to be *useful*, having to do even less by themselves and not reinvent the wheel, while fitting nicely into a middleware abstraction. – Bergi Aug 01 '17 at 03:16
  • 2
    Often seemingly-pointless libraries like this exist simply because it's _easier_. Take [js-cookie](https://github.com/js-cookie/js-cookie) for example; it's not _necessary_ by any stretch of the imagination. It's also easy to find the information to handle cookies yourself. But it _is_ a lot easier to build off someone else's work. Why reinvent the wheel? – Clonkex Aug 01 '17 at 03:18

2 Answers

32

To me it's unnecessary.

It's not saving me any work. I have to write the configuration, the callback, and the user schema. To me, it's just easier for me to just write a middleware for that.

And I don't see that there is any security enforcement I am getting, because I am writing my own verify callback anyway.

So, I don't see any reason that I should use it.

Jason Ching
  • 22
    If you're just using the local strategy, yeah, no point. But when you have requirements to auth with Google, FB, Twitter, local, and maybe some other sites' logins, it ends up being a lot of code written for a task that has been done many times before. This is the purpose of passport. – jemiloii Feb 12 '20 at 18:18
21

Passport is a middleware for express.js. It supports various login types: Basic, Token, Local (username, password), OAuth, OAuth2, etc. We can combine these to allow users to authenticate by signing in with Google, FB, or whatever service with a very minimal amount of code. We can also use this to combine external auth services so users can choose to log in with one of the selected Strategies, e.g. Google, Twitter. It's much quicker to use passport for authentication than to build one yourself from scratch. This is why we use passport. You don't need passport, it just makes developing quicker. Read more from their website => https://www.passportjs.org/

Spikatrix
jemiloii
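The hand-rolled local registration and login that the question and the first answer describe, as an added example that is not code from any of the posts above. It stores a salted scrypt hash rather than a reversible encryption of the password; the `Map` standing in for the MongoDB collection and the names `register`, `login` and `hashPassword` are assumptions made for illustration.

```javascript
// Added example: local registration and login without Passport.
// The Map stands in for a MongoDB collection (assumption); in Express the
// id returned by login() is what express-session would keep in req.session.
const { randomBytes, scryptSync, timingSafeEqual } = require('node:crypto');

const KEY_LEN = 64;

// Derive a slow, salted hash; the password itself is never stored.
function hashPassword(password, salt = randomBytes(16)) {
  return { salt, hash: scryptSync(password, salt, KEY_LEN) };
}

// Hash used when the e-mail is unknown, so both failure paths do the same work.
const DUMMY = hashPassword('constructed-dummy-password');

function normalize(email) {
  return String(email).trim().toLowerCase();
}

function register(users, email, password) {
  const key = normalize(email);
  if (users.has(key)) return { ok: false, error: 'duplicate' };
  if (typeof password !== 'string' || password.length < 8) {
    return { ok: false, error: 'weak-password' };
  }
  const id = users.size + 1;
  users.set(key, { id, email: key, ...hashPassword(password) });
  return { ok: true, id };
}

// Returns the user id to put in the session, or null on any failure.
function login(users, email, password) {
  const user = users.get(normalize(email));
  const { salt, hash } = user || DUMMY;
  const candidate = scryptSync(String(password), salt, KEY_LEN);
  const match = timingSafeEqual(candidate, hash); // constant-time comparison
  return user && match ? user.id : null;
}

// Constructed sample data.
const users = new Map();
register(users, 'Alice@example.com', 'correct horse battery');
console.log(login(users, 'alice@example.com', 'correct horse battery')); // 1
console.log(login(users, 'alice@example.com', 'wrong password'));        // null
console.log(login(users, 'nobody@example.com', 'correct horse battery')); // null
```

In a real deployment the duplicate check also needs a unique index on the e-mail field, since two concurrent registrations can both pass the `has` test.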