3

I am using the passport-local and passport-jwt modules for the authentication strategy in my application. I am trying to understand whether I would still need to use the passport.serialize() and passport.deserialize() methods. As far as I understand, these methods use sessions to store user info. I suspect that the purpose of these methods is already fulfilled by JwtStrategy. Or am I completely wrong here?

I tried looking on the web but couldn't find much information there.

Here is my code for the JWT strategy

```javascript
router.get('/current', passport.authenticate('jwt', {session: false}), (req, res) => {
  res.json({
    id: req.user.id,
    email: req.user.email,
    first_name: req.user.first_name,
    last_name: req.user.last_name,
  });
});
```

Please correct me if I am wrong about my assumption.

Roshan

2 Answers

2

JWT strategy is used here.

```javascript
passport.authenticate('jwt', {session: false})
```

This code is middleware which takes the token key from the Authorization request header, then checks whether the token key is correct and fires the `passport.use(new JwtStrategy(opts, (jwt_payload, done) ...` method.

Then, your code (I suppose it is just like this):

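```javascript
const passport = require('passport');
const { Strategy: JwtStrategy, ExtractJwt } = require('passport-jwt');
// UserRepository is the application's own data-access module (not shown here).

// Session (de)serialization hooks; passport calls these only when sessions are in use.
passport.serializeUser(function (user, done) {
    done(null, user);
});

passport.deserializeUser(function (user, done) {
    done(null, user);
});

// jwt
let opts = {
    // Reads the token from an "Authorization: JWT <token>" header
    jwtFromRequest: ExtractJwt.fromAuthHeaderWithScheme('jwt'),
    secretOrKey: "secret" // placeholder value; load the real key from configuration
};

// Verify callback: runs after the token's signature has been checked.
passport.use(new JwtStrategy(opts, (jwt_payload, done) => {
    UserRepository.get_user_by_id(jwt_payload.user.id, (err, user) => {
        if (err) {
            return done(err, false);
        }
        if (user) {
            // Whatever is passed to done() becomes req.user
            return done(null, UserRepository.set_existing_user_for_token_key(user));
        } else {
            return done(null, false);
        }
    });
}));
```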

It returns a user, which is then serialized to JSON that you can use in the router.get (or another method) function.

canmustu
  • Actually, I want to understand more in terms of what happens if I don't use `passport.serializeUser` and `passport.deserializeUser`? – Roshan Mar 23 '19 at 21:08
  • This could help you: https://stackoverflow.com/questions/27637609/understanding-passport-serialize-deserialize?rq=1 – canmustu Mar 23 '19 at 21:29
  • I have already gone through that post. And from that post I could only gather that the `passport.serializeUser` method saves the user info in the session. Now let me break my question into 2 simple questions: 1. `passport.serializeUser` and `passport.deserializeUser` are part of the session-based authentication process. Am I right here? 2. `passport-jwt` can instead be used as an alternative authentication process (token-based process). Correct me if I am wrong here as well. Thanks. – Roshan Mar 23 '19 at 21:42
  • Actually, the session does not have to be used; it is optional. In my code, the session property is off... The middleware which you used in your router (passport.authenticate(...)) lets you use the user in your req variable. So you can get your user in the router via req.user – canmustu Mar 23 '19 at 21:47
  • @Roshan, did you ever figure this out? I'm trying to understand the same thing. – Patrick Weaver May 13 '20 at 02:03
  • I am also trying to figure this out. From my understanding, we can use either passport serializeUser/deserializeUser if we are using sessions OR we can use passport-jwt. Ultimately, it depends on whether we want to use JWT or sessions. Correct me if I'm wrong – Hendry Lim Oct 20 '20 at 12:17
0

If you're using JwtStrategy, as you already understood, you don't need a session. So you can get rid of passport.serializeUser and passport.deserializeUser.

Your assumptions are right, and I can say I use the same implementation on some apps.

marco.marinangeli
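What `passport.authenticate('jwt', {session: false})` amounts to on each request, as an added example that is not part of the original answers and is not passport's own code: a simplified stand-in middleware built on Node's `crypto` module, showing that the user is re-established from the token every time and no session hook is ever called. `signToken`, `jwtAuth`, `findUser` and `handle` are hypothetical names; the `user.id` claim and the `JWT` header scheme follow the first answer's code, and the `exp` requirement is an assumption.

```javascript
const crypto = require('node:crypto');

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// Hypothetical login-side helper: issue an HS256 token carrying { user: { id } }.
function signToken(payload, secret) {
  const data = `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url(payload)}`;
  return `${data}.${hmac(data, secret).toString('base64url')}`;
}

// Hypothetical stand-in for passport.authenticate('jwt', { session: false }).
// findUser plays the role of the strategy's verify callback.
function jwtAuth(secret, findUser) {
  return (req, res, next) => {
    const deny = () => res.status(401).end();
    // Same header shape as ExtractJwt.fromAuthHeaderWithScheme('jwt')
    const m = /^jwt (\S+)$/i.exec(req.headers.authorization || '');
    const parts = m ? m[1].split('.') : [];
    if (parts.length !== 3) return deny();
    const [head, body, sig] = parts;
    const given = Buffer.from(sig, 'base64url');
    const expected = hmac(`${head}.${body}`, secret);
    // Length check first: timingSafeEqual throws on unequal lengths.
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return deny();
    let header, claims;
    try {
      header = JSON.parse(Buffer.from(head, 'base64url').toString());
      claims = JSON.parse(Buffer.from(body, 'base64url').toString());
    } catch (e) { return deny(); }
    // Pin the algorithm and require an unexpired token.
    if (!header || header.alg !== 'HS256') return deny();
    if (!claims || typeof claims.exp !== 'number' || claims.exp <= Date.now() / 1000) return deny();
    const user = findUser(claims.user && claims.user.id);
    if (!user) return deny();
    req.user = user; // set per request; serializeUser/deserializeUser are never involved
    next();
  };
}

// Constructed demo: drive the middleware with a fake req/res; `users` is a Map of id -> user.
function handle(authorization, secret, users) {
  const req = { headers: { authorization } };
  const out = { status: 200, user: null };
  const res = { status(code) { out.status = code; return this; }, end() {} };
  jwtAuth(secret, (id) => users.get(id))(req, res, () => { out.user = req.user; });
  return out;
}
```
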