
I want to create a login system, using Node JS and ExpressJS. The user types their credentials, then the server checks these to see if they are valid. If they are valid, the server will redirect the user to the home page and send along data, including the user's credentials (for further use). This is RESTful.

const app = require("express")();
const bodyParser = require('body-parser');
//parse the login form body so that req.body is populated
app.use(bodyParser.urlencoded({ extended: false }));
app.get("/login", function(req, res)
{
    res.sendFile(__dirname + "/front-end/login.html");
});
app.post("/login",function(req, res)
{
    var username = req.body.username;
    var password = req.body.password;
    //returns whether the credentials work
    var credentialsPassed = checkCredentials(username,password);
    if(credentialsPassed)
    {
        //redirect to home-page and pass along the user's credentials for further use
    }
});

I already read "How do I redirect in expressjs while passing some context?". The answer sends data in the URL. However, I need to send the user's credentials, so it would be insecure to pass it in the URL. The other alternative is to use EJS (or something similar), but I would have to download a pretty big module just for this 1 task.

Is there any better way?

Jason C.
  • If you're not passing data in the URL, then your choices are to put the data in a cookie or in a user session (which is keyed by a cookie). In either of those cases, you can then access the data when the next request arrives from that user (the request from the redirect). Putting the data in the user session is generally more secure since the session is kept on the server. – jfriend00 Sep 09 '19 at 03:43
  • You speak in other comments about not storing anything on the server and somehow think that's what you have to do to be pure REST. You simply can't have both. You either put everything needed for the request in the URL or you put some token in the URL that can be attached to some server-side data or you use cookies. Those are the ways to do this. There's nothing that isn't REST just because you login and then have a token in a cookie or in the URL that points to a user session on the server. – jfriend00 Sep 09 '19 at 03:47

1 Answer


If you don't want the data to be passed in the URL, you can add it to req.users or res.locals/req.locals. Definition: req.locals vs. res.locals vs. res.data vs. req.data vs. app.locals in Express middleware

Also, in the link you passed, they said you could save that data in req.session; maybe that is the best way to solve your problem.

  • I looked into these. It appears these store temporary information onto the server so that when a new connection comes, it can use the info that was just stored. This is good, but I want a REST API, which means each request cannot make use of things on the server. – Jason C. Sep 09 '19 at 01:34
  • OK, if you want to share user information, have you tried using JSON Web Tokens? Passport could simplify a lot of your process: https://medium.com/front-end-weekly/learn-using-jwt-with-passport-authentication-9761539c4314 – Axel Candia Sep 09 '19 at 01:41
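
The "token in a cookie" option raised in the comments above, sketched with Node's built-in crypto module only. This is an added example, not code from the thread or from any JWT library: the function names, the cookie name `auth` and the 15-minute lifetime are assumptions, and the token carries only the username and an expiry, never the password.

```javascript
// Added example: a stateless, HMAC-signed login token carried in a cookie.
const crypto = require("crypto");

// Assumption: a real deployment loads this key from a secret store so that it
// survives restarts and is shared by all server instances.
const SECRET = crypto.randomBytes(32);

const b64url = (data) => Buffer.from(data).toString("base64url");
const sign = (payload) => crypto.createHmac("sha256", SECRET).update(payload).digest();

// Issue a token holding only the username and an expiry time.
function issueToken(username, ttlSeconds = 900, now = Date.now()) {
  const claims = { sub: username, exp: Math.floor(now / 1000) + ttlSeconds };
  const payload = b64url(JSON.stringify(claims));
  return payload + "." + b64url(sign(payload));
}

// Return the claims if the signature is valid and the token is unexpired, else null.
function verifyToken(token, now = Date.now()) {
  if (typeof token !== "string") return null;
  const parts = token.split(".");
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;
  const expected = sign(payload);
  const given = Buffer.from(mac, "base64url");
  // Constant-time comparison; timingSafeEqual requires equal lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try { claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")); } catch { return null; }
  if (!claims || typeof claims.exp !== "number" || claims.exp <= Math.floor(now / 1000)) return null;
  return claims;
}

// Set-Cookie value for the redirect response: hidden from page scripts, HTTPS only.
function sessionCookie(token, ttlSeconds = 900) {
  return `auth=${token}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=${ttlSeconds}`;
}

// Pull the token back out of the Cookie header on the next request.
function tokenFromCookieHeader(header = "") {
  const hit = header.split(";").map((c) => c.trim()).find((c) => c.startsWith("auth="));
  return hit ? hit.slice("auth=".length) : null;
}
```

In the question's POST /login handler this would be used as `res.setHeader("Set-Cookie", sessionCookie(issueToken(username)))` followed by `res.redirect("/home")`, and the home-page handler would call `verifyToken(tokenFromCookieHeader(req.headers.cookie))`. No per-user state is kept on the server, which is the property the asker wanted.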