
I just have some general questions about the level of security one can expect when using Passport for an app's authentication.

I am currently in the process of designing my first app using a MongoDB, Express, React and Node.js stack. Without having much prior knowledge about cyber security, I have done quite a bit of research about authentication and what type of attacks can occur on my site. I have opted to use a cookie-based authentication system with the passport.js npm package, and I have designed my /login route to require that the user's password and username first pass a passport.authenticate('local', ....) middleware setup before a session and cookie are created.

In order to persist the current user in my React app, I have a function which requests the server to provide it with the currently active Passport session if there is one, and this seems to work, as it will not maintain a login state if the user deletes the session cookie from their browser.

I am a bit skeptical of Passport and I'm curious to know how easily it could be breached by someone who has a higher understanding of how it works, so the things I am wondering are several:

  1. Is this type of authentication setup secure?

  2. Are there any additional requirements that one must implement in order for passport to be a legitimate method of authentication for an App?

  3. Is using Passport to authenticate users considered to be bad practice? Would showcasing an app that authenticates users by using an npm package look bad if I were to showcase this application to a potential employer?

I can share code if necessary to better illustrate my code setup, although I would prefer not to if at all possible. Any advice would be much appreciated, thanks!

TL;DR: Is passport.js a secure method to authenticate users? Is using passport.js for this bad practice?

Breadman
  • 1. Yes, but I can't say for 100% sure what you've done is correct. Cookies are a valid means of session authentication handling. Passport is just a higher-level interface to that. 2. No. 3. No, but be extremely cautious of just using "any passport" module --- some are not really vetted. ----- That all being said, I would familiarize yourself with what cookie-based authentication is, and what other options there are. A lot of people like to use Redis as a session store but don't put a password on Redis. – Cody G Jul 11 '20 at 01:53
  • https://stackoverflow.com/questions/17769011/how-does-cookie-based-authentication-work – Cody G Jul 11 '20 at 01:57

1 Answer


Passport.js provides authentication, not security. It is fairly easy to misconfigure by following online tutorials, so take care: the tool is only as good as the hands it is in. To add security to Passport, you will need at the very least three additional elements:

  1. A strong state model for the session (or token) that does not leak private fields and uses argon2 for password hashing.
  2. No mistakes on the front end with CSRF or XSS.
  3. Rate and buffer limiters on Node itself or, even better, on your reverse proxy.
Dima Kotik