User management

As I wrote in my last post, users can now register on my website. There was a tiny issue with password handling, but as it turned out, it was due to a stupid error of mine. I got rid of this error, so the users are now saved to the database fine.

The thing is that having the user in the database is not enough.

First, you have to be able to validate the user based on his login and password, but you also need to authenticate every request that comes in (for the restricted areas of the website, of course). That is an interesting topic when you come from website development in .NET, where very often you don't know, or simply don't care, about the basics of the communication and the mechanisms involved, because .NET just does it for you. Once a user has logged in, ASP.NET issues an authentication ticket as a cookie (encrypted and signed, next to the session ID cookie), the browser sends it back with every request, and on the server you just call `Request.IsAuthenticated` and you're ready to go. It is .NET that generates these cookies on the server side and does all the nice things you got used to.

But here, in the JavaScript world, you have to take care of every single thing yourself. First you have to make your server generate some kind of session ID and make sure the client remembers it and sends it with every request. Then your server has to remember that session ID as well, so it can say whether a request is authenticated or not. There are other useful things you will want in your app, like a session expiration time so that a session doesn't last forever, and, more importantly, some protection for the cookie, because that is where the client will keep this kind of data. There is not much you can do to stop someone from reading a cookie: it is a small piece of text, and anyone who can reach the browser's storage can read it. So the cookie should never carry anything secret or anything the user could usefully change. It should hold only a random, opaque session ID that the server signs (this is what express-session does with the secret you give it), with the actual session data kept on the server side, and it should be sent with the HttpOnly and Secure flags so that scripts can't read it and it never travels over plain HTTP.

From a MEAN stack developer's point of view, there are a few steps to get this working:

  1. Enable session state on the server, which is Express in this case, with the express-session middleware. It generates a session ID, keeps the session data on the server and sends the ID down to the client in a cookie. You can do this like in the code below. Of course there are more things to take care of (such as a persistent session store for production, since the default in-memory store is meant for development only), but for the sake of simplicity we just visualize the process:
    import express from 'express';
    import session from 'express-session';
    // Create our app with Express
    let app = express();
    
    // The secret signs the session-ID cookie, it does not encrypt it.
    // Keep it out of source control (e.g. read it from an environment variable).
    app.use(session({
        secret: "here goes your key for signing",
        resave: false,             // don't rewrite unchanged sessions to the store
        saveUninitialized: false   // don't create a session until something is stored in it
    }));
    
    
  2. The middleware we will use to authenticate incoming requests and to tie them to the session is PassportJS, so some more configuration is needed. `passport.session()` reads the logged-in user out of the session on every request, so it must be registered after the express-session middleware, and it needs `serializeUser`/`deserializeUser` callbacks that map between the user object and what is stored in the session (typically just the user ID).
    // PassportJS
    import passport from 'passport';
    
    app.use(passport.initialize());
    // Persistent login sessions: restores req.user from the session,
    // so this must come after app.use(session(...))
    app.use(passport.session());
    
    
  3. Now, in your Express routes configuration, add a middleware to the routes whose content you want to secure, so that the request is checked when it arrives. You pass it before the route handler (for example as the second argument of `app.get`). `next()` hands the request on to the next handler in the chain, i.e. your actual route; if it is not called, the chain stops here and the handler never runs.
    let auth = (req, res, next) => {
        if (!req.isAuthenticated()) {
            // res.send(401) is deprecated in Express 4; sendStatus sets the
            // status and a matching body
            res.sendStatus(401);
        }
        else {
            next();
        }
    };
    
    

With this in place, a user won't get the data if he isn't authenticated. So how do we authenticate the user? We'll get to that in the next post. For now my website is finally able to authenticate a user upon login form submit, so we have both the sign-up and sign-in operations working fine.

Since Passport authenticates the requests on the server side, we still need something on the client side that lets us control the authentication process when navigating around the website. As I already mentioned in my previous post, I think HTTP interceptors will come in handy here on the Angular2 level, but I haven't even started working on it, so that's also content for one of the next posts. Stay tuned.

 
