user authentication libraries for node js

Question

Are there any existing user authentication libraries for node js  In particular I m looking for something that can do password authentication for a user  using a custom backend auth DB   and associate that user with a session   Before I wrote an auth library  I figured I would see if folks knew of existing libraries  Couldn t find anything obvious via a google search   -Shreyas

User · Answer

If you are looking for an authentication framework for Connect or Express, Passport is worth investigating: https://github.com/jaredhanson/passport

(Disclosure: I'm the developer of Passport)

I developed Passport after investigating both connect-auth and everyauth. While they are both great modules, they didn't suit my needs. I wanted something that was more light-weight and unobtrusive.

Passport is broken down into separate modules, so you can choose to use only what you need (OAuth, only if necessary). Passport also does not mount any routes in your application, giving you the flexibility to decide when and where you want authentication, and hooks to control what happens when authentication succeeds or fails.

For example, here is the two-step process to setup form-based (username and password) authentication:

passport.use(new LocalStrategy(
  function(username, password, done) {
    // Find the user from your DB (MongoDB, CouchDB, other...)
    User.findOne({ username: username, password: password }, function (err, user) {
      done(err, user);
    });
  }
));

app.post('/login', 
  passport.authenticate('local', { failureRedirect: '/login' }),
  function(req, res) {
    // Authentication successful. Redirect home.
    res.redirect('/');
  });

Additional strategies are available for authentication via Facebook, Twitter, etc. Custom strategies can be plugged-in, if necessary.

User · Answer

If you need authentication with SSO  Single Sign On  with Microsoft Windows user account  You may give a try to https   github com jlguenego node-expose-sspi   It will give you a req sso object which contains all client user information  login  display name  sid  groups    const express   require  express    const   sso  sspi     require  node-expose-sspi     sso config debug   false   const app   express     app use sso auth      app use  req  res  next    gt      res json       sso  req sso            app listen 3000       gt  console log  Server started on port 3000       Disclaimer  I am the author of node-expose-sspi

User · Answer

Here are two popular Github libraries for node js authentication   https   github com jaredhanson passport   suggestible    https   nodejsmodules org pkg everyauth

User · Answer

Here is a new authentication library that uses timestamped tokens   The tokens can be emailed or texted to users without the need to store them in a database   It can be used for passwordless authentication or for two-factor authentication   https   github com vote539 easy-no-password  Disclosure  I am the developer of this library

User · Answer

A few years have passed and I d like to introduce my authentication solution for Express  It s called Lockit  You can find the project on GitHub and a short intro at my blog   So what are the differences to the existing solutions    easy to use  set up your DB  npm install  require  lockit    lockit app   done routes already built-in   signup   login   forgot-password  etc   views already built-in  based on Bootstrap but you can easily use your own views  it supports JSON communication for your AngularJS   Ember js single page apps it does NOT support OAuth and OpenID  Only username and password  it works with several databases  CouchDB  MongoDB  SQL  out of the box it has tests  I couldn t find any tests for Drywall  it is actively maintained  compared to everyauth  email verification and forgot password process  send email with token  not supported by Passport  modularity  use only what you need flexibility  customize all the things   Take a look at the examples

User · Answer

Looks like the connect-auth plugin to the connect middleware is exactly what I need I m using express   http   expressjs com   so the connect plugin fits in very nicely since express is subclassed  ok - prototyped  from connect

User · Answer

Session   If  I guess the reason that you haven t found many good libraries is that using a library for authentication is mostly over engineered   What you are looking for is just a session-binder    A session with   if login and user    xxx and pwd    xxx     then store an authenticated true into the session  if logout destroy session   thats it     I disagree with your conclusion that the connect-auth plugin is the way to go   I m using also connect but I do not use connect-auth for two reasons    IMHO breaks connect-auth the very powerful and easy to read onion-ring architecture of connect  A no-go - my opinion      You can find a very good and short article about how connect works and the onion ring idea here  If you - as written - just want to use a basic or http login with database or file  Connect-auth is way too big  It s more for stuff like OAuth 1 0   OAuth 2 0  amp  Co     A very simple authentication with connect   It s complete  Just execute it for testing but if you want to use it in production  make sure to use https   And to be REST-Principle-Compliant you should use a POST-Request instead of a GET-Request b c you change a state     var connect   require  connect    var urlparser   require  url     var authCheck   function  req  res  next        url   req urlp   urlparser parse req url  true                       Logout     if   url pathname      logout            req session destroy                              Is User already validated      if  req session  amp  amp  req session auth    true          next       stop here and pass to the next onion ring of connect       return                                Auth - Replace this example with your Database  Auth-File or other things        If Database  you need a Async callback        if   url pathname      login   amp  amp            url query name     max   amp  amp            url query pwd     herewego             req session auth   true        next          return                            This user is not authorized  Stop talking to him      res writeHead 403       res end  Sorry you are not authorized  n nFor a login use   login name max amp pwd herewego        return     var helloWorldContent   function  req  res  next        res writeHead 200     Content-Type    text plain          res end  authorized  Walk around    or use  logout to leave n nYou are currently at   req urlp pathname      var server   connect createServer        connect logger   format    method  url            connect cookieParser          connect session   secret   foobar            connect bodyParser          authCheck        helloWorldContent     server listen 3000     NOTE  I wrote this statement over a year ago and have currently no active node projects  So there are may be API-Changes in Express  Please add a comment if I should change anything

User · Answer

sweet-auth  A lightweight  zero-configuration user authentication module  It doesn t need a sperate database   https   www npmjs com package sweet-auth  It s simple as   app get   private-page    req  res    gt         if  req user isAuthorized               user is logged in  send the requested page            you can access req user email           else              user not logged in  redirect to login page

User · Answer

A word of caution regarding handrolled approaches  I m disappointed to see that some of the suggested code examples in this post do not protect against such fundamental authentication vulnerabilities such as session fixation or timing attacks  Contrary to several suggestions here  authentication is not simple and handrolling a solution is not always trivial   I would recommend passportjs and bcrypt  If you do decide to handroll a solution however  have a look at the express js provided example for inspiration  Good luck

User · Answer

There is a project called Drywall that implements a user login system with Passport and also has a user management admin panel  If you re looking for a fully-featured user authentication and management system similar to something like what Django has but for Node js  this is it  I found it to be a really good starting point for building a node app that required a user authentication and management system  See Jared Hanson s answer for information on how Passport works

User · Answer

Also have a look at everyauth if you want third party social network login integration

User · Answer

Quick simple example using mongo  for an API that provides user auth for ie Angular client  in app js  var express   require  express    var MongoStore   require  connect-mongo   express            app use express cookieParser        obviously change db settings to suit app use express session       secret   blah1234       store  new MongoStore           db   dbname           host   localhost           port  27017              app use app router     for your route something like this       mongo connection stuff   exports login   function req  res         var email   req body email         use bcrypt in production for password hashing     var password   req body password       db collection  users   function err  collection            collection findOne   email   email   password   password   function err  user                if  err                    res send 500                 else                   if user     null                        req session user   user                      res send 200                     else                       res send 401                                                            Then in your routes that require auth you can just check for the user session   if   req session user        res send 403

User · Answer

A different take on authentication is Passwordless  a token-based authentication module for express that circumvents the inherent problem of passwords  1   It s fast to implement  doesn t require too many forms  and offers better security for the average user  full disclosure  I m the author     1   Passwords are Obsolete

User · Answer

I was basically looking for the same thing  Specifically  I wanted the following    To use express js  which wraps Connect s middleware capability  Form based  authentication Granular control over which routes are authenticated A database back-end for users passwords Use sessions   What I ended up doing was creating my own middleware function check auth that I pass as an argument to each route I want authenticated  check auth merely checks the session and if the user is not logged in  then redirects them to the login page  like so   function check auth req  res  next           if the user isn t logged in  redirect them to a login page   if  req session login        res redirect   login        return     the buck stops here    we do not call next    because                we don t want to proceed  instead we want to show a login page            the user is logged in  so call next     next        Then for each route  I ensure this function is passed as middleware  For example   app get   tasks   check auth  function req  res           snip       Finally  we need to actually handle the login process  This is straightforward   app get   login   function req  res      res render  login    layout false         app post   login   function req  res          here  I m using mongoose js to search for the user in mongodb   var user query   UserModel findOne  email req body email   function err  user       if err          res render  login    layout false  locals   error err             return             if  user    user password    req body password          res render  login            layout false            locals   error  Invalid login    email req body email                            else            successful login  store the session info       req session login   req body email        res redirect                         At any rate  this approach was mostly designed to be flexible and simple  I m sure there are numerous ways to improve it  If you have any  I d very much like your feedback   EDIT  This is a simplified example  In a production system  you d never want to store  amp  compare passwords in plain text  As a commenter points out  there are libs that can help manage password security

User · Answer

Here is some code for basic authentication from one of my projects  I use it against CouchDB with and additional auth data cache  but I stripped that code   Wrap an authentication method around you request handling  and provide a second callback for unsuccessfull authentication  The success callback will get the username as an additional parameter  Don t forget to correctly handle requests with wrong or missing credentials in the failure callback          Authenticate a request against this authentication instance          param request     param failureCallback     param successCallback     return     Auth prototype authenticate   function request  failureCallback  successCallback        var requestUsername           var requestPassword           if   request headers  authorization                  failureCallback              else               var auth   this  decodeBase64 request headers  authorization             if  auth                        requestUsername   auth username              requestPassword   auth password                    else                       failureCallback                            TODO  Query your database  don t forget to do so async        db query  function result                if  result username    requestUsername  amp  amp  result password    requestPassword                        successCallback requestUsername                     else                       failureCallback                                   Internal method for extracting username and password out of a Basic    Authentication header field          param headerValue     return     Auth prototype  decodeBase64   function headerValue        var value      if  value   headerValue match   Basic  s  A-Za-z0-9                         var auth    new Buffer value 1          base64    toString  ascii            return               username   auth slice 0  auth indexOf                    password   auth slice auth indexOf        1  auth length                       else               return null

[authentication] user authentication libraries for node.js?

Examples related to authentication

Examples related to node.js

Examples related to serverside-javascript