NodeJS Authentication Methods: Beginners' Guide

The management of the registered user is used while creating a user registration form. User role authentication is used in this situation. Non-admin users cannot access restricted information or make changes thanks to role authentication. It gives admin users access to administrative functions while giving basic users access to basic functions. 

Authentication vs Authorization 

Authentication 

It can appear that authorization and authentication are the same things. But there is a significant distinction between entering a building (authentication) and what you can do inside (authorization). 

The act of authenticating a user involves getting credentials and utilizing those credentials to confirm the person's identity. The authorization process starts if the certificates are legitimate. 

We all go through the authentication procedure every day, whether at work (signing onto your computer) or at home, so you are undoubtedly already familiar with it (passwords or logging into a website). Many "things" connected to the Internet demand credentials to confirm your identity. 

Authentication Techniques

1. Using a password for authentication 

The easiest method of authenticating is this one. It needs the password associated with the specified username. The user will be successfully authenticated if the password and username match and both information match the system's database. 

2. Password-free identification 

A link or OTP (one-time password) is sent to the user's registered mobile number or phone number in place of a password in this procedure. Authentication based on an OTP can also be mentioned. 

3. 2FA/MFA 

The highest level of authentication is known as 2FA/MFA or two-factor authentication/multi-factor authentication. Authenticating the user requires additional PIN or security questions. 

4. One-time password 

Access to numerous applications can be made possible by using single sign-on or SSO. Once logged in, the user can immediately sign into all other online apps using the same centralized directory. 

5. Social Authentication 

Social authentication checks the user using the already-existing login credentials for the relevant social network; it does not call for additional security. 

Authorization

Allowing authenticated users access to resources involves authorizing them after determining whether they have system access permissions. You can also limit access rights by approving or rejecting particular licenses for authenticated users. 

After the system confirms your identification, authorization takes place, giving you complete access to all the system's resources, including data, files, databases, money, places, and anything else. 

Your ability to access the system and how much access you have depends on this approval. 

Authorization Methods

1. Role-based access controls (RBAC):  

This type of authorization grants users access to data in accordance with their positions within the company. For instance, all employees inside a corporation might have access to personal data, such as pay, vacation time, but not be able to edit it. However, HR may be granted access to all employee HR data and be given the authority to add, remove, and modify this information. Organizations may make sure each user is active while limiting access to sensitive information by granting permissions based on each person's function. 

2. Attribute-based access control (ABAC):  

ABAC uses several distinct attributes to grant users authorization at a finer level than RBAC. User attributes including the user's name, role, organization, ID, and security clearance may be included. Environmental factors including the time of access, the location of the data, and the level of organizational danger currently in effect may be included. Additionally, it might contain resource information like the resource owner, file name, and data sensitivity level. The aim of ABAC, which is a more intricate authorization process than RBAC, is to further restrict access. For instance, to preserve strict security boundaries, access can be restricted to specific geographic regions or times of the day rather than allowing all HR managers in a business to update employees' HR data. 

Types of Authentications in Node.js

1. Session Based Authentication

The session-based authentication is summarized in this figure quite simply. Let's put it into code to make it clearer. 

First, create Node.js project and run the following line of code from your project directory's terminal. 

npm install express express-session mongoose connect-mongo 
const express = require('express'); 
const app = express(); 
const mongoose = require('mongoose'); 
const MongoStore = require('connect-mongo'); 
const session = require('express-session'); 
await mongoose.connect('your_mongo_url', (err, db) => { 
            console.log('MongoDB Connected....'); 
      }); 
app.get('/', (req,res)=>{ 
    res.send('<h1>Hello World!</h1>')   
}) 
app.listen(3000, () => console.log(`Server running on 3000`)); 

This section of code will launch our server on Port 3000.  

Let's now set up the MongoDB Store to store sessions. 

app.use(session({ 
    secret: 'fiwafhiwfwhvuwvu9hvvvwv', // Never ever share this secret in production, keep this in separate file on environmental variable 
    resave: false, 
    saveUninitialized: true, 
    cookie: { maxAge: oneDay }, 
    store: MongoStore.create({ 
        mongoUrl: 'your_mongo_url' 
    }) 
})); 

This section of code created an empty Session object for a request using the express-session package. 

In our MongoDB database, this will therefore create a new empty session with the collection name sessions. 

Let's build a user login route. 

app.post('/login', async (req, res) => { 
    const { username, password } = req.body;     
try { 
        let user = await User.findOne({ email: username }) 
        req.session.userId = user.id; 
 
        console.log(req.session); 
 
        res.redirect('/dashboard') 
 
    } catch (err) { 
        console.log(err); 
        res.json({ msg: 'Server Error! Please reload page' }); 
    } 
}) 

This block of code is now crucial. So, when a user uses their username and password to access their account, we send a request to our server and keep it in the session. Req.session.userId keeps the user's distinct _id in the session, and the server generates a special session id and stores it in a cookie that is sent back to the client and kept in the client's browser. The header of every request the client sends to the server will include this cookie.  We can authenticate that specific user on the server side by using that cookie in the header and collecting the user's userId. 

module.exports.authentication = async (req, res, next) => { 
    const userId = req.session.userId; 
    if (!userId) { 
        return res.redirect('/login?q=session-expired'); 
    } 
    try { 
        let user = await User.findById(userId); 
        if (!user) { 
            return res.redirect('/login?q=session-expired'); 
        } 
        next(); 
    } catch (err) { 
        console.log(err); 
        res.json({ msg: 'Server error. Please reload page after sometime' }) 
    } 
}; 

This type of middleware function can be developed so that we can authenticate the user for each request made on protected routes, such as dashboards, booking histories, payment routes, etc., and then display the appropriate information based on the user's preferences. 

2. Token Based Authentication

If a user logs in using the proper credentials, token-based authentication generates a token (a lengthy string of random alphanumeric characters) and sends it back to the client's browser in which it is saved (in localStorage, SessionStorage or cookie). Now, each time a user sends a request to the server, the token they previously stored in their browser is sent back to the server, where it is checked by some middleware before returning the necessary resources. 

Let's put it into code.

First, create an empty node app and run the following command: 

npm install express jsonwebtoken mongoose 
const express = require('express'); 
const app = express(); 
const mongoose = require('mongoose'); 
const jwt = require('jsonwebtoken'); 
await mongoose.connect('your_mongo_url', (err, db) => { 
            console.log('MongoDB Connected....'); 
      }); 
app.get('/', (req,res)=>{ 
    res.send('<h1>Hello World!</h1>');  
}) 
app.listen(3000, () => console.log(`Server running on 3000`)); 

This section of code will launch our server on Port 3000.  

app.post("/login", async (req, res) => { 
  try { 
    const { username, password } = req.body; 
    const user = await User.findOne({ username }); 
    if (!user) { 
      return res.json({ msg: "Please enter a valid username" }); 
    } 
    const accessToken = jwt.sign( 
        { username, id: user._id }, 
        JWT_SECRET, 
        { 
          expiresIn: process.env.NODE_ENV === "production" ? "6h" : "2 days", 
        } 
      ); 
      res.json({ msg: "User logged in!", accessToken }); 
  } catch (err) { 
    console.log(err); 
    res.status(503).json({ msg: "Server error!" }); 
  } 
}); 

Therefore, the code block above posts the login information and logs the user in. Let's see how the jwt.sign() function generates our access token. 

A new web token can be created using the sign() method of the JWT (Json Web Token) in order to covertly include user information. The jwt.sign() function has three parameters. Let's talk about them one by one. 

• The data that will be saved in the token. Either a string or a javascript object may be used. In this example, the access token had the username and id (a mongodb-generated unique id). 
• The JWT SECRET is the second parameter. It is crucial not to display it during production because it could be anything (a random string). Environment variables should be used to store the JWT SECRET. Later, it will be applied to authenticate the user and check the JWT Token. 
• The third parameter refers to the access token's optional attributes, such as the expiration date, httpOnly, and others. 

This function will provide us a jwt access token, which is a string of randomly generated characters. Possibly like this: 

eyJhbGciOiJIUzI1NiJ9.eyJpZCI6IjYwZndmNzA5N2ZmN2YwOTdmMDk5IiwidXNlcm5hbWUiOiJsYXZpc2hnb3lhbCJ9.kNPmoyim0KbrHw6Fl2NPdUWO3UdZ1cr3rFH4eZy9Dig 

Furthermore, to see that this token includes user details, open a new tab on your browser, visit to https://jwt.io, and paste the above access token in the encoded input box to get the user id and username as displayed below. 

The process for encoding the token is in the first part, followed by the user information we submitted and the JWT Secret, which will be used to validate the user later (which we'll do right now). 

const authenticateToken = (req, res, next) => { 
  const authHeader = req.headers["authorization"]; 
  const token = authHeader && authHeader.split(" ")[1]; 
  if (token === null) return res.status(401).json({ msg: "Not Authorized" }); 
  jwt.verify(token, JWT_SECRET, (err, user) => { 
    if (err) return res.status(401).json({ msg: err }); 
    req.user = user; 
    next(); 
  }); 
}; 

401 is the status When the client supplies either no credentials or insufficient credentials referencing Unauthorized. 

After this data block has verified the incoming JWT token and verified the user's identity, we can continue with the rest of the data handling. Three parameters are passed to jwt.verify(), the first of which is the token that we'll get from the client. Whether cookies or headers can be used to obtain the token. The authorization header is where the token is sent in this case. 

Now, all protected routes can utilize the above authenticateToken middleware method to check whether a user is authorized to access data there. As an illustration: 

app.get("/dashboard", authenticateToken, (req,res)=>{ 
   res.send('<h1>Welcome to dashboard</h1>') 
}) 

Therefore, we utilized the authenticateToken middleware method in the code above, If the client's request has a valid JWT token, the user will get the Welcome to dashboard header otherwise. 

3. Passwordless Authentication

The other forms of authentication cannot even remotely compare to this one. To log in, no credentials are required. You will receive a magic link or one-time password each time you wish to log in; all you need is an email address or phone number linked to an account. When you click the link, the app opens, and you will have already logged in. After that, the magic link is no longer active and cannot be used by anybody else. 

A JWT is also generated along with the magic link when it is created. In this way, authentication takes place. It's much more difficult for hackers to break into your machine using this login technique. 

import cors from "cors"; 
import express from "express"; 
const PORT = process.env.PORT || 4000; 
const app = express(); 
// Set up middleware 
app.use(cors()); 
app.use(express.json()); 
app.use(express.urlencoded({ extended: false })); 
// Login endpoint 
app.post("/login", (req, res) => { 
  const email = req.body.email; 
  if (!email) { 
    res.statusCode(403); 
    res.send({ 
      message: "There is no email address that matches this.", 
    }); 
  } 
  if (email) { 
    res.statusCode(200); 
    res.send(email); 
  } 
}); 
// Start up the server on the port defined in the environment 
const server = app.listen(PORT, () => { 
  console.info("Server running on port " + PORT) 
}) 
export default server   

After setting up this foundational server, we can begin including more features. Let's add the email service we'll be using right away. Import nodemailer after adding it to your package.json. 

import nodeMailer from "nodemailer";  

After that, we'll create an email transporter below the middleware. This code creates the email template with some basic HTML and configures nodemailer. 

const transport = nodeMailer.createTransport({ 
  host: process.env.EMAIL_HOST, 
  port: 587, 
  auth: { 
      user: process.env.EMAIL_USER, 
      pass: process.env.EMAIL_PASSWORD 
  } 
}); 
// Make email template for magic link 
const emailTemplate = ({ username, link }) => ` 
  <h2>Hey ${username}</h2> 
  <p>Here's the login link you just requested:</p> 
  <p>${link}</p> 

The token that contains the user's information must then be created. This is merely an illustration of some of the fundamental components that a token might contain. User permissions, unique access codes, and other details that would be useful in your programme could also be included. 

const makeToken = (email) => { 
  const expirationDate = new Date(); 
  expirationDate.setHours(new Date().getHours() + 1); 
  return jwt.sign({ email, expirationDate }, process.env.JWT_SECRET_KEY); 
}; 

An alternate approach to learning more about Node.js apps and environment variables is to go through the Node.js certification by knowledgeHut . 

Guide to Node.js User Authentication with Auth0 

You may secure your web application stack without being an expert in identity standards like OAuth 2.0 or OpenID Connect with the aid of Auth0. You must first incorporate Auth0 into your application. When users need to log in, your application will reroute them to an Auth0 customizable login page. When users successfully log in, Auth0 returns them to your app with JSON Web Tokens (JWTs) containing their authentication and user data. 

Get the Starter Application

To give you practical experience with node server security topics, we have developed a starter project. The starter application handles the styling and layout of your application using Bootstrap and a custom theme. To protect your application, you can concentrate on creating Express js components. 

To begin, clone the auth0-express-pug-sample repository's starting branch: 

git clone -b starter git@github.com:auth0-blog/auth0-express-pug-sample.git 

Install Node.js dependencies: 

npm install 

Create and populate .env file with: 

DEV_PORT=4041 
PROD_PORT=4040 

Run Node.js server by entering the command shown below: 

npm run dev 

By leveraging Browsersync, Express server templates may emulate the live reload functionality of front-end frameworks like React and Angular. So when source code is modified, such as when you alter a CSS rule or change a function's return value, the browser will immediately refresh. 

The following command should be entered in a different command prompt to serve as your express application user interface: 

npm run ui 

Connect Express with Auth0 

During the registration process, an Auth0 Tenant, which symbolizes the product or service to which you are adding authentication, is formed. 

Auth0 directs you to the Dashboard after you log in. Click "Applications" on the left sidebar menu. 

Next, select "Create Application" from the menu. A modal window with a form for naming the programme and selecting its kind appears. 

For the process to be finished, select "Create" button. The page for your Auth0 application opens. 

You don't need to create Node.js login forms if you utilize Auth0. To lessen the administrative burden of implementing and managing authentication, Auth0 provides a Universal Login page. 

How does the Universal Login function? 

Every time an authentication request is made by a user in your Express application, they are redirected to Auth0. They will see a login screen from Auth0. Following their successful login, Auth0 will reroute them to your Express application. The URLs that Auth0 can send users to after authenticating them must be specified in your Auth0 Application Settings so that they are redirected to the place safely. 

Configure Express to use the Auth0 configuration variables. 

To enable the connection bridge you constructed to be used by your Express application, you need the Auth0 Domain and Client ID data from the Auth0 Application Settings page. 

In your auth0-express-pug-sample project directory, open the .env file and make the following changes: 

DEV PORT=4041  

PROD PORT=4040  

AUTH0 ISSUER BASE URL=https://<AUTH0 DOMAIN>/  

AUTH0 CLIENT ID=  

The domain from the "Settings" is represented by <AUTH0 DOMAIN> for the AUTH0_ISSUER_BASE_URL value.  

Client ID can be found in the "Settings" as AUTH0_CLIENT_ID. 

With the aid of these variables, your Express application can establish its legitimacy when communicating with the Auth0 authentication server. 

Setup of the Auth0 and Express connections 

You've finished configuring a login that your Express application can utilize. The final step is to continue adding components as you develop the basic project all through Node.js tutorial in order to start the Node.js authentication flow and manage it. 

Join our Full stack Development course to advance your software development skills.  

Set Up Express OpenID Connect 

To connect the Express OpenID Connect library with your Express application, you must adhere to these procedures. 

Install Express OpenID Connect 

Run the following: 

npm install express-openid-connect 

Configure Express OpenID Connect

Open the .env file and edit them: 

DEV_PORT=4041 

PROD_PORT=4040 

AUTH0_ISSUER_BASE_URL=<...> 

AUTH0_CLIENT_ID=<...> 

BASE_URL=http://localhost:4040 

SESSION_SECRET= 

• To create an acceptable string for the session secret, use the following command: 

node -e "console.log (crypto.randomBytes(32).toString('hex'))"  

• The output of the aforementioned command should be copied and pasted into the value for SESSION SECRET in .env. 
• You must restart the Node.js server to notice these updated environment variables. Find the terminal window where you previously executed npm run dev, close it, and then run it once more. 

User authentication is a method for keeping track of who is using your application and limiting their access. For instance, you can restrict access to some areas for users who are not logged in. 

Users will be stopped and asked for their credentials by Auth0 if they attempt to enter a protected route from your application. Auth0 will admit them if it can confirm their identity and they have permission to enter. If not, Auth0 will redirect them to a route for a public application. 

It's crucial to stress once more that the authentication procedure won't take place at the application layer. When a user visits the Auth0 Universal Login page from your Express application, Auth0 api requests their credentials and then sends them back to your application with the results of the authentication process. 

The auth router is provided by the Express OpenID Connect library so that your application can attach authentication routes. Express OpenID Connect will handle the implementation of /login and /logout controllers for you. 

Express-openid-connect must now be initialized, set up, and integrated with your Express authentication application. 

Open src/index.js and update the Required External Modules section to import auth: 

// src/index.js 
const express = require('express'); 
const path = require('path'); 
const { auth } = require('express-openid-connect'); 

Then, update the App Configuration section to initialize and use auth as an Express middleware function: 

app.set('views', path.join(__dirname, 'views')); 
app.set('view engine', 'pug'); 
app.use(express.static(path.join(__dirname, '..', 'public'))); 
app.use( 
  auth({ 
    issuerBaseURL: process.env.AUTH0_ISSUER_BASE_URL, 
    baseURL: process.env.BASE_URL, 
    clientID: process.env.AUTH0_CLIENT_ID, 
    secret: process.env.SESSION_SECRET, 
    authRequired: false, 
    auth0Logout: true, 
  }), 
); 

The two new properties authRequired and auth0Logout are being added.  

When you set the boolean value authRequired to true, Express OpenID Connect is configured to demand authentications for all routes. You'll have a mixture of public and protected pathways for this project. This property is therefore set to false. 

Another boolean parameter called auth0Logout makes it possible to log out a user from an Auth0 session by enabling the Auth0 logout capability. There are normally three sessions layers to consider when adding logout functionality to an application: 

• Identity Provider Session Layer  
• Application Session Layer  
• Auth0 Session Layer 

One can configure the Auth0 authentication api to log the user out from the application, from the Auth0 session, or from Google itself, for instance, when one of your users signed in using Google.  

Add User Authentication

For your users to initiate the authentication events of sign-in, sign-out, and registration, you must design UI components. 

An oidc namespace is created by Express OpenID Connect in the req object of your application. The library keeps authentication methods and information in this namespace, including a user object to contain user profile data and a login function to personalise the login process. 

Create a Login Button

Establish a login button. src/components/ directory's pug file: 

touch src/components/login-button.pug 

Create a mixin in src/components/login-button.pug to serve as a representation of a login button component: 

mixin login-button() 
  button( 
    class="btn btn-primary btn-block", 
    onclick="window.location='/login'" 
  ) Log In 

Create a sign-up button

Create a /signup route controller to force users to land on a sign-up page rather than a login page. 

Open the src/index.js file to get started. Find the section on Routes Definitions. Routes for each feature of your Express web application are defined in several subsections under this section. Find the > Authentication subsection and make the following changes: 

app.get('/signup', (req, res) => { 
  res.oidc.login({ 
    authorizationParams: { 
      screen_hint: 'signup', 
    }, 
  }); 
}); 

You develop a route controller for /sign-up that has access to the res.oidc.login() method. To modify the user login experience, this technique requires certain LoginOptions. 

Here, you override the pre-configured authorizationParams, which Express OpenID Connect uses to direct users to Auth0 for login when redirecting them to a URL. 

Depending on your use case, you can pass new values to modify what the Auth0 authorization server returns. Just specify the screen hint=signup property as an authorization parameter in your /sign-up controller to include all to a sign-up form. 

{ 
  authorizationParams: { 
    screen_hint: "signup", 
  }, 
} 

Retrieving User Information 

You can customise the Express application's user interface by using profile information that is kept in your Auth0 user database. This profile information is made available in the req.oidc.user object by the node express OpenID Connect library. The name, nickname, image, and email of the logged-in user are just a few of the user details that are accessible. 

In the Routes Definitions > Profile section of src/index.js, change the /profile route controller as follows: 

app.get('/profile', (req, res) => { 
  res.render('profile', { 
    user: req.oidc.user, 
  }); 
}); 

Next, make the following changes to the /profile template found in src/views/profile.pug: 

extends ../components/layout 
block content 
  if user 
    div 
      div(class="row align-items-center profile-header") 
        div(class="col-md-2 mb-3") 
          img( 
            class="rounded-circle img-fluid profile-picture mb-3 mb-md-0" 
            src=user.picture 
            alt="Profile" 
          ) 
        div(class="col-md text-center text-md-left") 
          h2 #{user.name} 
          p(class="lead text-muted") #{user.email} 
      div(class="row") 
        pre(class="col-12 text-light bg-dark p-4") 
          | #{JSON.stringify(user, null, 2)} 

You might consider protected user information to be rendered using the profile template. In addition, if no user is currently logged in, the user property is null. In either case, Auth0 should have authorized the user before this component renders. 

Protecting Routes

You can use the requiresAuth() middleware function exposed by the Express OpenID Connect module to make users log in before they can access a certain route. Users who attempt to access the route using Express without being logged in will be redirected to the Auth0 Universal Login page.  

Open src/index.js and update the Required External Modules 
const express = require('express'); 
const path = require('path'); 
const { auth, requiresAuth } = require('express-openid-connect'); 
Update the Routes Definitions > Profile subsection of src/index.js  
app.get('/profile', requiresAuth(), (req, res) => { 
  res.render('profile', { 
    user: req.oidc.user, 
  }); 
}); 

Now, when users access a protected route without being logged in, your Express application will reroute them to the login page. The user will be redirected to the page they were looking for before logging in by Auth0 after logging in. 

You can now verify that access to /profile requires users to log in. Try to view the Profile page once again after logging out. If it succeeds, Express directs you to use Auth0 to log in. 

Calling an API 

When you utilize Auth0, you give a centralized service control over the authentication process. You could log users in and out of your Express application using Auth0. The secured resources from an external API, such as contacts, images, or purchase histories, can yet be accessed by your application. 

Auth0 can also be used to secure an API. You may integrate Auth0 with your backend platform via a variety of API quickstarts. 

By using Auth0 to secure your API, you also give control over the authorization procedure to a centralized service, ensuring that only authorized client programmes can access secured resources on a user's behalf. 

Are you ready to become a Python master? Join our Python Master Course and unlock the secrets of this powerful programming language. From beginner to expert, we've got you covered. Don't miss out on this unique opportunity to level up your coding skills. Enroll now!

Conclusion

To identify your users, obtain user profiles, and manage the material that your users can access, you have developed user authentication in Express by securing routes and API resources. 

JWT, authentication, authorization, and CORS were all topics covered. Additionally, we discovered how to build a Node.js API that uses a JWT token for authentication. 

You might not have the time to put the effort into creating your own authentication system. You may incorporate authentication into your app using a variety of already-existing libraries and services. Some of the most popular ones include Auth0 and Passport.js. 

Now that you’ve learned a bit more about Authentication in Node.js, it's high time to learn Node.js in depth with KnowledgehHut’s Node.js certification and utilize this in real Node.js projects.