CHAPTER 18. Security

Authentication

Passport

git clone https://github.com/passport/todos-express-starter.git username-password-tutorial

Node.js Basics

  1. Installing Node.js:

  2. Checking Node.js Version:

    • Check the installed Node.js version: node -v

  3. npm (Node Package Manager):

    • Install packages: npm install package-name

    • Initialize a new project: npm init

  4. Creating a Basic Server:

    • Create a simple HTTP server:

 const http = require('http');
 const server = http.createServer((req, res) => {
   res.writeHead(200, { 'Content-Type': 'text/plain' });
   res.end('Hello, Node.js!');
 });
 server.listen(3000, 'localhost', () => {
   console.log('Server is running on http://localhost:3000/');
 });

Modules

  1. CommonJS Modules:

    • Node.js uses CommonJS module system.

    • Import modules: const module = require('module-name')

    • Export modules: module.exports = something

  2. Built-in Modules:

    • Node.js provides a set of core modules like fs, http, and path.

  3. Creating and Using Custom Modules:

    • Create a module in a separate file and use require to import it.

File System Operations

  1. fs (File System):

    • Read a file: fs.readFile('file.txt', 'utf8', (err, data) ⇒ { /* …​ */ });

    • Write to a file: fs.writeFile('file.txt', 'data', (err) ⇒ { /* …​ */ });

  2. Path Module:

    • Handle file and directory paths: const path = require('path');

Asynchronous Programming

  1. Callbacks:

    • Use callbacks to handle asynchronous operations.

  2. Promises:

    • Promises provide a cleaner way to handle async operations.

    • Create a Promise with new Promise((resolve, reject) ⇒ { /* …​ */ });

  3. Async/Await:

    • Modern way to handle async operations using async and await keywords.

Event Emitter

  1. EventEmitter:

    • Core module for handling events in Node.js.

  2. Custom Events:

    • Create and emit custom events using EventEmitter.

HTTP and Networking

  1. http Module:

    • Create HTTP servers and clients.

    • Make HTTP requests using http.get() or http.request().

  2. Express.js:

    • Popular web framework for building web applications and APIs.

Working with JSON

  1. JSON Parsing:

    • Parse JSON: JSON.parse(jsonString)

  2. JSON Stringify:

    • Convert an object to JSON: JSON.stringify(jsonObject)

Debugging

  1. console.log():

    • Print messages to the console for debugging.

  2. Node.js Debugger:

    • Debug Node.js applications using the built-in debugger.

Streams

  1. Streams:

    • Efficiently process data in chunks, such as files or network data.

  2. Readable Streams:

    • Read data from a source.

  3. Writable Streams:

    • Write data to a destination.

Express.js Basics

  1. Installing Express.js:

    • Install Express.js using npm: npm install express

  2. Creating an Express App:

    • Import and initialize Express: const express = require('express');

    • Create an Express application: const app = express();

  3. Starting the Server:

    • Start the server on a specific port: app.listen(3000, () ⇒ console.log('Server started on port 3000'));

  4. Routing:

    • Define routes using HTTP verbs (GET, POST, PUT, DELETE).

  5. Middleware:

    • Use middleware functions for request processing.

    • Add middleware using app.use().

  6. Static Files:

    • Serve static files (e.g., CSS, images) using express.static() middleware.

Routing

  1. Basic Routing:

    • Handle requests with app.get(), app.post(), etc.

    • Define route parameters with :param.

  2. Route Parameters:

    • Access route parameters using req.params.

  3. Route Handlers:

    • Define route-specific middleware using app.use().

  4. Middleware Functions:

    • Middleware functions have access to req (request) and res (response) objects.

  5. Error Handling:

    • Handle errors with app.use() middleware functions with four parameters (error handling middleware).

  6. Redirects:

    • Redirect requests using res.redirect().

Request and Response Objects

  1. req (Request Object):

    • Contains information about the incoming request (e.g., req.params, req.query).

  2. res (Response Object):

    • Used to send responses to the client.

  3. Response Methods:

    • res.send(): Send a response.

    • res.json(): Send JSON response.

    • res.status(): Set the HTTP status code.

    • res.render(): Render HTML templates.

Middleware

  1. Custom Middleware:

    • Create custom middleware functions using app.use().

  2. Third-party Middleware:

    • Use third-party middleware for tasks like body parsing (body-parser) and authentication (passport).

Templating Engines

  1. Using Templating Engines:

    • Integrate templating engines like EJS or Pug using app.set('view engine', 'engine-name').

  2. Rendering Views:

    • Render views using res.render().

RESTful APIs

  1. RESTful Routes:

    • Design routes following RESTful principles (e.g., /api/users, GET /api/users/:id).

  2. CRUD Operations:

    • Implement CRUD (Create, Read, Update, Delete) operations for resources.

  3. JSON API:

    • Serve and consume JSON data for RESTful APIs.

Authentication and Authorization

  1. Authentication:

    • Implement user authentication using middleware (e.g., Passport.js).

  2. Authorization:

    • Control access to routes using authorization middleware.

Error Handling

  1. Global Error Handler:

    • Create a global error handler to catch and handle errors.

  2. HTTP Error Codes:

    • Use appropriate HTTP status codes (e.g., 404 for not found, 500 for server errors).

  3. Logging Errors:

    • Log errors for debugging and monitoring.

Passport.js Basics

  1. Installing Passport.js:

    • Install Passport.js using npm: npm install passport

  2. Setting Up Passport.js:

    • Import Passport.js and initialize it:

 const passport = require('passport');
 app.use(passport.initialize());
 app.use(passport.session());
  1. Authentication Strategies:

    • Passport.js supports various authentication strategies, including Local, OAuth, and more.

Local Authentication (Username/Password)

  1. Local Strategy:

    • Authenticate users with a username and password.

    • Install passport-local strategy: npm install passport-local

  2. Configuring the Local Strategy:

    • Configure Passport to use the Local Strategy:

 const LocalStrategy = require('passport-local').Strategy;

 passport.use(new LocalStrategy(
   (username, password, done) => {
     // Find user in the database and verify credentials
     // Call done() with user or false based on authentication
   }
 ));
  1. Serializing and Deserializing Users:

    • Serialize user to the session and deserialize user from the session:

 passport.serializeUser((user, done) => {
   done(null, user.id);
 });

 passport.deserializeUser((id, done) => {
   // Retrieve user by ID from the database
   done(null, user);
 });
  1. Authentication Routes:

    • Create routes for login, registration, and logout.

  2. Middleware:

    • Protect routes by adding passport.authenticate() as middleware.

OAuth Authentication

  1. OAuth Strategies:

    • Implement OAuth authentication with strategies like Google, Facebook, Twitter, etc.

    • Install passport-oauth strategy: npm install passport-oauth

  2. Configuring OAuth Strategies:

    • Configure Passport to use an OAuth strategy:

 const OAuthStrategy = require('passport-oauth').OAuthStrategy;

 passport.use(new OAuthStrategy(
   {
     // Strategy options
   },
   (token, tokenSecret, profile, done) => {
     // Verify user and fetch profile
     // Call done() with user or false based on authentication
   }
 ));
  1. OAuth Redirects:

    • Handle OAuth callback and redirect URLs.

  2. Middleware:

    • Protect routes with passport.authenticate() for OAuth authentication.

Custom Authentication Strategies

  1. Custom Strategies:

    • Implement custom authentication strategies by extending passport.Strategy.

  2. Configuring Custom Strategies:

    • Configure and use custom strategies with Passport.js.

Sessions and Cookies

  1. Sessions:

    • Passport.js manages user sessions.

    • Serialize and deserialize user objects to/from sessions.

  2. Cookies:

    • Passport.js uses cookies to store session data.

User Authorization

  1. User Roles and Permissions:

    • Implement user roles and permissions to control access to resources.

  2. Authorization Middleware:

    • Create custom authorization middleware functions.

OAuth Basics

  1. What is OAuth?:

    • OAuth (Open Authorization) is an open standard protocol for securing authorization and authentication between two parties, often referred to as the client and the resource owner (usually a user).

  2. OAuth Roles:

    • Resource Owner: The user who grants access to their protected resources.

    • Client: The application requesting access to the protected resources.

    • Authorization Server: The server that authenticates the user and issues access tokens.

    • Resource Server: The server that hosts the protected resources.

  3. OAuth Flows:

    • OAuth defines multiple flows, including:

    • Authorization Code Flow

    • Implicit Flow

    • Client Credentials Flow

    • Resource Owner Password Credentials Flow

  4. Access Token:

    • An access token is a short-lived credential that authorizes the client to access specific resources on behalf of the user.

  5. Refresh Token:

    • A refresh token is a long-lived credential used to obtain a new access token when it expires without requiring the user to log in again.

OAuth 2.0 Authorization Code Flow

  1. Authorization Request:

    • The client initiates the flow by redirecting the user to the authorization server’s authorization endpoint.

    • Includes client ID, redirect URI, and scope.

  2. User Authentication:

    • The user authenticates with the authorization server.

  3. Authorization Grant:

    • After successful authentication, the authorization server redirects the user back to the client’s redirect URI with an authorization code.

  4. Access Token Request:

    • The client exchanges the authorization code for an access token by making a POST request to the token endpoint.

    • Includes client credentials, authorization code, and redirect URI.

  5. Access Token Response:

    • The authorization server responds with an access token and, optionally, a refresh token.

  6. Accessing Protected Resources:

    • The client uses the access token to request and access protected resources from the resource server.

OAuth 2.0 Implicit Flow

  1. Authorization Request:

    • Similar to the Authorization Code Flow but returns the access token directly in the URL fragment.

  2. User Authentication:

    • The user authenticates with the authorization server.

  3. Access Token Response:

    • The authorization server sends the access token as a URL fragment to the client’s redirect URI.

  4. Accessing Protected Resources:

    • The client can immediately access protected resources using the access token.

OAuth 2.0 Client Credentials Flow

  1. Access Token Request:

    • The client directly requests an access token from the authorization server by sending its client credentials (client ID and client secret).

  2. Access Token Response:

    • The authorization server responds with an access token.

  3. Accessing Protected Resources:

    • The client uses the access token to access protected resources from the resource server.

OAuth 2.0 Resource Owner Password Credentials Flow

  1. Access Token Request:

    • The client requests an access token by sending the user’s credentials (username and password) to the authorization server.

  2. Access Token Response:

    • The authorization server responds with an access token.

  3. Accessing Protected Resources:

    • The client uses the access token to access protected resources from the resource server.

OAuth 2.0 Security Best Practices

  1. Use HTTPS:

    • Always use HTTPS to secure communication between the client and the authorization server.

  2. Client Authentication:

    • Protect client credentials, and consider using client authentication for all flows.

  3. Token Expiration and Refresh:

    • Implement token expiration and refresh mechanisms to enhance security.

  4. Scopes:

    • Limit the scope of access requested by the client to the minimum required for its functionality.

  5. User Consent:

    • Ensure users provide informed consent before granting access to their data.

  6. Token Revocation:

    • Implement token revocation to allow users to revoke access.

  7. Token Storage:

    • Safely store tokens on the client-side, using best practices for securing tokens.