Skip to content
/ web-authentication-documentation Public

web-authentication-documentation with [learnwithfair, Learn with fair, Rahatul Rabbi, Md Rahatul Rabbi ,rahatulrabbi]. In this repo I describes about Database Matching, Database Encryption Hashing, Hashing + Salting Password, Cookies and Session with Passport, Google OAuth with passport session based, Passport-jwt (token based)

1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

learnwithfair/web-authentication-documentation

BranchesTags

Repository files navigation

WEB-AUTHENTICATION-DOCUMENTATION

Thanks for visiting my GitHub account!

Web Authentication is a web standard published by the World Wide Web Consortium. WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance see-more

Source Code (Download)

Click Here

Authentication Schema
Schema
schema

Table of Contents

  1. Database Matching
  2. Database Encryption
  3. Hashing Password
  4. Hashing + Salting Password
  5. Cookies & Session with Passport
  6. Google OAuth with passport session based
  7. Passport-jwt (token based)
  8. Follow Me

Level 1: Database matching

  • save(), find({property: value})
  • if hacker can access our database then our data is too much human readable
  • password checker online

Level 2: Database Encryption

  • read mongoose encryption documentation: https://www.npmjs.com/package/mongoose-encryption

  • install mongoose encryption npm install mongoose-encryption

  • create new mongoose Schema

    const mongoose = require("mongoose");
const encrypt = require("mongoose-encryption");

const userSchema = new mongoose.Schema({
  name: String,
  age: Number,
  // whatever else
});

  • create an encryption key inside .env file

    ENCRYPTION_KEY = thisismyencryptionkey;

  • set encryption key with our schema

    const encrypt = require("mongoose-encryption");

const encKey = process.env.ENCRYPTION_KEY;
// encrypt age regardless of any other options. name and _id will be left unencrypted
userSchema.plugin(encrypt, {
  secret: encKey,
  encryptedFields: ["age"],
});

User = mongoose.model("User", userSchema);

Level 3: Hashing password

  • no cncryption key; we will use hashing algorithm

  • hackers can not convert to plain text as no encryption key is available

  • md5 package: https://www.npmjs.com/package/md5

  • install md5 npm package: npm install md5

  • usage

    var md5 = require("md5");
console.log(md5("message"));
// 78e731027d8fd50ed642340b7c9a63b3

// hash password when create it
const newUser = new User({
  email: req.body.username,
  password: md5(req.body.password),
});

app.post("/login", async (req, res) => {
  try {
    const email = req.body.email;
    const password = md5(req.body.password);
    const user = await User.findOne({ email: email });
    if (user && user.password === password) {
      res.status(200).json({ status: "valid user" });
    } else {
      res.status(404).json({ status: "Not valid user" });
    }
  } catch (error) {
    res.status(500).json(error.message);
  }
});

Level 4: Hashing + salting password

  • we can hash the password with some random number(salting)

  • install bcrypt npm package npm install bcrypt

  • usage

    const bcrypt = require("bcrypt");
const saltRounds = 10;

app.post("/register", async (req, res) => {
  try {
    bcrypt.hash(req.body.password, saltRounds, async function (err, hash) {
      const newUser = new User({
        email: req.body.email,
        password: hash,
      });
      await newUser.save();
      res.status(201).json(newUser);
    });
  } catch (error) {
    res.status(500).json(error.message);
  }
});

app.post("/login", async (req, res) => {
  try {
    const email = req.body.email;
    const password = req.body.password;
    const user = await User.findOne({ email: email });
    if (user) {
      bcrypt.compare(password, user.password, function (err, result) {
        if (result === true) {
          res.status(200).json({ status: "valid user" });
        }
      });
    } else {
      res.status(404).json({ status: "Not valid user" });
    }
  } catch (error) {
    res.status(500).json(error.message);
  }
});

Level 5: Cookies & Session with passport

  • passport local strategy

  • npm install passport passport-local passport-local-mongoose express-session

  • my computer browser -> browse aliexpress (GET Request) -> to aliexpress server -> response the website -> add some items to the cart (post request to the server) -> aliexpress server will response and tell the browser to create a file in my computer for storing my selection -> so when next time we make a get request to the server we send the cookie with the get request -> server will return the cart again

  • cookie is a text file created by server on a user's device when we visit a website

  • that stores limited information such as login credentials - username, password; user preferences, cart contents from a web browser session

  • saving users behaviour

  • read more about cookies - https://www.trendmicro.com/vinfo/us/security/definition/cookies

  • types of cookies -> session cookie, presistent cookie, supercookie

  • login -> save user credentials as cookie for next time authentication -> log out and the session is destroyed

  • salt and hash is automatically generated by passport-local-mongoose

  • express session package create the cookie

  1. passport js framework has 2 separeate libraries
  • Passport JS Library (main) - maintain session information for user authentication
  • strategy library - methodology for authenticate an user - passport-local, passport-facebook, passport-oauth2 etc.

  1. Login process handled by 2 steps: i) session management (Passport.js), ii) authentication (strategy) npm install passport-local npm install passport-facebook

  2. for managing session Passport.js library takes help from express-session library npm install passport express-session

  3. source code

  • bootstrap the project

    • installing & requiring packages npm install express nodemon dotenv mongoose ejs cors

    • creating server

      //app.js
const express = require("express");
const cors = require("cors");
const ejs = require("ejs");

const app = express();

app.set("view engine", "ejs");
app.use(cors());
app.use(express.urlencoded({ extended: true }));
app.use(express.json());

module.exports = app;

//index.js
const app = require("./app");
const PORT = 4000;
app.listen(PORT, () => {
  console.log(`app is running at http://localhost:${PORT}`);
});

    • creating routes including try,catch

      // base url
app.get("/", (req, res) => {
  res.render("index");
});

// register routes
app.get("/register", (req, res) => {
  res.render("register");
});

app.post("/register", (req, res) => {
  try {
    res.status(201).send("user is registered");
  } catch (error) {
    req.status(500).send(error.message);
  }
});

// login routes
app.get("/login", (req, res) => {
  res.render("login");
});

app.post("/login", (req, res) => {
  try {
    res.status(201).send("user is logged in");
  } catch (error) {
    req.status(500).send(error.message);
  }
});

// logout routes
app.get("/logout", (req, res) => {
  res.redirect("/");
});

// profile protected routes
app.get("/profile", (req, res) => {
  res.render("profile");
});

    • creating ejs files

      • create layout

        <!-- views/layout/header.ejs -->
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
    <meta
      name="viewport"
      content="width=device-width, initial-scale=1.0"
    />
    <title>Document</title>
  </head>
  <body>
    <header>
      <nav>
        <a href="/">Home</a>
        <a href="/register">Register</a>
        <a href="/login">Login</a>
        <a href="/profile">Profile</a>
        <a href="/logout">Logout</a>
      </nav>
    </header>
  </body>
</html>

<!-- views/layout/footer.ejs -->
    <footer>
      <p>copyright by Rahatul Rabbi</p>
    </footer>
  </body>
</html>

      • create pages

        <!-- views/index.ejs -->
<%-include("layout/header")%>
<main>
  <h1>Home Page</h1>
</main>
<%-include("layout/footer")%>

<!-- views/register.ejs -->
<%-include("layout/header")%>
<main>
  <h1>Register Page</h1>
  <form action="/register" method="post">
    <div>
      <label for="username">username: </label>
      <input type="text" id="username" name="username" />
    </div>
    <br />
    <div>
      <label for="password">password: </label>
      <input type="password" id="password" name="password" />
    </div>
    <br />
    <button type="submit">Register</button>
  </form>
</main>
<%-include("layout/footer")%>

<!-- views/login.ejs -->
<%-include("layout/header")%>
<main>
  <h1>Login Page</h1>
  <form action="/register" method="post">
    <div>
      <label for="username">username: </label>
      <input type="text" id="username" name="username" />
    </div>
    <br />
    <div>
      <label for="password">password: </label>
      <input type="password" id="password" name="password" />
    </div>
    <br />
    <button type="submit">Login</button>
  </form>
</main>
<%-include("layout/footer")%>

<!-- views/profile.ejs -->
<%-include("layout/header")%>
<main>
  <h1>Profile Page</h1>
</main>
<%-include("layout/footer")%>

  • create model and connect to mongodb

    // models/user.model.js
const mongoose = require("mongoose");
const userSchema = mongoose.Schema({
  username: {
    type: String,
    require: true,
    unique: true,
  },
  password: {
    type: String,
    require: true,
  },
});
const User = mongoose.model("User", userSchema);
module.exports = User;

// config/database.js
const mongoose = require("mongoose");
mongoose
  .connect("mongodb://localhost:27017/passportDB")
  .then(() => {
    console.log("db is connected");
  })
  .catch((error) => {
    console.log(error.message);
  });

// app.js
require("./config/database");

  • register an user

//app.js
const User = require("./models/user.model");

app.post("/register", async (req, res) => {
  try {
    const user = await User.findOne({ username: req.body.username });
    if (user) return res.status(400).send("User already exist");
    const newUser = new User(req.body);
    await newUser.save();
    res.status(201).send(newUser);
  } catch (error) {
    req.status(500).send(error.message);
  }
});
  • encrypt the user password using bcrypt hashing+salting npm install bcrypt
//app.js
const bcrypt = require("bcrypt");
const saltRounds = 10;

app.post("/register", async (req, res) => {
  try {
    const user = await User.findOne({ username: req.body.username });
    if (user) return res.status(400).send("User already exist");

    bcrypt.hash(req.body.password, saltRounds, async (err, hash) => {
      const newUser = new User({
        username: req.body.username,
        password: hash,
      });
      await newUser.save();
      res.redirect("/login");
    });
  } catch (error) {
    res.status(500).send(error.message);
  }
});

  • create and add session npm install passport express-session connect-mongo

    //Import the main Passport and Express-Session library
const passport = require("passport");
const session = require("express-session");
// for storing session in different collection
const MongoStore = require("connect-mongo");

// setting middleware
app.set("trust proxy", 1); // trust first proxy
app.use(
  session({
    secret: "keyboard cat",
    resave: false,
    saveUninitialized: true,
    store: MongoStore.create({
      mongoUrl: "mongodb://localhost:27017/testPassportDB",
      collectionName: "sessions",
    }),
    // cookie: { secure: true },
    // cookie: { maxAge: 1000 * 60 * 60 * 24 },
  })
);

app.use(passport.initialize());
// init passport on every route call.
app.use(passport.session());
// allow passport to use "express-session".

  • set passport-local configuration npm install passport-local

    // passport.js
const User = require("../model/user.model");
const passport = require("passport");
const bcrypt = require("bcrypt");
const LocalStrategy = require("passport-local").Strategy;
passport.use(
  new LocalStrategy(async function (username, password, done) {
    try {
      const user = await User.findOne({ username: username });
      // wrong username
      if (!user) {
        return done(null, false, { message: "Incorrect Username" });
      }

      // wrong password
      if (!bcrypt.compare(password, user.password)) {
        return done(null, false, { message: "Incorrect Password" });
      }

      // if user found
      return done(null, user);
    } catch (error) {
      return done(error);
    }
  })
);

// create session id
// whenever we login it creares user id inside session
passport.serializeUser((user, done) => {
  done(null, user.id);
});

// find session info using session id
passport.deserializeUser(async (id, done) => {
  try {
    const user = await User.findById(id);
    done(null, user);
  } catch (error) {
    done(error, false);
  }
});

  • authenticate user using passport-local

// app.js
// login using passport-local strategy
const checkLoggedIn = (req, res, next) => {
  if (req.isAuthenticated()) {
    return res.redirect("/profile");
  }
  next();
};

// login routes
app.get("/login", checkLoggedIn, (req, res) => {
  try {
    res.render("login");
  } catch (error) {
    req.status(500).send(error.message);
  }
});

// register routes
app.get("/register", checkLoggedIn, (req, res) => {
  res.render("register");
});

  • check user is already logged in or not

    const checkAuthenticated = (req, res, next) => {
  if (req.isAuthenticated()) {
    return next();
  }
  res.redirect("/login");
};

// profile protected routes
app.get("/profile", checkAuthenticated, (req, res) => {
  res.render("profile");
});

  • logout route setup

    // logout routes
app.get("/logout", (req, res) => {
  try {
    req.logout((err) => {
      if (err) {
        return next(err);
      }
      res.redirect("/");
    });
  } catch (error) {
    req.status(500).send(error.message);
  }
});

  • finally the entire app.js

    const express = require("express");
const cors = require("cors");
const ejs = require("ejs");
const bcrypt = require("bcrypt");
const saltRounds = 10;
const passport = require("passport");
const session = require("express-session");
// for storing session in different collection
const MongoStore = require("connect-mongo");

require("./config/database");
require("./config/passport");

const User = require("./model/user.model");

const app = express();

app.set("view engine", "ejs");
app.use(cors());
app.use(express.urlencoded({ extended: true }));
app.use(express.json());

// setting middleware
app.set("trust proxy", 1); // trust first proxy
app.use(
  session({
    secret: "keyboard cat",
    resave: false,
    saveUninitialized: true,
    store: MongoStore.create({
      mongoUrl: "mongodb://localhost:27017/passportDB",
      collectionName: "sessions",
    }),
    // cookie: { maxAge: 1000 * 60 * 60 * 24 },
  })
);

app.use(passport.initialize());
// init passport on every route call.
app.use(passport.session());
// allow passport to use "express-session".

const checkLoggedIn = (req, res, next) => {
  if (req.isAuthenticated()) {
    return res.redirect("/profile");
  }
  next();
};

// base url
app.get("/", (req, res) => {
  res.render("index");
});

// register routes
app.get("/register", checkLoggedIn, (req, res) => {
  res.render("register");
});

app.post("/register", async (req, res) => {
  try {
    const user = await User.findOne({ username: req.body.username });
    if (user) return res.status(400).send("User already exist");

    bcrypt.hash(req.body.password, saltRounds, async (err, hash) => {
      const newUser = new User({
        username: req.body.username,
        password: hash,
      });
      await newUser.save();
      res.redirect("/login");
    });
  } catch (error) {
    res.status(500).send(error.message);
  }
});

// login routes
app.get("/login", checkLoggedIn, (req, res) => {
  res.render("login");
});

app.post(
  "/login",
  passport.authenticate("local", { successRedirect: "/profile" })
);

// logout routes
app.get("/logout", (req, res) => {
  try {
    req.logout((err) => {
      if (err) {
        return next(err);
      }
      res.redirect("/");
    });
  } catch (error) {
    req.status(500).send(error.message);
  }
});

const checkAuthenticated = (req, res, next) => {
  if (req.isAuthenticated()) {
    return next();
  }
  res.redirect("/login");
};

// profile protected routes
app.get("/profile", checkAuthenticated, (req, res) => {
  res.render("profile");
});

module.exports = app;

Level 6: Google OAuth with passport session based

  • setup database name in db and also for session

  • change in schema

    const mongoose = require("mongoose");
const userSchema = mongoose.Schema({
  username: {
    type: String,
    require: true,
    unique: true,
  },
  googleId: {
    type: String,
    require: true,
  },
});

const User = mongoose.model("User", userSchema);
module.exports = User;

  • inside login ejs add <a href="/auth/google">Login with Google</a>

  • create dynamic user name in profile page Welcome <%=username%>

  • configure strategy

    • we need client id, client secret
    // passport.js
require("dotenv").config();
const User = require("../models/user.model");
const passport = require("passport");

const GoogleStrategy = require("passport-google-oauth20").Strategy;

passport.use(
  new GoogleStrategy(
    {
      clientID: process.env.GOOGLE_CLIENT_ID,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
      callbackURL: "http://localhost:5000/auth/google/callback",
    },
    function (accessToken, refreshToken, profile, cb) {
      User.findOne({ googleId: profile.id }, (err, user) => {
        if (err) return cb(err, null);

        // not a user; so create a new user with new google id
        if (!user) {
          let newUser = new User({
            googleId: profile.id,
            username: profile.displayName,
          });
          newUser.save();
          return cb(null, newUser);
        } else {
          // if we find an user just return return user
          return cb(null, user);
        }
      });
    }
  )
);

// create session id
// whenever we login it creares user id inside session
passport.serializeUser((user, done) => {
  done(null, user.id);
});

// find session info using session id
passport.deserializeUser(async (id, done) => {
  try {
    const user = await User.findById(id);
    done(null, user);
  } catch (error) {
    done(error, false);
  }
});

// app.js
const express = require("express");
const cors = require("cors");
const ejs = require("ejs");
const app = express();
require("./config/database");
require("dotenv").config();
require("./config/passport");
const User = require("./models/user.model");

const passport = require("passport");
const session = require("express-session");
const MongoStore = require("connect-mongo");

app.set("view engine", "ejs");
app.use(cors());
app.use(express.urlencoded({ extended: true }));
app.use(express.json());

app.set("trust proxy", 1); // trust first proxy
app.use(
  session({
    secret: "keyboard cat",
    resave: false,
    saveUninitialized: true,
    store: MongoStore.create({
      mongoUrl: process.env.MONGO_URL,
      collectionName: "sessions",
    }),
    // cookie: { secure: true },
  })
);

app.use(passport.initialize());
app.use(passport.session());

// base url
app.get("/", (req, res) => {
  res.render("index");
});

const checkLoggedIn = (req, res, next) => {
  if (req.isAuthenticated()) {
    return res.redirect("/profile");
  }
  next();
};

// login : get
app.get("/login", checkLoggedIn, (req, res) => {
  res.render("login");
});

app.get(
  "/auth/google",
  passport.authenticate("google", { scope: ["profile"] })
);

app.get(
  "/auth/google/callback",
  passport.authenticate("google", {
    failureRedirect: "/login",
    successRedirect: "/profile",
  }),
  function (req, res) {
    // Successful authentication, redirect home.
    res.redirect("/");
  }
);

const checkAuthenticated = (req, res, next) => {
  if (req.isAuthenticated()) {
    return next();
  }
  res.redirect("/login");
};

// profile protected route
app.get("/profile", checkAuthenticated, (req, res) => {
  res.render("profile", { username: req.user.username });
});

// logout route
app.get("/logout", (req, res) => {
  try {
    req.logout((err) => {
      if (err) {
        return next(err);
      }
      res.redirect("/");
    });
  } catch (error) {
    res.status(500).send(error.message);
  }
});

module.exports = app;

Level 7: passport-jwt (token based)

  • how token based works
    • user register using username, password to the server -> server creates a token for the user -> so next time when user make any request server give access by validating the given token
  • folder and file structure
    • server
      • models
        • user.model.js
      • config
      • app.js
      • index.js
      • .env
      • .gitignore
  • initialize npm and install package npm init -y && npm install express nodemon cors dotenv bcrypt mongoose
  • test

Follow Me

Facebook, Youtube, Instagram

About

web-authentication-documentation with [learnwithfair, Learn with fair, Rahatul Rabbi, Md Rahatul Rabbi ,rahatulrabbi]. In this repo I describes about Database Matching, Database Encryption Hashing, Hashing + Salting Password, Cookies and Session with Passport, Google OAuth with passport session based, Passport-jwt (token based)

Topics

hashing authentication auth passportjs jwt-authentication passport-local salting database-encryption web-authentication passport-google-oauth20 rahatulrabbi learnwithfair rahatul-rabbi learn-with-fair database-matching

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages