#1 By: mills, December 22nd, 2013 16:42
I'm working on a simple node + express + mongoDB CRUD app on Heroku, and I was wondering - does anyone have any opinions / advice on how to do user authentication? I don't think I need anything super fancy; I just want users to be able to create & log in to a profile and CRUD the database entries corresponding to that profile. The Stormpath add on looked pretty cool, but (and please correct me if I'm wrong) seems to be a ruby thing only - is there a nodeish equivalent? Thanks in advance!
#2 By: Zeke Sikelianos, December 22nd, 2013 17:41
Express has Basic Auth built in: http://expressjs.com/api.html#basicAuth
If you want a more complete user system, I recommend using OAuth. Passport is probably the most popular OAuth library for node. See http://passportjs.org/
#3 By: mills, December 22nd, 2013 23:48
Cool, thanks! I have passport up and running without too much grief; the only thing that remains dubious to me is how to be responsible with my users' passwords. I'm using bcrypt to hash them before I stick them in my database à la this pretty great article pretty much verbatim (in just plain mongodb without mongoose but whatever), but (and apologies if I'm just wrong and have no idea) - doesn't that all happen server-side? Aren't my users still sending plain text passwords to me that can be intercepted?
Either way, this is great progress thanks to your solid recommendation, thanks very much!
#4 By: john497, December 31st, 2013 11:40
This is why you use https when sending data. Basic Auth requires that the password be base64 encoded, but obviously that's not going to stop anyone that has access from figuring it out. So, you're going to be sending them plain text, but the http protocol + SSL will ensure that this is decently secure.
Sounds like you're doing good with bcrypt on the server. My advice is to not re-write username/password authentication and to offload your authentication to an existing OAuth provider (provided that that's feasible within your application guidelines).
#5 By: Jan Wrobel, January 7th, 2014 04:43
The wwwhisper add-on just released support for Node.js (it previously supported Ruby Rack apps only). It uses Persona for authentication, so password storage is not an issue.