Create a Simple and Secure Node Express App

Learn how to secure a simple Node.js and Express app by adding user authentication with Passport.js and Auth0.


Brought to you by @dan-auth0 👨‍💻

Node.js is both a platform and a topic that I love. Let me know how you like this blog post, what questions you may have, and/or what others topics related to Node you’d like to read. I am here for you!

Nice tutorial. I like seeing the non-JWT side of things. I have a question about sessions though.

I read that Express sessions basically set a cookie with the ID of the session, and then for each subsequent request, the Express middleware you set up will perform a session lookup to attach the session data to the req object, and that’s how the subsequent middleware like your app routes will have access to the logged in user. Since I didn’t see you connect anything like Redis or any database to the session middleware, I’m guessing it’s storing it in memory.

What do you do when you’ve got an app that is horizontally scaled? Perhaps it’s deployed to Heroku, AWS Lambda, or a Kubernetes cluster with pod autoscaling enabled, and once traffic scales up, there will be more than one process that your visitors hit. Can you override the session middleware to store session values in something that each process can access, like Redis?

Edit:

Found the answer after more digging. The readme for the session middleware itself talks about implementing custom session stores and lists popular libraries that are already capable of storing sessions in things like Redis, PostgreSQL, MongoDB, and even the cloud databases like AWS DynamoDB and Google Cloud Firestore. Neat. (GitHub - expressjs/session: Simple session middleware for Express)

Great tutorial!

I followed all the steps on the blog, but there is an error saying passport.initialize is not a middleware,

and I see some changes in the code on GitHub in the ENV part that solve the issue.

@johndavemanuel you need to install passport
npm install passport

dan.woda August 16, 2019, 6:13pm 6

Hi @aparralorenzo,

Welcome to the Auth0 Community Forum!

Thanks for helping out on this.

@johndavemanuel Did this solve your problem?

In the future please create a new topic for your problem with a link to the blog/doc. This helps us answer your questions more quickly!

Thanks,
Dan

conor October 9, 2019, 7:08am 7

Hi, thanks for the tutorial but I’m not having much success with it.

Even if I git clone the project, npm install and create the relevant .env file, I always end up in a redirect loop when trying to signup/login, irrespective of login type (happens on email/pw too).

It just pingpongs between

https://mydomain.eu.auth0.com/authorize?response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&state=blah&client_id=blah

and

http://localhost:3000/callback?state=blah

This is with Node 10.x latest on Windows 10. Is that config known to work? Any other info I can provide to help debug?

Thanks
Conor

Hey there @conor!

Thanks for reporting that and providing that context. I’m sure that @dan-auth0 who is the article author will look into it soon and help you troubleshoot that!

I am on it. I’ll double check the content again. I don’t have access to Windows but I’ll reproduce the blog post using Linux as you may be able to use the Linux Subsystem in Windows which can give us a common ground 🤔

Thank you for your time reading this post!

conor October 10, 2019, 3:28pm 10

Thanks Dan. I tried it on OSX today with the same result.

dan-auth0 October 10, 2019, 8:59pm 12

I am going to rework some of the post. There are some areas of it that make it difficult to know where to enter new code. Give me till the end of the week and I’ll have it ready. It’s working for me but it was a bit confusing :grimacing:

conor October 11, 2019, 5:35am 13

Appreciate it Dan thanks! So should I ignore the github repo for the moment?

dan-auth0 October 11, 2019, 1:18pm 14

Please do 🙏 I was trying the “multi-folder” approach with that repo… haha and I think it’s way too confusing. I’ll be using branches instead 💪

I got the review of the first part done yesterday (code is the same) and I’ll work auditing/restructuring the second part today :slight_smile:

dan-auth0 October 14, 2019, 9:07pm 15

I haven’t forgotten about you :slight_smile: I ended up optimizing some of the content of the first part. I will be working on the second part tomorrow. Thank you again for reading our content :+1:

conor October 15, 2019, 9:10am 16

Thanks again Dan. I’ll give it a try when you’re done with the second half.

Thanks a lot for letting us know Conor! Stay tuned!

Conor, thank you for your patience. It took longer than expected but here it is:

I rewrote both parts. They are now more independent of each other and I also hope this part is now easier to follow along. Let me know what you think, please 🙏

The rewrite of Part 1 should be going live next week.

conor October 20, 2019, 8:01am 19

That’s exactly what I needed Dan. Worked perfectly. Thanks again!

Wooohooo! Perfect to hear that @conor!

jburklund November 12, 2019, 3:23pm 21

Thanks for the tutorial! I’m getting an error "ReferenceError: Cannot access ‘session’ before initialization" at the line app.use(expressSession(session)); and I’m not sure where I went wrong.