Node JS: by Chandan Naresh

This document discusses authentication, authorization, and security considerations when building a Node.js application. It covers common authentication strategies like username/password, OAuth, and JSON web tokens. It also describes how to implement token-based authentication with Express using JWT tokens generated on the server and sent to clients. Finally, it discusses using the bcrypt library to securely hash passwords and the Express Validator middleware for input validation.


NODE JS

By Chandan Naresh
AUTHENTICATION – AUTHORIZATION
Authentication: the process of validating that a user is genuine/valid before allowing access to sensitive data or resources.
Authorization: the process of granting access only to the areas of the web application that the user is permitted to use.
Common authentication strategies
- Windows auth
- LDAP auth
- Email-Id/Password auth
- Token auth
- Google auth
- Facebook auth
- Phone number auth
- OpenID

Authentication libraries
- Passport.js, Auth0 SDK, Firebase SDK, Firebase Admin
JWT TOKEN AUTH FLOW

Client -> Server   POST: http://localhost:3000/login (credentials in the body)
Server:
  1. Validate and sanitize input
  2. Check id/password exists in db
  3. Generate jwt token
  4. Send the token
Server -> Client   Token: 383802899899
Client -> Server   GET: http://localhost:3000/user/data (token sent with the request)
JSON WEB TOKEN
Open standard (RFC 7519) for representing claims securely between two parties
Signed with a SHA-256-based algorithm (HMAC or RSA)
Generated on the server and sent to the client
Cannot be tampered with undetected: any change to the header or payload invalidates the signature
Used for authorization on subsequent client requests to resources/routes/endpoints
The jsonwebtoken package generates and verifies tokens
NODE JS – EXPRESS VALIDATOR
Middleware library for input validation and sanitization
  npm i express-validator

Features include
- Sanitization [examples: normalizeEmail(), trim(), escape(), toBoolean()]
- Validation [examples: check(), body(), cookie(), header(), param(), query(), oneOf(), checkSchema()]

Example
import express from 'express';
import { body, validationResult } from 'express-validator';

const app = express();
app.use(express.json()); // parse JSON bodies so req.body is populated for the validators
// `User` is the application's own data model (e.g. an ORM model); it is assumed here, not defined on the slide

app.post(
  '/user',
  // username must be an email
  body('username').isEmail(),
  // password must be at least 5 chars long
  body('password').isLength({ min: 5 }),
  (req: express.Request, res: express.Response) => {
    // Finds the validation errors in this request and wraps them in an object with handy functions
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
      return res.status(400).json({ errors: errors.array() });
    }

    User.create({
      username: req.body.username,
      password: req.body.password,
    }).then(user => res.json(user));
  },
);

app.listen(3000);
BCRYPT
Hashing library for hashing passwords
  npm i bcrypt
Used on the server
Example:
const bcrypt = require('bcrypt');
const saltRounds = 10; // cost factor: higher is slower to compute and slower to brute-force
const myPlaintextPassword = 'constructed-password';        // sample value, not from the slide
const someOtherPlaintextPassword = 'constructed-other';     // sample value, not from the slide

// Hash the password with a freshly generated salt.
bcrypt.hash(myPlaintextPassword, saltRounds, function(err, hash) {
  // Store hash in your password DB.

  // Later, load hash from your password DB and compare a login attempt against it.
  bcrypt.compare(myPlaintextPassword, hash, function(err, result) {
    // result == true
  });
  bcrypt.compare(someOtherPlaintextPassword, hash, function(err, result) {
    // result == false
  });
});
SECURITY CONSIDERATIONS
Ensure proper sanitization of input data
Routes/endpoints should be restricted with authorization middleware
Passwords should be saved only in hashed form
Token lifetime (timeout) should be limited
Log invalid/failed authentication attempts
Disable web server directory listing
THANK YOU