WebFund 2013F: Assignment 4

'''This assignment is not yet finalized.'''
In this tutorial you'll be looking at how authenticated sessions can be implemented in Node.  Note that this example '''sends passwords in the clear to the server'''.  If you wanted to prevent this, you would need to add SSL support to your application, e.g., using the [http://nodejs.org/api/https.html https npm module].

The sample express application is [http://homeostasis.scs.carleton.ca/~soma/webfund-2013f/demo-auth-hash.zip demo-auth-hash].  It behaves similarly to the [[WebFund 2013F: Tutorial 5|sessions tutorial]] from October 4th.  The only difference here is that the server doesn't store plaintext passwords: it stores password hashes, and it keeps them in MongoDB.

You should get the application running, look at the code, and then attempt to answer the following questions about this code.  Expect to see modified versions of these questions soon...
===Note for Windows users===
This code uses OpenSSL's implementation of bcrypt.  Thus building this on Windows machines can be tricky if OpenSSL is not installed.  See [https://npmjs.org/package/bcrypt the node bcrypt package documentation] for more information on how to use this on Windows.

A reasonable question here is, why not use a JavaScript implementation of the crypto primitives?  They do exist; however, you should always use CERTIFIED IMPLEMENTATIONS of cryptography in your applications.  If an implementation hasn't been properly tested and evaluated, you are running very serious risks.  Friends don't let friends implement cryptography for anything except personal entertainment!

Having said that, you should be able to get the code working in pure JavaScript with the [https://npmjs.org/package/bcrypt-nodejs bcrypt-nodejs] package with minor changes to the application.
==Questions==
# This app requires two packages that directly access MongoDB.  What are they?
# What is the name of the MongoDB collection that is used to store usernames and hashed passwords?
# What MongoDB collection is used to store session information?
# How long before this app's session cookies expire?
# Once the application is running successfully, kill the MongoDB server and see how the application behaves when you attempt to register a new user.  Does it "succeed" or does it report an error?  Is the user properly registered?
# In the POST function for /login, it processes a username and password supplied by the user.  How are they accessed?  Where did this information come from?
# What CSS templating language does this application use?
# What is MongoStore storing?  What node component(s) are using it?
# Change the app to use raw MongoDB calls rather than Mongoose for storing the username and password.  How much harder is it to do this?

Revision as of 18:53, 21 November 2013
