WebFund 2013F: Tutorial 11
In this tutorial you'll be looking at how authenticated sessions can be done in Node. Note that this example uses SSL so that passwords are not sent to the server in cleartext. Thus, you will need to connect to https://localhost:3000 rather than the usual http address. Your browser will also warn about the self-signed certificate, because no certificate authority it trusts has signed it; this is expected for a local demo. However, you may want to examine the certificate (subject, issuer, validity period, public key) to see what information it contains and why the browser does not trust it.
Note that if you were doing authentication in a real application, you should probably use a more mature solution like everyauth or Passport; however, this solution does follow standard practice: passwords are stored as salted hashes rather than in plaintext, so a stolen database does not directly reveal them (though weak passwords can still be guessed offline), and the login exchange goes over SSL.
The sample express application is demo-auth-hash-ssl. You can download it with modules or without. It behaves like the sessions demo from October 4th, with two additions: users must authenticate with a password, and both sessions and users persist across server restarts.
You should get the application running, look at the code, and then attempt to answer the questions below about the code and make the suggested modifications.
Note for Windows users
This code uses the node bcrypt package, a native addon that needs OpenSSL available to build. Thus building it on Windows machines can be tricky if OpenSSL is not installed. See the node bcrypt package documentation for more information on how to use it on Windows.
A reasonable question here is, why not use a JavaScript implementation of the crypto primitives? They do exist; however, you should always use PROPERLY TESTED AND EVALUATED IMPLEMENTATIONS of cryptography in your applications. Cryptographic code fails in ways that are invisible in normal testing (weak randomness, timing leaks, subtle arithmetic errors), so if an implementation has not been reviewed and evaluated, you are running very serious risks. Friends don't let friends implement cryptography for anything except personal entertainment!
Having said that, you should be able to get the code working in pure JavaScript with the bcryptjs or bcrypt-nodejs packages with minor changes to the application; these are widely used implementations, not something you wrote yourself.
Questions
You will get full credit for this tutorial for attending and showing a TA that you can at least answer a few of the questions below. You are highly encouraged, though, to try and answer all of the following during tutorial.
- What is the difference between the Login and Register button on the initial screen?
- This app requires two packages that directly access MongoDB. What are they?
- What is the name of the MongoDB collection that is used to store usernames and hashed passwords?
- What MongoDB collection is used to store session information?
- How long before this app's session cookies expire?
- Once the application is running successfully, kill the MongoDB server and see how the application behaves when you attempt to register a new user. Does it "succeed" or does it report an error? Is the user properly registered?
- The POST handler for /login processes a username and password supplied by the user. How are they accessed? Where does this information come from? And are they validated in any way?
- What CSS templating language does this application use?
- What is MongoStore storing? What node component(s) are using it?
- Change the app to use raw MongoDB calls rather than Mongoose for storing the username and password. How much harder is it to do this?