node.js, express, mongo, and passport

Building on the tutorial from I wanted to add passport support to allow basic authentication to the site and there seemed to be a few too many conflicting and out of date instructions for what should have been a really simple process.

The objective is local username/password authentication and as we are doing that we might as well be good and store a password hash not the actual password in the db. This could easily be extended to be properly salted etc.

The extra modules we are using that need to be added to package.json are

passport": "*",
"passport-local": "*",
"crypto": "*",
"connect-flash": "*"

then of cause you need to issue a

npm --install

to drag in those extra modules

back in app.js we need to add the following at the top to require the correct modules

Right at the top before you require express

var flash = require('connect-flash'); //flash now should be before express and passport

then you also want to add at the end of the require list

var crypto = require('crypto');
var passport = require('passport');
var LocalStrategy = require('passport-local').Strategy;

Passport setup

To use basic local username passwords with passport you need the following code, the bits that were missing from many examples were the passport.serializeUser() and passport.deserializeUser() functions. In our setup we also reused the usercollection database in mongo called users that contains username and added a password hash and we are using SHA1 as the hash function (passport supports other hashes as well). This particular example takes the password hashes it then checks against the hash stored in the database. An improvement would be to send the hash in the post request instead of the plain text.

If you want to add a user to the mongo db then using the mongo console

use nodetest1
db.usercollection.insert({ "username" : "testuser1", "email" : "", "hash" : "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3"})

NB the hash is for the password test, so when we come to test this later username testuser1 password test

And this is the extra app.js code to setup passport.

var Users = db.get('usercollection');

passport.use(new LocalStrategy(function(username, password,done){
    Users.findOne({ username : username},function(err,user){
        if(err) { return done(err); }
            return done(null, false, { message: 'Incorrect username.' });

	var hash = crypto.createHash('sha1');
	var result = hash.digest('hex') ;
        if (result == user.hash) 
        	return done(null, user._id);
            done(null, false, { message: 'Incorrect password.' });

passport.serializeUser(function(user, done) {
    done(null, user);

passport.deserializeUser(function(id, done) {
            Users.findById(id, function(err,user){        

Now to hook in the passport to the flow in the app.use section before app.use(app.router); add

app.use(flash()); // this must be before passport setup

Ok cool passport is basically hooked in now so the remaining things are we need a username/password form a way to handle the post request when submitting that form and to prevent unauthorised access to special logged in only user pages. In this example we restrict access to /helloworld and add a login page called /login

function ensureAuthenticated(req, res, next) {
  if (req.isAuthenticated()) { return next(); }

app.get('/helloworld', ensureAuthenticated, routes.helloworld);
app.get('/login', routes.login);'/login',
  passport.authenticate('local', { successRedirect: '/helloworld',
                                   failureRedirect: '/login',
                                   failureFlash: true })

Adding the ensureAuthenticated will ensure the user is authenticated or redirect to the login page. So thats app.js complete now to add the routes in routes/index.js

All we need to add here is a handler to show the login form view

exports.login = function(req, res){
  res.render('login', { title: 'Login' });

Now to add the view in views/login.jade

extends layout

block content
  h1= title
            span(class=['input']) Username:
            input#inputName(type="text", placeholder="username", name="username")
            span(class=['input']) Password:
            input#inputName(type="password", placeholder="password", name="password")
      button#btnSubmit(type="submit") submit

passport expects username and password to be sent in fields called “username” and “password” and these get hooked through to the passport.use(new LocalStrategy(function(username, password,done){} back in app.js

Leave a Reply