Authentication in Node.js - #7 Login & Logout

In this video, we are going to implement login and logout functionality in our app. At a high level, the authentication flow goes like this. When the user signs in, we validate their email address and password, match them with a user in our database, create a session in cache, and issue a session cookie. When the user logs out, we destroy the session and unset the cookie. Both routes should be behind guest and auth middleware respectively, since only a guest should be able to log in and only a logged in user can sign out.

One security flaw that we will highlight is the time difference between querying a user document and matching its hash against the password. Our if-conditional first checks whether the user document is falsy, and if it is, that is, MongoDB couldn't match the email with any existing user, it skips the second check and throws an exception early. However, if the email was found, it compares the user's hash with the given password using bcrypt, and because hashing consumes many CPU cycles, the server takes noticeably longer to respond. The delta is only a few hundred milliseconds, but it's enough for an attacker to infer that that particular email and password combination took a different logical branch, and therefore that the email belongs to an existing user.

Comments

Detailed video indeed. I'd also like to point out that, most of the time, you are just saying what you are typing and not why you are using so-and-so method, etc.

santhosh

Wow, the quality level of this video is so high! Thanks

AndersonSilvaMMA

Hey, good work. It would be nice to see you talking about PM2.

MangoDeveloper

Very impressive. A few months ago I watched some of your videos and could not follow; you were way too fast. This series is just right. I still need to pause it sometimes to inspect what was done, but this is excellent. Maybe finish with a short recap of what was done, why... maybe that would help us remember more. Cheers

edmilinski

Thank you for this video.
I have a question: why do you check email and password to log out?
Is there a simple way to just "destroy" the user? By removing his token, for example, if you use JWT.

BaalAsh

Is it necessary to store userId in sessions on registration?

vigneshpugaz

Hey guy, look more often at the camera, and where are the emotions?😄😅

НинаКоваленко-ък