RESTful API User Authentication with NodeJS

In this tutorial I will show you everything you need to implement your own little user authentication server.

Video Courses, Project Templates, Community & the Support you deserve to learn Ionic!

Comments

Fantastic tutorial - thank you, Simon! :D

XelleczixTV

HI Simon, This is great! very simple and clear! Thanks!

BinLiutrianglehomes

This is awesome Simon !
You helped me a lot at this end.
Thank you so much !

apurvagupta

Hi Simon, thanks a lot for this. For my internship I am trying to create an app. The app will work with a Tire Pressure Measurement System that I developed earlier (C & C++).
Never really worked with JS, Angular, Node.JS, MongoDB so you have been a great help. I also followed your other tutorial: How To Handle User Authentication With AngularJS Inside Your Ionic App.

Can't wait till part 2 where we hopefully connect these 2 tutorials together.

RidingArgonaut

Thanks for this! I think you make a very good overview of the principles in question. Keep it up!

kebman

Thank you so much for this tutorial! You explained it very well both in this video and in the blog article! Thank you! Keep creating such tutorials! :)

emanuelapogar

Great tutorial. Made my evening. Thanks :)

RohanBagchi

Hi Simon,
How are you?

Great tutorial, I must admit!
I like the way you explain everything as you go. Big ups!

Just a side note; as you mentioned in the video, when sending out the token back to the client Application on the front-end...
Even though the password is encrypted and there's almost "NO chance" to extract the un-hashed (the EXACT user) password needed for log in from the token (unless someone automagically comes up with the exact same salt you used on the backend to generate the encrypted password, ofc - which is, let's be honest, very close to 0%), I'd still recommend not sending it back to the client on the front-end.

The way I see it, or perhaps how I am used to handling that type of scenario, is that as soon as I find the user object in the DB, I just don't send it back to the client APP as is.
Rather, I delete all the unnecessary fields from the object before I send it to the user, in a JSON formatted response.

There are 2 good reasons behind this approach:
1st one - which, as discussed in the video, is regarding the security;
2nd one - would be so you don't need to handle the information you particularly don't need on the client side.

Most of the time the ID field (of the documents in my DBs) is the username (since you want those to be unique anyway). So I send only the ID and some other fields (such as firstName and lastName) back to the client Application, for my Angular to consume (no dateCreated, city, state, country, age, phone, e-mail and other fields which are not related to my front-end portion of the Application).
Let's be honest, you probably won't be even showing that to the user most of the time.
Or, perhaps if you're implementing the dashboard, you would probably make a new endpoint API on your server to send back all that extra information, that 99% of the time you probably won't even need.

In this example (the one you showed in the video) I'd just delete both password and ObjectID fields from the user object before sending it back to the client (as explained why, few lines above).

Also, one more thing to point out; if you're building a mobile APP (with Ionic, PhoneGap or Cordova), you probably want to limit the number of fields you're sending back to your client, if you're using the local storage, since it's pretty limited in size (please correct me if I'm wrong!).


* Just a side note:
If you're not familiar with JavaScript and may be wondering about deleting the fields from the object, the way to do it would be:
delete userObj.password;
delete userObj.ObjectID;

If this looks a bit confusing, let me explain.
Those 2 lines of code do NOT delete those fields (property-value pairs) from the user object inside of your DB, but rather they only delete those fields from the (user) object you took out of the DB. Once again, the document stored in your MongoDB would not be altered in any way! Think of it as just altering the copy of the document and not the original one in your DB.


Just my two cents on the topic.
Other than that, it's a really great tutorial covering most of the stuff!


P.S.
Also, for someone who does not use PassportJS for Local and JWT strategies (*wink wink*); do you know what PassportJS returns back to the client APP, with the Local strategy, once it finds the user? Is it a user object taken from the database matching the query, or just a status with some other meta information provided by Passport?
I ask since I'm used to handling all the authentication and authorization with Username & Password (not including JWT) myself (no library or 3rd party modules).



P.P.S.
Happy New Year Simon!
Best wishes

ognjenjevremovic
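The comment above recommends deleting the password (and other unneeded fields) from the fetched user document before it goes back to the client. The block below is an added example, not code from the video or from Simon's project, that puts the two approaches side by side: the deny-list `delete` shown in the comment, and an allow-list projection that only copies fields named in a fixed list. The field names (`password`, `salt`, `resetToken`, `firstName`, ...) and the sample document are constructed for illustration.

```javascript
// Added example (not from the video): building the API response from an
// explicit allow-list of user fields, compared with deleting secrets from
// a copy of the database document. All field names are assumed.

// Fields the front-end actually needs. Anything not listed, including
// fields added to the schema later (a reset token, a TOTP secret), is
// never sent, which is why allow-listing is the safer default.
const PUBLIC_USER_FIELDS = ['_id', 'username', 'firstName', 'lastName'];

function toPublicUser(userDoc) {
  const out = {};
  for (const key of PUBLIC_USER_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(userDoc, key)) {
      out[key] = userDoc[key];
    }
  }
  return out;
}

// Deny-list variant from the comment above. Works, but must be kept in
// sync with every new sensitive field on the document; see resetToken.
function stripSecrets(userDoc) {
  const copy = { ...userDoc }; // shallow copy so the fetched object (and the DB) stay untouched
  delete copy.password;
  delete copy.salt;
  return copy;
}

// Constructed sample document, shaped like a Mongo user record.
const SAMPLE_USER = {
  _id: '5a1b2c3d4e5f60718293a4b5',
  username: 'alice',
  password: '$2a$10$constructedbcrypthashvalue000000000000000000000000000', // constructed hash
  salt: 'constructed-salt',
  firstName: 'Alice',
  lastName: 'Example',
  email: 'alice@example.invalid',
  phone: '000-000-0000',
  resetToken: 'constructed-reset-token', // added to the schema after stripSecrets was written
};

// Returns both projections plus a check that the source object is intact.
function demo() {
  return {
    pub: toPublicUser(SAMPLE_USER),
    stripped: stripSecrets(SAMPLE_USER),
    originalIntact: 'password' in SAMPLE_USER && 'salt' in SAMPLE_USER,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run with `node` to see both shapes: the allow-listed object carries only the four named fields, while the deny-listed copy still leaks `resetToken`, `email` and `phone` because nobody added them to the `delete` list. In an Express handler the return value of `toPublicUser` is what you would pass to `res.json(...)`.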

thanks man :)
I had to add the lines given below to make it work... thanks for the video... keep the good work up

ExtractJwt =

var opts = {};
opts.jwtFromRequest = ExtractJwt.fromAuthHeader();

AbstractBit

Great tutorial! Helped a lot ;) Thanks :)

stanislavmares

Hi, very helpful tutorial! It really helped me to start.

Just a couple of comments:

I'm not sure why you had to do the decode token part inside /menberinfo. The strategy already validates the token and adds the resulting user object to the req that is passed to the route.

Instead of using the fromAuthHeader() in the strategy, you can use the fromHeader(header_name) extractor. It doesn't force you to use that 'JWT + String' schema when creating a token, making that getToken function you did in the video unnecessary.

josefd

This is a great tutorial Simon, appreciate it, and I got introduced to the usage of passport with JWT, but I have one doubt: I see that the token that is generated as per this example is constant forever for a given user. I'd rather want it to expire in some time... and a new token is generated if the person is already logged in etc. Are there any thoughts around this?

spotnuru

Awesome, I would like to thank you for this lecture and I have one question: what is the difference between Node.js authentication and Angular.js authentication, and which is better to use with Ionic?

abdulazizalghafli

Very good, but how do you do all this through the front end, with a sign up and login form?

marias

Should we also call passport.authenticate for each and every request that we add for the routes? I think there should be a better way too.. kindly let us know if you have some time :)

spotnuru

Thanks, great tutorial. I managed to get this working with Vue by sending http header with vue-resources like so: this.$http.get('users/', { headers: { 'Authorization': token, 'Accept': 'application/json' }}).then(res => { this.users = res.data }).

dusteye

I think extracting the JWT from the header is the whole point of the passport-jwt strategy. Why are you doing by hand what the strategy is supposed to do?

solaristhesun

Hi Simon,
it's a nice tutorial, thanks for the same.
I want to create OTP authentication; how do I achieve that? Please help me out.
Thanks
Abhay

abhaysingh

for some reason my console reads "name: / password: undefined" when I try to post to /signup.

mattturner

Noob question: how does one use this in a real life application?

How will the user send the authorization headers?

moto.negro-ren