Menu
I am looking for a way to use the Twitter strategy for Passport.js without using a sessions collection/table in a database. The reason for this is we save all that data in the sessions collection which can get quite large and we save a database roundtrip whenever a user makes a request because we dont have to go to the DB each time to fetch the session data.
Anyway, we should be able to use a token (JSON Web Token) to authenticate a user, just how this great article describes:
https://scotch.io/tutorials/authenticate-a-node-js-api-with-json-web-tokens
But I am confused why there isn't an easy way to just do this with Passport? (The article does everything without Passport - but surely Passport has this covered?).
Perhaps I am overthinking this and the way to do that is just to omit the calls that I have in Express to use the DB session and then Passport is already smart enough to handle the the JWTs? Somehow I doubt that.
For example, surely it isn't enough to just comment out this code in my Express server:
//app.use(expressSession({
// secret: 'arrete_x_paulette',
// store: new MongoStore({mongooseConnection: mongoose.connection}),
// saveUninitialized: true,
// resave: true,
// cookie: {
// secure: false,
// maxage: 6000000
// },
// proxy: false
//}));
and
//app.use(passport.session());
So what is enough, using Passport?
Why would anyone ever use sessions stored in the DB over using JWT based auth?
789
In this route, passport. authenticate() is middleware which will authenticate the request. By default, when authentication succeeds, the req. user property is set to the authenticated user, a login session is established, and the next function in the stack is called.
js. Passport's sole purpose is to authenticate requests, which it does through an extensible set of plugins known as strategies. Passport does not mount routes or assume any particular database schema, which maximizes flexibility and allows application-level decisions to be made by the developer.
A Passport strategy for authenticating with a JSON Web Token. This module lets you authenticate endpoints using a JSON web token. It is intended to be used to secure RESTful endpoints without sessions.
@Boris Serebrov answer is mostly correct. You probably want to set {session: false} so that sessions aren't stored in memory on the server itself, along with not saving sessions in a database. But there is probably a little more to the story.
One of the reasons why people use a persistent memory store is because this means that if a server restarts, the sessions don't get lost. However, we have been promised stateless JWT token based auth. So if it's stateless, why would it matter if the server restarts? As soon as the server is back up and running, the same token should be valid, no matter the state of the server, right?
I have found, in my brief foray into this, that expressSession will provide sessions that will be lost if the server restarts. This probably motivated people to use persistent sessions using Mongo and Redis, in the first place! But you don't need to do that! I don't see any reason to use persistent sessions stored in DB. You should be using JWTs and stateless auth...so the alternative seems to be cookieSession, another module for Express.
If you use cookieSession like so:
app.use(cookieSession({
name: 'some-cookie',
keys: ['key1', 'key2']
}));
then even if you server restarts, the 'session' remains. This works with your current Passport configuration, as long as you remove the call to store sessions in MongoStore, etc.
https://github.com/expressjs/cookie-session
Please correct me if I am wrong or overlooking something.
190
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With