Create a Simple and Secure Node Express App

Learn how to secure a simple Node.js and Express app by adding user authentication with Passport.js and Auth0.

Read on :green_heart:

Brought to you by @dan-auth0 :man_technologist:

5 Likes

Node.js is both a platform and a topic that I love. Let me know how you like this blog post, what questions you may have, and/or what other topics related to Node you’d like to read. I am here for you!

1 Like

Nice tutorial. I like seeing the non-JWT side of things. I have a question about sessions though.

I read that Express sessions basically set a cookie with the ID of the session, and then for each subsequent request, the Express middleware you set up will perform a session lookup to attach the session data to the req object, and that’s how the subsequent middleware like your app routes will have access to the logged in user. Since I didn’t see you connect anything like Redis or any database to the session middleware, I’m guessing it’s storing it in memory.

What do you do when you’ve got an app that is horizontally scaled? Perhaps it’s deployed to Heroku, AWS Lambda, or a Kubernetes cluster with pod autoscaling enabled, and once traffic scales up, there will be more than one process that your visitors hit. Can you override the session middleware to store session values in something that each process can access, like Redis?

Edit:

Found the answer after more digging. The readme for the session middleware itself talks about implementing custom session stores and lists popular libraries that are already capable of storing sessions in things like Redis, PostgreSQL, MongoDB, and even the cloud databases like AWS DynamoDB and Google Cloud Firestore. Neat. (GitHub - expressjs/session: Simple session middleware for Express)

Great tutorial!

I followed all the steps on the blog but there is an error saying passport.initialize is not a middleware,

and I see some changes in the code on GitHub in the ENV part that solve the issue

@johndavemanuel you need to install passport
npm install passport

1 Like

Hi @aparralorenzo,

Welcome to the Auth0 Community Forum!

Thanks for helping out on this.

@johndavemanuel Did this solve you problem?

In the future please create a new topic for your problem with a link to the blog/doc. This helps us answer your questions more quickly!

Thanks,
Dan

Hi, thanks for the tutorial but I’m not having much success with it.

Even if I git clone the project, npm install and create the relevant .env file, I always end up in a redirect loop when trying to signup/login, irrespective of login type (happens on email/pw too).

It just pingpongs between

https://mydomain.eu.auth0.com/authorize?response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&state=blah&client_id=blah

and

http://localhost:3000/callback?state=blah

This is with Node 10.x latest on Windows 10. Is that config known to work? Any other info I can provide to help debug?

Thanks
Conor

2 Likes

Hey there @conor!

Thanks for reporting that and providing that context. I’m sure that @dan-auth0 who is the article author will look into it soon and help you troubleshoot that!

I am on it. I’ll double check the content again. I don’t have access to Windows but I’ll reproduce the blog post using Linux as you may be able to use the Linux Subsystem in Windows which can give us a common ground :thinking:

Thank you for your time reading this post!

1 Like

Thanks Dan. I tried it on OSX today with the same result.

I am going to rework some of the post. There are some areas of it that make it difficult to know where to enter new code. Give me till the end of the week and I’ll have it ready. It’s working for me but it was a bit confusing :grimacing:

Appreciate it Dan thanks! So should I ignore the github repo for the moment?

1 Like

Please do :pray: I was trying the “multi-folder” approach with that repo… haha and I think it’s way too confusing. I’ll be using branches instead :muscle:

I got the review of the first part done yesterday (code is the same) and I’ll work on auditing/restructuring the second part today :slight_smile:

I haven’t forgotten about you :slight_smile: I ended up optimizing some of the content of the first part. I will be working on the second time tomorrow. Thank you again for reading our content :+1:

Thanks again Dan. I’ll give it a try when you’re done with the second half.

Thanks a lot for letting us know Conor! Stay tuned!

Conor, thank you for your patience. It took longer than expected but here it is:

I rewrote both parts. They are now more independent of each other and I also hope this part is now easier to follow along. Let me know what you think, please :pray:

The rewrite of Part 1 should be going live next week.

That’s exactly what I needed Dan. Worked perfectly. Thanks again!

1 Like

Wooohooo! Perfect to hear that @conor!

Thanks for the tutorial! I’m getting an error "ReferenceError: Cannot access 'session' before initialization" at the line app.use(expressSession(session)); and not sure where I went wrong.

1 Like