Session Authentication With Node.js, Express, Passport, and MongoDB

I recently made a post walking through an authentication solution for JWTs. I added a disclaimer at the top of that post recommending that people not use it for production software. Instead, I promised I would walk through session-based authentication, and I’m finally getting around to it.

This session authentication tutorial demonstrates the fewest steps needed to implement session-based authentication in a Node.js application.

First, we will create an app.js file that pulls in the packages needed for session creation. We then attach that session to the MongoDB store (the database used for this tutorial). The file also contains the Passport setup, which is very straightforward in our case, and finally all of the project-specific routes. I have kept the code as minimal as possible so that it is easy to understand and to build out for your own purposes.

Secondly, we will create a model that creates the user and saves it to the MongoDB database via Mongoose. That model uses the passport-local-mongoose plugin, which simplifies username and password authentication. I would recommend looking at how this package works to understand Passport at a deeper level.

Lastly, we will use Postman to validate that the session configuration is set up correctly and that the endpoints work as expected. A screenshot will be included for this step.

Once all steps are completed, you should have your Node app ready for session-based authentication.

Step 1: Create App & Add Dependencies

First, let’s create a new Node.js application and check out the packages we will use for this tutorial.

Make a new project directory and create the Node app:

> mkdir user-session-tutorial
> cd user-session-tutorial

> npm init

Note: I set my entry point to app.js.

Now let’s add the necessary packages:

npm install --save connect-mongo express express-session mongoose passport passport-local passport-local-mongoose

What is PassportJS? What is Middleware?

PASSPORT

Passport is authentication middleware for Node.js. Extremely flexible and modular, Passport can be unobtrusively dropped into any Express-based web application. Passport supports many different authentication strategies that can be leveraged for a straightforward implementation. This tutorial uses the “passport-local” strategy for username and password authentication. Passport supports other strategies like Google OAuth, Twitter, Auth0, and many more. Here is a link to the complete list.

It’s also worth noting that Passport is database agnostic: we are using MongoDB for this tutorial, but any other database can be used with almost as much ease.

MIDDLEWARE

Middleware is a way to filter a request coming into your application. A middleware component sits between the client and the server’s route handlers, processing inbound requests and outbound responses. In other words, it can inspect or modify the request before it reaches the route handler and the response before it is sent back to the client.

Middleware is handy for authentication and authorization, which is why Passport is widely adopted across Express-based applications. The app.js file below will demonstrate how we can implement Passport into a Node.js application.

Step 2: Create an app.js file

It is good practice to move each of these components into its own file when developing for your own purposes, but laying everything out flat here makes it easier to understand.
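Added example, not the article’s own app.js: the wiring described in Step 2, with the express-session options and the guard used by the /profile route factored into functions. It assumes the Step 3 model is exported from ./models/user and that the environment variables SESSION_SECRET and MONGO_URL are set (both assumptions); startServer() is not invoked at load time, so the two helpers can be exercised without Express or MongoDB installed.

```javascript
// express-session options. The cookie flags are the security-relevant part: httpOnly keeps
// scripts away from the cookie, sameSite limits cross-site request forgery, secure requires
// TLS (enforced in production only) and maxAge bounds how long a stored session stays valid.
function buildSessionOptions({ secret, store, isProduction }) {
  if (typeof secret !== 'string' || secret.length < 32) {
    throw new Error('session secret must be a string of at least 32 characters');
  }
  return {
    secret,
    store,                    // connect-mongo store: sessions live in MongoDB, not in memory
    resave: false,            // do not rewrite sessions that did not change
    saveUninitialized: false, // no cookie is issued until login succeeds
    cookie: { httpOnly: true, sameSite: 'lax', secure: isProduction, maxAge: 60 * 60 * 1000 },
  };
}

// Guard for /profile. passport.session() restores req.user from the store and defines
// req.isAuthenticated(); once the session document is deleted from MongoDB this answers 401.
function ensureAuthenticated(req, res, next) {
  if (typeof req.isAuthenticated === 'function' && req.isAuthenticated()) return next();
  return res.status(401).json({ error: 'not authenticated' });
}

// Wiring of the tutorial's packages, kept in a function so the helpers above run without a
// database. Assumed: ./models/user exports the passport-local-mongoose model from Step 3.
function startServer() {
  const express = require('express');
  const session = require('express-session');
  const passport = require('passport');
  const mongoose = require('mongoose');
  const MongoStore = require('connect-mongo');
  const User = require('./models/user');
  mongoose.connect(process.env.MONGO_URL); // assumed env var
  const app = express();
  app.use(express.json());
  app.use(session(buildSessionOptions({
    secret: process.env.SESSION_SECRET, // assumed env var; never hard-code it
    store: MongoStore.create({ mongoUrl: process.env.MONGO_URL }),
    isProduction: process.env.NODE_ENV === 'production',
  })));
  app.use(passport.initialize(), passport.session());
  passport.use(User.createStrategy());
  passport.serializeUser(User.serializeUser());
  passport.deserializeUser(User.deserializeUser());
  app.post('/register', (req, res) => User.register(new User({ username: req.body.username }),
    req.body.password, (err) => (err ? res.status(400).json({ error: 'registration failed' }) : res.json({ ok: true }))));
  app.post('/login', passport.authenticate('local'), (req, res) => res.json({ ok: true }));
  app.get('/profile', ensureAuthenticated, (req, res) => res.json({ username: req.user.username }));
  return app.listen(3000);
}
```

Call startServer() at the bottom of app.js to run it; the generic 400 on /register avoids telling an unauthenticated caller whether a username already exists.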

Step 3: Create a User Model

Again, this user model leverages the passport-local-mongoose package so that password hashing is handled by the plugin rather than by our own application code.

After this model is implemented, all necessary code should be set up, and we will be ready to test our endpoints. Let’s get to it!

Step 4: Make requests via Postman

Register Route: Create a user

The first step for testing our endpoints will be creating a user. Let’s hit the /register route with the correct request body to accomplish this task.

We have successfully created the user. Let’s take a look at our MongoDB instance to ensure we have the document created:

Our app created the user, and the next step is to log in.

Login Route: Create the session

If we want access to protected routes, we need to have a valid session created to prove we are who we say we are. Let’s do that now:

Now let’s check MongoDB for the session that was created; it is what will be used to validate subsequent requests.

There it is. We have a session we can leverage to access the protected routes. Let’s give it a try.

Profile Route: Protected. Only you can see this.

We have made it to the protected route.

Profile Route: Test Failure

I will delete the session from my MongoDB store to ensure everything is configured correctly. After removing the session, this request should now fail.

After deleting the session, I can no longer log in and view the protected profile route.