Need help. Feeling confused and totally lost. How do you deal with so much abstraction?

I thought that this question might be better suited to back end section but I wanted to get a general opinion regarding the subject of dealing with frameworks and tools.
OK. I am currently on the Voting app project and it requires me to handle user authentication. I read all that info about sessions and the cookie which stores the session ID so as to maintain user sessions. When I searched the net for handling authentication in Node, all of them invariably did it using the passport module.
Now here is the problem. I learned about passport without really knowing what it is doing and I don’t like it. I still don’t understand what the use of passport is. I mean, I know it is useful for handling authentication, but how exactly it is helping me in handling authentication I still don’t know.
We write code like this:

app.use(expressSession({ secret: process.env.SESSION_SECRET })); // express-session requires a secret; it signs the session-ID cookie and exposes the session as req.session
app.use(passport.initialize());                                   // sets passport up on every request
app.use(passport.session());                                      // restores req.user from the session on every request

I know express-session creates a session object stored in req.session. But what does passport.initialize() do? Well yeah, it initializes the passport module; that is inferable from the name itself, but what does it actually do? What does passport.session() do? This is the first time I am handling user authentication. I actually have the curiosity to know how all this stuff works. The way all these modules make the whole process look like magic annoys me, and there exist few or almost no guides which show how to handle user authentication using Express itself without depending on some third-party modules.
In my defence, I did read the passport source code and got some of the things that passport is doing, but most of the things still remain unclear. I am feeling totally lost and confused. I don’t really like so much abstraction that programming basically becomes the process of finding modules and then integrating them and tada! It is good only when you have got enough experience and know everything happening behind the scenes. But when you are new, this is not a good thing in my opinion.
I come from a C/C++ background, and before using the libraries containing the various functions like sort() and data structures like list and set, I implemented them beforehand, so I knew what these libraries were doing. But with Node and the overwhelming list of dependency modules, I am feeling a bit disillusioned. When you are a beginner in a field, how can you use so many modules which do so many things behind your back and remain oblivious to it? Ignorance is bliss but it’s dangerous.
Someone please guide me.

If you really feel like you have to dig into all the small details of authentication, and do not want to make use of Passport or other authentication libraries, then why don’t you try and implement your own, from scratch?

As you mention you come from C++, have you ever implemented an authentication mechanism in that language? How did it work there?
Presumably, you start with a way to register a user account, then move on to implement a way for those users to log in.
So what happens when they are “logged in”? Presumably you will want to save that logged-in state somewhere? In a webapp, this is usually done by storing an identifier of this user’s authenticated session, somewhere, and you will want the client code to be able to tell the server that it is still logged in, using that saved token from cookie or whatever it may be. Etc etc…

Passport obviously just tries to help you with these things, so you write less code. But nothing keeps you from trying to roll your own authentication mechanism.
I also suspect you may have to understand sessions first, and how session information gets communicated between client and server.
Then, if you’re not sure why Passport integrates with Express, consider reading up on Express Middleware first (because that’s how passport and other libraries integrate with Express to use session details).

So, my advice would be two-fold:

  1. Read up about Sessions, and how various Express middleware libraries can handle sessions.
  2. Experiment writing your own authentication code, so you encounter all the problems Passport helps you to solve.

I am sorry if I came across as a module/framework hater. I assure you that is absolutely not me. But using some tool without properly understanding what’s going on is something which I strongly dislike.
I searched a lot about how the session management library works in Node, but most of the results just teach you to use the tool, not explain what the tool does or what the whole process is in general.
Thankfully a few of the results did talk about the ways to tackle the problem.
Thanks for your advice. I will try to build my own session management middleware. I will display it once it’s done. Really appreciate your help. Have a nice day.

1 Like

Frameworks were made to be general-purpose and there are people who don’t need to know all the details.

But there are people, like you, who want to know these details so my advice is just reinvent the wheel and develop your own authentication system.

This probably will take more time than using Passport, but you’ll learn new skills and be independent from Passport.

I don’t like to criticize others’ answers, but I’m sorry… this is terrible advice. Security is not something you should be inventing from scratch, even if you’re already an expert. There are a whole lot of weird wrinkles in any auth scheme, and trial and error is not the ideal way to discover them.

Well, I will be building a really simple authentication system just for understanding purposes. I won’t be employing it for any big projects. Frameworks and modules are for that purpose. I have been learning about sessions and cookies and it’s wonderful. I don’t really get how you can just copy and paste the code of some other libraries without even remotely knowing how that library works. I think I now understand what passport said about the persistent session cookie. And what do the functions in passport actually do? I have not yet looked up the implementation. It still is a bit daunting to me. But I have a general idea how it would be functioning.

I wasn’t telling him to use “this new auth system” in production, but to experiment a bit so he can understand what’s under the hood (also a small (useless) part of what’s under the hood).

1 Like