How to properly use Passport.js?

Question

I am using :

• Node.js
• Express 4.0
• Passport.js
• Google OAuth 2 for Authentication

For each user, I store in a MySQL DB (

Answer 1

1) serializeUser is filtering the data and storing it in the session cookie. generally store less in the cookie if you can. You are going to call the db for data about the user anyways so you can just store an ID used to retrieve and reconstruct the user, as seen in deserializeUser.

Request coming in the cookie is provided to the server by the client, the server deserializes the cookie into data, either decrypting cookie content or retrieving user data from the db. Then response headed out the server serializes the client data, scraping off things you wouldn't store in the cookie and putting them in the db, just leaving an id in the cookie.

if you are doing encryption then this can easily be screwed up when you want to scale by running multiple machines who each need to be able to decrypt the data (not really hard, but unnecessary complexity)

Having unencrypted data just lying in the cookie isn't the best, and besides anything in the cookie can add that inkling of extra bandwidth usage for the user.

2) The database calls should be very fast, if they aren't you are going to have a suffering user experience elsewhere anyways. In other words, my strong opinion is that there is an overwhelming argument for staying away from cookies.

consider that cookies are sent with each request; it would be smarter to, instead of shoving data into the session and having it add overhead, have the user data load up temporarily (cached) for a bit after the user makes a request, and then have neither database calls nor overhead from the cookie while the user is actively on your site.

honestly you should be fine at first without caching. Focus on getting your app up with minumum complexity. This way you can modify it according to user feedback faster and have fewer mistakes.

3) When I played with passport I had a similar issue. I would let passport do its job and grant passport-level-verification to the user (so yes they are logged in), then do more data collection separately. If you are concerned about security then make this passport-level verification not fully logged in, and require more data before upgrading to fully logged in.

I could be very off the mark with this one, but that's my recommendation.

4) Redis is good for times when you have multiple node instances and want to store something in memory (say a counter, or that cached user data). This way you don't have variables in the node code holding onto cached data about a user, which another node instance can't take advantage of when the user comes back and the load balancer shoots them to a different instance. http://www.ourdailycodes.com/2013/09/redis-when-should-i-use-it.html

EDIT: I should add that session uses a cookie, but only gives the user a unique token the server understands, so that the server can re-gather the user's session data when a connection is received with an accompanying session token. My understanding is that this is the generally correct way for Session to work... but that it varies by implementation (Someone correct me if I am wrong here).

Answer 2

I used node.js This is code from documentation :

passport.serializeUser(function(user, done) {
   done(null, user.id);
});

passport.deserializeUser(function(id, done) {
   User.findById(id, function (err, user) {
        done(err, user);
   });
});

and this is the code, I modified to understand better :

var passport = require ('passport')
passport.serializeUser (function(user, done) {
   done(null, user.id);
});

passport.deserializeUser(function(id, done) {
   var user = _.find(fixtures.users, 'id', id)
       if (user) {
          done (null, user);
       }
       else
          { done (null, false) }
});


module.exports = passport;

In serializeUser, client sending cookie with an 'id'. Here '(user)' argument in serializeUser is user profile and client using only 'id' from user profile to send request to server. done callback passing user.id to server.

In deserializedUser, server will look into database and find the user with that 'id' from serializedUser and return the user profile. I used 'lodash' to use find and remove methods.

var _ = require ('lodash')
var user = _.find(fixtures.users, 'id', id)

find will look for user id and return user profile with that id . More details about lodash is here : lodash . After that I am checking if user exist then return user otherwise return false.

At the end, I am exporting passport.

module.exports = passport;