1
00:00:03,950 --> 00:00:06,540
In the previous lessons,

2
00:00:06,540 --> 00:00:10,260
we have seen various strategies for user authentication.

3
00:00:10,260 --> 00:00:12,555
We started with basic authentication,

4
00:00:12,555 --> 00:00:16,500
and then moved on to cookies and Express sessions

5
00:00:16,500 --> 00:00:20,805
as a way of authenticating and tracking users.

6
00:00:20,805 --> 00:00:24,445
In this lesson we will look at Passport,

7
00:00:24,445 --> 00:00:29,450
a Node module that makes authentication quite easy,

8
00:00:29,450 --> 00:00:34,880
unobtrusive, and straightforward to configure in your application.

9
00:00:34,880 --> 00:00:39,125
Passport is nothing but an authentication middleware which supports

10
00:00:39,125 --> 00:00:43,330
various strategies that can be used for user authentication,

11
00:00:43,330 --> 00:00:47,505
including a local strategy like using username and password,

12
00:00:47,505 --> 00:00:54,530
or even third-party authentication using OAuth or OAuth 2.0,

13
00:00:54,530 --> 00:00:57,165
like using Facebook, Twitter,

14
00:00:57,165 --> 00:01:00,515
or Google+, and so on.

15
00:01:00,515 --> 00:01:03,600
We will look at some details about Passport,

16
00:01:03,600 --> 00:01:06,995
the local authentication supported by Passport.

17
00:01:06,995 --> 00:01:10,520
And in the exercise that follows,

18
00:01:10,520 --> 00:01:13,970
we will update our application to make use of

19
00:01:13,970 --> 00:01:19,025
Passport and Passport-Local Node modules to enable

20
00:01:19,025 --> 00:01:23,700
local authentication using username and password.

21
00:01:23,920 --> 00:01:27,670
So, as I stated a little bit earlier,

22
00:01:27,670 --> 00:01:33,185
Passport is a very useful authentication middleware for Node.js applications.

23
00:01:33,185 --> 00:01:36,675
It makes it simpler to implement authentication.

24
00:01:36,675 --> 00:01:39,274
As we have seen in the previous exercises,

25
00:01:39,274 --> 00:01:45,215
authentication involves a lot of repetitive code and repetitive tasks: handling errors

26
00:01:45,215 --> 00:01:48,440
and devising ways of checking

27
00:01:48,440 --> 00:01:52,580
the user authentication and then authenticating the user and so on.

28
00:01:52,580 --> 00:01:56,090
All this is simplified within Passport using

29
00:01:56,090 --> 00:02:00,040
various strategies that can be used for authenticating users.

30
00:02:00,040 --> 00:02:04,220
You can use a local strategy, for example, which is based upon

31
00:02:04,220 --> 00:02:09,440
registering users into your system using a username and password,

32
00:02:09,440 --> 00:02:14,030
and then thereafter authenticating them using the username and password.

33
00:02:14,030 --> 00:02:18,965
Passport also supports OpenID-based authentication

34
00:02:18,965 --> 00:02:22,805
or OAuth- or OAuth 2.0-based authentication,

35
00:02:22,805 --> 00:02:27,135
as is supported by third-party authenticators like Facebook,

36
00:02:27,135 --> 00:02:29,535
Twitter, Google+, and so on.

37
00:02:29,535 --> 00:02:32,465
We can also use what is called

38
00:02:32,465 --> 00:02:37,880
JSON Web Tokens as another way of authentication called token-based authentication.

39
00:02:37,880 --> 00:02:42,485
We'll look at token-based authentication in the later part of this lesson.

40
00:02:42,485 --> 00:02:46,465
Also, Passport supports sessions.

41
00:02:46,465 --> 00:02:51,785
As we have seen in the previous exercise and the previous lesson,

42
00:02:51,785 --> 00:02:55,640
Express sessions are an easy way of tracking users on

43
00:02:55,640 --> 00:03:01,130
the server side and being able to service incoming requests from clients.

44
00:03:01,130 --> 00:03:03,330
To make use of Passport, of course,

45
00:03:03,330 --> 00:03:05,515
we'll install the Passport module.

46
00:03:05,515 --> 00:03:08,175
We'll also, in the exercise that follows,

47
00:03:08,175 --> 00:03:11,195
install the Passport-Local module for

48
00:03:11,195 --> 00:03:15,060
providing the local strategy for user authentication.

49
00:03:15,060 --> 00:03:19,885
The use of Passport within our application is fairly straightforward.

50
00:03:19,885 --> 00:03:23,500
On the routes on which we want to perform authentication,

51
00:03:23,500 --> 00:03:27,110
we just specify passport.authenticate and then specify

52
00:03:27,110 --> 00:03:33,320
the specific authentication strategy that we want to use for the user authentication.

53
00:03:33,320 --> 00:03:34,810
As an example here,

54
00:03:34,810 --> 00:03:36,590
you see that we are applying

55
00:03:36,590 --> 00:03:41,950
a local authentication by saying passport.authenticate and 'local'.

56
00:03:41,950 --> 00:03:46,530
And so it uses the local strategy for authenticating the users.

57
00:03:46,530 --> 00:03:49,725
If the authentication is successful,

58
00:03:49,725 --> 00:03:53,870
then the middleware moves on to the next step,

59
00:03:53,870 --> 00:03:57,435
where we can further process the incoming request.

60
00:03:57,435 --> 00:04:03,240
So, upon successful authentication of the user,

61
00:04:03,240 --> 00:04:09,300
Passport itself adds a user property to the request message.

62
00:04:09,300 --> 00:04:15,110
So req.user becomes available for us with the user's information in there,

63
00:04:15,110 --> 00:04:17,960
which we can subsequently use within

64
00:04:17,960 --> 00:04:23,850
our Express application to handle the request coming from specific users.

65
00:04:23,850 --> 00:04:30,110
So this easily helps us to identify which client sent the request to

66
00:04:30,110 --> 00:04:32,840
our application and consequently service

67
00:04:32,840 --> 00:04:37,525
the request accordingly based upon the user's identity.

68
00:04:37,525 --> 00:04:40,140
Together with Passport, we will install

69
00:04:40,140 --> 00:04:45,225
another Passport related module called Passport-Local.

70
00:04:45,225 --> 00:04:49,490
Passport-Local supports a strategy called

71
00:04:49,490 --> 00:04:52,190
the local strategy for authenticating users

72
00:04:52,190 --> 00:04:55,135
with the standard username/password combination.

73
00:04:55,135 --> 00:04:58,230
So we set up the user schema,

74
00:04:58,230 --> 00:04:59,540
as we did before,

75
00:04:59,540 --> 00:05:05,030
and then use the user schema or model to track the username and

76
00:05:05,030 --> 00:05:11,240
password and then Passport-Local depends upon that to verify the username and password.

77
00:05:11,240 --> 00:05:12,815
So, to install it again,

78
00:05:12,815 --> 00:05:13,985
being a Node module,

79
00:05:13,985 --> 00:05:19,490
we install it using the standard procedure for installing the Passport-Local Node module.

80
00:05:19,490 --> 00:05:23,075
Once the Passport-Local Node module is installed,

81
00:05:23,075 --> 00:05:30,750
then we need to specify the local strategy and how it is actually used within Passport.

82
00:05:30,750 --> 00:05:33,465
So, to specify a local strategy, we'll say

83
00:05:33,465 --> 00:05:39,290
passport.use, and so this will allow us to specify the local strategy to use.

84
00:05:39,290 --> 00:05:42,705
So, having installed Passport-Local,

85
00:05:42,705 --> 00:05:46,900
we will declare a new local strategy and then supply

86
00:05:46,900 --> 00:05:53,725
the corresponding verification function that is used for verifying the user.

87
00:05:53,725 --> 00:05:59,585
If you are using MongoDB as the back-end store, then,

88
00:05:59,585 --> 00:06:02,660
to help us with the Passport-Local strategy,

89
00:06:02,660 --> 00:06:06,045
there is another module called Passport-Local Mongoose.

90
00:06:06,045 --> 00:06:10,150
The Passport-Local Mongoose module provides

91
00:06:10,150 --> 00:06:15,290
a Mongoose plugin which will simplify the username and password login.

92
00:06:15,290 --> 00:06:19,250
By installing the Passport-Local Mongoose plugin and

93
00:06:19,250 --> 00:06:23,330
then using it when we define the user schema and the model,

94
00:06:23,330 --> 00:06:29,605
thereby using the support of the Passport-Local Mongoose module,

95
00:06:29,605 --> 00:06:33,995
this Mongoose plugin adds the username and

96
00:06:33,995 --> 00:06:40,080
an encrypted way of storing the password within our user model.

97
00:06:40,080 --> 00:06:43,205
The encryption is done by using hashing

98
00:06:43,205 --> 00:06:47,060
on the password that we use for registering users,

99
00:06:47,060 --> 00:06:50,595
and the hash itself uses a salt field.

100
00:06:50,595 --> 00:06:54,140
So if you know anything about cryptography, in cryptography,

101
00:06:54,140 --> 00:06:57,620
the salt is a random string that is used for performing

102
00:06:57,620 --> 00:07:02,135
the hashing operation on the password for storing.

103
00:07:02,135 --> 00:07:07,590
So the hashed password is itself actually stored in our MongoDB database.

104
00:07:07,590 --> 00:07:09,815
The actual password is not stored.

105
00:07:09,815 --> 00:07:14,420
So, when the user tries to authenticate using the username and password,

106
00:07:14,420 --> 00:07:16,820
the password will be hashed again and then compared with

107
00:07:16,820 --> 00:07:20,490
the hashed passwords stored in our database and this is

108
00:07:20,490 --> 00:07:28,040
all provided by the Mongoose plugin, the Passport-Local Mongoose.

109
00:07:28,040 --> 00:07:32,690
In addition, Passport-Local Mongoose also adds additional methods that

110
00:07:32,690 --> 00:07:37,535
are very useful for configuring the Passport-Local strategy.

111
00:07:37,535 --> 00:07:43,095
So within our application when we define the user schema and the model,

112
00:07:43,095 --> 00:07:46,030
we will import Passport-Local Mongoose and then add it

113
00:07:46,030 --> 00:07:49,495
in as the plugin for the user schema.

114
00:07:49,495 --> 00:07:53,000
This Passport-Local Mongoose module automatically

115
00:07:53,000 --> 00:07:56,240
as I said, adds the username field and also

116
00:07:56,240 --> 00:08:03,690
a hashed password storage field using a salt value that it uses for doing the hashing,

117
00:08:03,690 --> 00:08:08,240
and also provides additional methods that enable us

118
00:08:08,240 --> 00:08:13,010
to configure our Passport-Local strategy.

119
00:08:13,010 --> 00:08:16,945
If we are using the Passport-Local Mongoose module,

120
00:08:16,945 --> 00:08:19,185
then, for the local strategy,

121
00:08:19,185 --> 00:08:23,990
the Passport-Local Mongoose plugin supports on

122
00:08:23,990 --> 00:08:30,020
the user model an authenticate method that will automatically do the authentication.

123
00:08:30,020 --> 00:08:35,195
In the earlier slide I had shown you how we would implement the local strategy.

124
00:08:35,195 --> 00:08:39,690
Now this is automatically provided for you by Passport-Local Mongoose

125
00:08:39,690 --> 00:08:44,285
by simply saying new LocalStrategy(User.authenticate()).

126
00:08:44,285 --> 00:08:50,730
Then we don't need to explicitly write the authentication code for the local strategy.

127
00:08:50,730 --> 00:08:55,445
Also if you are using sessions that are supported by Passport,

128
00:08:55,445 --> 00:08:58,555
then, for supporting sessions,

129
00:08:58,555 --> 00:09:02,630
the user information needs to be serialized to

130
00:09:02,630 --> 00:09:06,840
be stored with the session information on the server side and then,

131
00:09:06,840 --> 00:09:08,690
when the request comes in,

132
00:09:08,690 --> 00:09:10,140
from the session ID,

133
00:09:10,140 --> 00:09:13,940
the user information needs to be deserialized to extract

134
00:09:13,940 --> 00:09:20,160
the user information from our session information that is stored on the server side.

135
00:09:20,160 --> 00:09:22,145
Now this serialization and

136
00:09:22,145 --> 00:09:27,440
deserialization operation is already supported by Passport-Local Mongoose through

137
00:09:27,440 --> 00:09:29,990
the serializeUser and

138
00:09:29,990 --> 00:09:36,480
the deserializeUser methods that are available from the Passport-Local Mongoose plugin.

139
00:09:36,480 --> 00:09:38,095
So having seen this,

140
00:09:38,095 --> 00:09:42,680
we will now see in the exercise how easy it is to configure

141
00:09:42,680 --> 00:09:48,120
the local strategy for authenticating users using the Passport,

142
00:09:48,120 --> 00:09:54,490
Passport-Local, and Passport-Local Mongoose Node modules.