Stateless Authentication
The server does not store any data or state of the user between requests. It means each request from the client/ User to the server contains all the data needed to authenticate the user.
Some Stateless authentication strategies in ExpressJS are
- Basic Authentication
- Token-Based Authentication
- OAuth Authentication (when implemented with stateless tokens)
A. Basic Authentication
- Basic Authentication is one of the simplest and most widely used auth strategy across the web.
- In express, it involves sending the user’s credentials i.e username, and password with each HTTP request coded in “base64-encoded format”
- Though it is easy to implement, its base64-encoded format can be easily decoded so it is recommended to use this method only when coupled with a secure transport layer such as HTTPS.
- You can use express-basic-auth middleware in Express to implement this authentication method.
Javascript
//app.jsconst express = require("express");const basicAuth = require("express-basic-auth");const app = express();app.use( basicAuth({ users: { username: "password" }, challenge: true, unauthorizedResponse: "Unauthorized access. Please provide valid credentials.", }));app.get("/secure-data", (req, res) => { res.send("This is secure data that requires valid credentials.");});const port = 3000;app.listen(port, () => { console.log(`Server is running on http://localhost:${port}`);}); |
B. Token-Based Authentication:
- It is a more secure and scalable alternative to basic authentication.
- JSON Web Tokens(JWT) are commonly used in Express to implement token-based authentication.
- When the user logs in, the server generates a token containing the user’s information.
- Then the server sends the token to the client in response.
- The client stores the token in the form of a cookie or local storage.
- In the subsequent request, the client includes this token in the header, enabling the server to validate the user.
- The features of token-based auth include expiration time and digital signatures enhancing the security and integrity of the data.
Javascript
//app.jsconst jwt = require("jsonwebtoken");// Generating a tokenconst token = jwt.sign({ userId: "246" }, "secretKey", { expiresIn: "2h" });// Verifying the tokenjwt.verify(token, "secretKey", (err, decoded) => { if (err) { // Token is invalid } else { // Token is valid, and decoded contains user information }}); |
C. OAuth Authentication
- OAuth (Open Authorization) is an industry-standard protocol for authentication.
- OAuth enables users to grant third-party applications limited access to their resources without sharing credentials (passwords).
- In Express JS with the help of Passport.JS, one can integrate OAuth authentication strategies for popular providers such as Google, Twitter, or Facebook.
- OAuth leverages the existing credentials from trusted providers, offering a secure user experience.
Javascript
//app.jsconst passport = require("passport");const GoogleStrategy = require("passport-google-oauth20").Strategy;passport.use( new GoogleStrategy( { clientID: "your-id", clientSecret: "your-secret", callbackURL: "http://app/callback", }, (accessToken, refreshToken, profile, done) => { // Use profile information to create or authenticate a user // Call done(null, user) upon success } ));app.get( "/auth/google", passport.authenticate("google", { scope: ["profile", "email"] }));app.get( "/auth/google/callback", passport.authenticate("google", { successRedirect: "/dashboard", failureRedirect: "/login", })); |
Authentication strategies available in Express
Authentication is an important aspect of web development, which ensures that users accessing an application are who they claim to be. In Express, several authentication strategies are available that help you secure your applications by verifying user identities.
In this article, we will cover the following authentication strategies available in Express
Table of Content
- Stateless Authentication
- Stateful Authentication
Contact Us