Passport Local Configuration (Node + Passport + Express)

  • Published 25 Jul 2024
  • For resources and other information about this video, check out the corresponding post link below at Full Stack Foundations:
    - Video Link: www.fullstackfoundations.com/...
    -------------------------------------------------------------------------------------
    Connect with me:
    - Twitter: www.x.com/zg_dev
    - Full Stack Foundations: www.fullstackfoundations.com
    -------------------------------------------------------------------------------------
    Timestamps:
    0:00 Intro
    3:12 Walkthrough of Express app
    14:29 Passport JS documentation
    18:51 Configuring the verify callback function
    27:55 Using the verify callback in routes
    34:29 Defining the username/password crypto functions
    45:35 Implementing the register and login routes
  • Science & Technology

COMMENTS • 93

  • @user-to2td5ur4j
    @user-to2td5ur4j 2 months ago +3

    dropping in to say hi, the Odin project directed me here.

  • @sanilkhurana3991
    @sanilkhurana3991 4 years ago +25

    Such an amazing series. The documentation is so shit for passport, they should just link this playlist in their doc. That's the least they can do

  • @forbiddenumbrella
    @forbiddenumbrella 4 years ago +13

    The amount of hard work he puts is commendable.

  • @armaandhanji7151
    @armaandhanji7151 4 years ago +22

    Zach, thanks for taking the time to continue unraveling the "black box" behind passport and a lot of its functions. I am certain your videos will be very useful in the future for companies considering passport for authentication. Thanks again for the incredible content. Looking forward to your next upload!

  • @drakecoleman9364
    @drakecoleman9364 3 years ago +1

    I cannot believe you've given this out for free. The way you baby-step each part and make it so easy to understand is amazing. I owe you, I really do. I'm in debt to you, friend.

  • @muratkaradas1483
    @muratkaradas1483 1 year ago

    Zach does an excellent job of demystifying the inner workings of a software library that lacks easy-to-follow, beginner-friendly documentation. It's refreshing to see someone tackle a complex subject and break it down into understandable chunks. Thank you for shedding light on these topics and making them accessible to everyone!

  • @inuke4fun832
    @inuke4fun832 3 years ago +10

    This whole series so far has proven to be extraordinarily helpful. I genuinely respect the hell out of you for taking your time with this and making it so good whilst it is still free and accessible. No idea how you "only" have 5k subs, but with this quality of content I can't see a world where you don't blow up in this space on YouTube. Most people when they are explaining things, at least on YouTube, just rush through without really making you understand, but you are different: by far one of the best teachers I have seen on this platform.

    • @zachgoll
      @zachgoll  3 years ago +2

      Thanks for the compliment! Means a lot to me and definitely makes me want to keep creating this stuff (for free of course 💪)

  • @nabsteve
    @nabsteve 2 years ago +1

    I'm in video 5 of 11, and so far this series has taught a WHOLE LOT.
    I'm already by far a better programmer before getting halfway done.

  • @atiqkhawaja8174
    @atiqkhawaja8174 4 years ago +2

    Zach, I am extremely thankful for making this kind of stuff.

  • @tricky4
    @tricky4 3 years ago +2

    Amazing, Zach, thank you. Best Express + Passport explanation I've seen.

  • @in-loco2667
    @in-loco2667 3 years ago

    I used to listen to some tutorials, but Zach Gollwitzer has become my favourite after this series; he really explains things in simplified form.

  • @johnyanastacio1107
    @johnyanastacio1107 4 years ago

    The best tutorial about this subject that I have ever seen. Thank you so much man.

  • @stiventson4464
    @stiventson4464 3 years ago

    I like the fact that you took care to explain things in detail, like the password verification and generation. There is an easier way of doing it, but the way you did it makes it clear how it works. I really like that because I feel like I have more control over what I'm doing.

  • @bitcooin
    @bitcooin 4 years ago

    Zach, I'm very thankful for these videos. :)

  • @elianbarci
    @elianbarci 4 years ago +1

    Thank you Zach, actually the best tutorial on this subject.

  • @therobotious9408
    @therobotious9408 2 years ago

    The best video series on the topic, thanks very much.

  • @bryanurizar
    @bryanurizar 3 years ago

    I’ve been reading your article on Medium all week. Didn’t realize there were videos! I need to watch these. Thanks!

  • @sezif3157
    @sezif3157 2 years ago

    Bro, your tutorials are awesome!! It's hard to find something at this level. Thanks!!

  • @thatguy6664
    @thatguy6664 1 year ago

    I gave you a like simply because you have a starter branch that includes all of the imports so we can start coding ASAP...the first videos have been very informative so thank you very much!

  • @rockwu6376
    @rockwu6376 2 years ago

    I have never seen such a handsome coder! I think you are a bit like Leonardo. BTW, the way you speak is really gentle.

  • @marcossalvo7503
    @marcossalvo7503 3 years ago

    Amazing work, you have a new fan! Regards from Spain!

  • @dbr_199
    @dbr_199 4 years ago +1

    Very helpful videos. Thank you!

  • @julesgilson.
    @julesgilson. 3 years ago +1

    Well done for making an educational video and not just verbalising boilerplate like most others. This is how you learn development.

    • @zachgoll
      @zachgoll  3 years ago +1

      Thank you for your comment! I always worry that I'm getting too detailed but really try to explain the "why" behind things.

    • @julesgilson.
      @julesgilson. 3 years ago +1

      @@zachgoll Some people like the demonstrations and other people like to learn exactly what things do, so they can fix them when they go wrong. You can't please all the people, especially on YouTube! Just make the videos as you see fit.

  • @LfCarra23
    @LfCarra23 2 years ago

    You sir, deserve a million views. Thanks a whole lot.

  • @kim92se64
    @kim92se64 4 years ago +2

    What a great explanation!!!!!!! Hey buddy, you made a difficult thing so much easier!!!!! Awesome, TC.

  • @ReelDealBMX
    @ReelDealBMX 4 years ago +1

    This video was super helpful, especially considering how much explanation the documentation lacks. Subbed.

  • @merakli2022
    @merakli2022 3 years ago

    Awesome. Great tutorial. Keep up the good work.

  • @chiragkamatkamat
    @chiragkamatkamat 2 years ago

    Super thank you for the efforts, this will definitely help in the interviews.

  • @rickfearn3663
    @rickfearn3663 3 years ago

    Outstanding in clarity.

  • @maxhofer8558
    @maxhofer8558 3 years ago +1

    love it

    • @maxhofer8558
      @maxhofer8558 3 years ago

      I got an error. The IDE can't resolve the variable User in this line: "const User = connection.models.User;" -> Unresolved variable User

  • @prabhsharansingh6150
    @prabhsharansingh6150 3 years ago

    Good work man!

  • @siamak.hatami
    @siamak.hatami 3 years ago +1

    The clearest and most fantastic teaching and presentation. Thank you.

    • @4spuhrbar886
      @4spuhrbar886 3 years ago

      Thank you very much, helped me a lot! :)

  • @dawid_dahl
    @dawid_dahl 4 years ago

    Love this channel!

  • @MinigunHarcos
    @MinigunHarcos 3 years ago

    Awesome video!

  • @abdurrahmanibnhamdan8910
    @abdurrahmanibnhamdan8910 4 years ago +5

    Thank you Zach,
    I just want to point out you didn't mention changing the value of the username and password HTML input name attributes.

  • @stiventson4464
    @stiventson4464 3 years ago

    this dude is like so lovely, amazing job

  • @nonameara2321
    @nonameara2321 3 years ago

    Dude, thanks for the videos :)

  • @jamshidtashkent1976
    @jamshidtashkent1976 1 year ago

    Thank you, Zach.

  • @benki129
    @benki129 1 year ago

    Great job buddy

  • @NickCarboneDrum
    @NickCarboneDrum 3 years ago

    YOU ARE A HERO!

  • @JoonhwanLee
    @JoonhwanLee 3 years ago

    Logical, clear, incredible!

  • @prateekpandey4781
    @prateekpandey4781 2 years ago

    Please do more videos on Express, Zach, your videos are really good.

  • @Sinha.ritesh
    @Sinha.ritesh 1 month ago

    Beautifully explained.

  • @samuelemyrs
    @samuelemyrs 1 year ago

    You are the best

  • @Tesseract9630
    @Tesseract9630 3 years ago

    Best explanation.

  • @tanveerulhoque6803
    @tanveerulhoque6803 2 years ago

    Thanks mate :)

  • @yogeshbhatt388
    @yogeshbhatt388 3 years ago

    Thank you

  • @arvindchauhan8439
    @arvindchauhan8439 3 years ago

    Thank you!!!

  • @HDSourZ
    @HDSourZ 4 years ago

    Do you have a repo of the finished project? That would be really helpful.

  • @mackynikat8833
    @mackynikat8833 3 years ago

    Your bos and I have the same thinking; the words, declaration etc. is what is already done in my plain text editor

  • @bob-pk2ly
    @bob-pk2ly 4 years ago

    Thank you for this tutorial, gonna get started. But one question: can I still follow through while I use the Mongo Atlas database?

  • @johnnyboghean2242
    @johnnyboghean2242 2 years ago

    Thank you very much for this. It really taught me how to implement a basic login for an app I am building. I am using PostgreSQL and bcrypt and passport with local strategy after watching this series. My question is, how secure is passport with local strategy and express-session?

    • @zachgoll
      @zachgoll  2 years ago

      These strategies are used in tons of production apps, so they are pretty secure. That said, there are a lot more considerations to make on a security front than just the authentication side of things, but they likely aren't going to apply unless you're working on a mature project that would be a target of hacking.

    • @johnnyboghean2242
      @johnnyboghean2242 2 years ago

      @@zachgoll Thank you for replying. I am going to look into security more at some point to learn about different types of attacks and how to build defenses for them. For now, I wanted to make sure the authentication part is decently secure and my mind is at ease.

  • @skverskk
    @skverskk 4 years ago +1

    Great tutorial. Just curious why you chose the Node crypto library vs bcrypt, or was it just a personal preference?

    • @zachgoll
      @zachgoll  4 years ago +2

      In short, it was mainly to keep things as simple as possible. Most would argue that bcrypt (currently) has a better password hashing algorithm that is more resistant to brute force attacks. That said, NodeJS is a very robust framework and it is definitely in the best interest of the maintainers of the project to keep the Node crypto library secure. For most people watching this video, I don't think the choice will have any profound effects on the outcome of their project.

    • @sruthyml7656
      @sruthyml7656 4 years ago

      Why not use the passport-local-mongoose package??

  • @sam-zy2dn
    @sam-zy2dn 3 years ago

    Thanks Zach for your great tutorial. Do you have any idea why in bcrypt we do not save the salt? As far as I know, even though the salt is random, at the end you only need to know how many random bytes the salt is generated from, and you do not need to know the exact salt value to decrypt it (please consider that I am talking about the salt and not the hash). Basically, if you use bcrypt.hashSync(password, bcrypt.genSaltSync(10), null) without saving the salt, you could still decrypt it with bcrypt.compareSync(password, this.password)

    • @zachgoll
      @zachgoll  3 years ago +1

      From my understanding, you DO need the exact value of the salt to decrypt. bcrypt stores the salt within the "hash" as opposed to the Node crypto library, which requires them to be passed separately. See this post - stackoverflow.com/a/6832628/7437737
      The salt is not meant to be hidden, so it doesn't matter where you store it as long as you can retrieve it when it comes time to decrypt the hash. The reason we have salts in the first place is to prevent a "rainbow table attack", which is basically where an attacker pre-computes the hashes of millions of plaintext passwords and then simply loops through the table to try and brute-force attack a password. If you use a salt, that hacker would need to re-compute that entire table for EACH salt. Computationally, this makes it far too expensive for the hacker to brute force attack a database of passwords.

    • @sam-zy2dn
      @sam-zy2dn 3 years ago

      @@zachgoll Sorry for the late answer, Zach. Honestly, in my implementation I did not record the salt in the db and still I could decrypt it with compareSync. But as I wrote the code a long time ago I need to double check it and get back to you. Still, thanks for your effort to clear up the passport mess!

    • @IPS423
      @IPS423 2 years ago

      @@zachgoll I thought that salt was meant for the case where a hacker (or even a developer) has gotten access to hashed passwords.
      In the case of bcrypt, this hacker will not have access to the salt, because it's generated, never stored. The salt can be easily removed from the de-crypted string, because it's of fixed length; you don't need to know it (I think).
      BUT the hacker will need the salt for a "rainbow table attack"; things won't match otherwise, since he has to compare the resulting hash.
      SO after this, even a developer who has access to the password hash will not be able to match the hashes to the ones from a "rainbow table" even if the original password matches.
      Am I right?

  • @TheNinad22
    @TheNinad22 4 years ago +3

    It gives the error "can't read property hash of undefined", though I have followed the code. It gives the error at the signup method.

    • @ShubhamPalriwala
      @ShubhamPalriwala 4 years ago +3

      Change the name of form fields 'username' to 'uname' and 'password' to 'pw'

    • @theadrix92
      @theadrix92 4 years ago

      @@ShubhamPalriwala thank you

  • @aravindsaipanasa47
    @aravindsaipanasa47 3 years ago

    Bro, please provide the entire code in a GitHub repository also. Love from INDIA.

  • @creaatiive1718
    @creaatiive1718 3 years ago +1

    speedx1.5 *perfect

  • @AtmaniChouaib
    @AtmaniChouaib 4 months ago

    Thank you, but I faced an issue when submitting the password because the password data type in the schema is string, but the input type is password, so an error of unrelated data types occurred for me. I fixed it by changing the input to string type, but now it's exposed when typing. Is that correct?

    • @AtmaniChouaib
      @AtmaniChouaib 4 months ago

      I fixed it; I just had to drop the collection and regenerate it. No problem now, thank you.

  • @gouravbatra3656
    @gouravbatra3656 3 years ago

    What happens to the session object when the cookie storing its sessionId has expired? Does it remain stored in the database or does it get deleted from it automatically?

    • @zachgoll
      @zachgoll  3 years ago

      Would you mind telling me the timestamp of the video you are asking about? Would love to help, but I made this video a while ago and can't remember.

    • @kag3670
      @kag3670 3 years ago

      The session record gets deleted from the db automatically when the cookie expires.

  • @kllokoq
    @kllokoq 2 years ago

    I really don't know why customFields are not working for me. I still keep getting the same value as defined on the input tag? I had to work around it by extracting the keys from req.body with Object.keys(). Does anyone have any idea why? Is it possible that a library we're using has been updated in some way and they failed to document the change, and now we're left here melting our brains with useless things.

    • @jefferiushere2k7
      @jefferiushere2k7 1 year ago

      Did you figure this out? Mine also didn't work and I had to have verifyCallback as a function, not a variable.

    • @lidera2006
      @lidera2006 11 months ago

      @@jefferiushere2k7 The name field on the username and password inputs needs to be "uname" and "pw" for those to work.

  • @damanm4146
    @damanm4146 1 year ago

    46:00

  • @PatrickSierak
    @PatrickSierak 3 years ago +1

    He said "pass the salt"

  • @mateogomez-randulfe7394
    @mateogomez-randulfe7394 3 years ago +1

    sha512 no please, use bcrypt instead

    • @zachgoll
      @zachgoll  3 years ago +1

      While I’m not disagreeing, what is your reasoning for this?

    • @mateogomez-randulfe7394
      @mateogomez-randulfe7394 3 years ago

      @@zachgoll I think it is way better to use a key stretching algo such as bcrypt. Couldn't explain better than this post why SHA512 has some flaws compared to bcrypt: dusted.codes/sha-256-is-not-a-secure-password-hashing-algorithm

    • @mateogomez-randulfe7394
      @mateogomez-randulfe7394 3 years ago

      PS: loving your introduction to passport videos, keep it up! :D

    • @zachgoll
      @zachgoll  3 years ago

      @@mateogomez-randulfe7394 Nice! Thanks for the resource. I think the consensus among the developer community is definitely bcrypt, but I wanted to show that it was possible (and probably okay for most smaller apps) using Node alone.

  • @evilservo
    @evilservo 4 years ago

    Giving me an error: cannot create property 'generate' of string 'sessionStore'
    EDIT: Oops, my bad, was passing the variable as a string lol, such a stupid mistake

  • @we_tech_bros
    @we_tech_bros 2 years ago

    Why can't you use AJAX? Teach Node with AJAX and when it comes to passport no more AJAX... this is crazy

  • @anasouardini
    @anasouardini 1 year ago

    If I do all of that manually, wtf is the job of passport-local LOL