
I am looking for some advice on implementing authentication when the client and the server live in separate projects.

The Server

This API was built as an Express server. It has routes for CRUD operations with a MySQL database. It also has a user model that utilizes bcrypt to encrypt passwords. There is no frontend in this project.

The Client

This is a Vue project made with the vue-cli and hits the above API to get the data to display.

The Issue

I need to add authentication. I was thinking I would do this with express-session, but I am a little confused about how exactly it works. All of the tutorials I have seen use express-session in combination with passport. This seems fine, but in all the examples passport forwards to a login page that lives on the server. This is usually written in handlebars or some other templating framework. I am not sure of the best way to implement this, since the login page lives in the client project.

How I thought it worked (Am I missing something?)

I was originally of the impression that for a new user express-session would create a token that I would save in the users table (maybe generated at login and stored temporarily). Once the user logs in with the correct password, this token is passed to the client to be stored as a cookie. When the client wants access to restricted data, it would pass the token in an Authentication header to the server to get permission.

The Questions

  1. Since my projects are separated is passport still useful for my use case?
  2. Is it secure to create the session cookie on the server and send the token to the client as a response to the client's login POST?
  3. Do I need to store the session token in the database?
  4. Is there a better option?

1 Answer

In my project I have almost the same setup, and I ended up with JWT to generate an access token.

The cycle begins with the user sending his/her email and password to my login endpoint.

In this stage I hash the password using some secret string, fetch the user from the database and check if authentication succeeds.

After that I generate an access token with an expiry time set, and I expect this access token in all protected routes.

With this approach you can easily implement a refresh token to exchange from time to time, saving the refresh token in your database.

This is very simple and is good for you to understand how the process of authentication is done.

jsonwebtoken
