Auth Starter
This is the authentication code I find myself implementing on every project that needs a basic password protected demo or admin site. The flexibility of passport is nice, but for a simple app with few users all you need is something that works with minimal effort.
- Express 3
- Based on passport-local
- Username/password stored in mongodb
- Limit unsuccessful login attempts (3 per minute by default)
- Password hashing
- Users cached in memory to avoid excessive db requests
- Redirection to original url
- Hash preserved in redirection urls
- Default login form provided if not overridden by creating views/login.jshtml
The following routes are added to the app:
- GET /login
- POST /login
- GET /logout
- GET /loginredirect
Installation
npm install authstarter
To create necessary auth related view files, run
node
require("authstarter").setup();
Usage
var partials = require('express-partials');
var AuthStarter = require("authstarter");
var app = express();
app.use(partials());
app.configure(function() {
app.use(express.cookieParser());
app.use(express.session({
secret: 'secret'
}));
app.use(express.bodyParser());
AuthStarter.configure(app);
app.use(app.router);
app.use(express.static(__dirname + '/static'));
app.engine('jshtml', require('jshtml-express'));
app.set('view engine', 'jshtml');
});
app.get('/', AuthStarter.ensureAuthenticated, function(req, res) {
req.send('Secured content');
});
User setup
The user store is a mongodb collection containing documents like:
{
_id: ObjectId("537159a186915c696a000521"),
username: "username",
password: "password",
roles: {
admin: false
}
}
Passwords may be either plain text or hashed in the format used by https://github.com/davidwood/node-password-hash
Users may be created manually or using one of the provided functions that include password hashing.
AuthStarter.addUser("username", "password", {"user": true, "admin":false});
AuthStarter.setPassword(username, password);
Options
var settings = {
mongoUrl: process.env.MONGOHQ_URL,
baseUrl: process.env.SECURE_DOMAIN,
userCollection: process.env.USER_COLLECTION || 'AdminUsers',
hashOptions: {
algorithm: "sha512"
},
maxAttempts: 3,
layout: "blanklayout",
title: "Log In",
customCss: ""
};
AuthStarter.configure(app, settings);
- mongoUrl - a mongodb url as used by mongo-native
- baseUrl - used to make redirects absolute. eg "https://example.com"
- userCollection - name of the mongodb collection
- hashOptions - as used by password-hash
- maxAttempts - number of incorrect login attempts allowed within one minute