w24 MADS 4012 Session 9 THU FEB 8 Writing Middleware

Writing middleware for use in Express apps

Learning Outcomes:
Writing middleware in Express.js:
Access to Request and Response Objects:
Middleware functions have access to the request object (req) and the response object (res), allowing them to modify the request and response as needed.

Next Function:
Middleware functions have access to the next function in the application's request-response cycle, which, when invoked, executes the next middleware in the stack. This allows for the sequential execution of middleware functions.

Error Handling:
Middleware functions can be used for error handling. If a middleware function does not end the request-response cycle, it must call next() to pass control to the next middleware function. Otherwise, the request will be left hanging.

Promise Support:
Starting with Express 5, middleware functions that return a Promise will call next(value) when they reject or throw an error. This allows for better error handling in asynchronous operations.

Flexibility and Extensibility:
Express.js provides a variety of built-in and third-party middleware libraries to achieve basic functionalities, allowing developers to create composable web applications by using and creating custom middleware functions.
These highlights showcase the power and flexibility of middleware in Express.js, enabling developers to effectively manage the request-response cycle and create robust web applications.

Session 9 Learning Objectives: Authentication and Authorization

- Authentication and Authorization
- What is the difference between authentication and authorization?
  - **Definition of Authentication**: Process of verifying who a user is.
  - **Definition of Authorization**: Process of verifying what a user has access to.
  - Authentication is about verifying identity, while authorization is about granting access based on that identity.
- What is session-based authorization?
- How to protect routes using the express-session library
- How to set up authentication with MongoDB Atlas + Mongoose
- Create a user account
- Log in to a user account

Learning Guide: Authentication and Authorization


This learning guide is designed to provide a comprehensive understanding of authentication and authorization, their differences, session-based authorization, and practical implementation using Express.js and MongoDB Atlas with Mongoose.
Introduction to Authentication and Authorization
- **Authentication vs. Authorization**: Authentication is the process of verifying who a user is, while authorization is the process of verifying what they have access to.
- **Importance in Security**: Discuss how both processes are crucial in protecting applications and data from unauthorized access.

Understanding Session-Based Authorization

Definition and Workflow:
Session-based authentication is a stateful technique in which the server keeps sessions that track which users have authenticated.

HTTP and Statelessness:

HTTP is stateless - sessions provide a way to maintain state across requests.

Protecting Routes with express-session


Introduction to express-session
Introduce the express-session middleware and its role in managing session data.
Setting Up express-session
Discuss how to configure express-session in an Express.js application, including setting cookie options for security.
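The middleware contract from the Learning Outcomes above (next(), error handlers, the hanging request) and the session check used for route protection, as one added example that is not code from the course, from Express or from express-session: runStack is an assumed stand-in for Express's dispatcher, and requireLogin, dashboard, errorHandler and handle are assumed names.

```javascript
// Added stand-in for Express's middleware dispatcher (assumption: not Express's
// own code), so the (req, res, next) contract runs without installing anything.
// A function declared with 4 parameters is an error handler, as in Express.
function runStack(stack, req, res) {
  let i = 0;
  function next(err) {
    while (i < stack.length) {
      const fn = stack[i++];
      const isErrorHandler = fn.length === 4;
      if (err ? !isErrorHandler : isErrorHandler) continue; // only error handlers see next(err)
      try {
        const out = err ? fn(err, req, res, next) : fn(req, res, next);
        // Express 5 behaviour: a returned Promise that rejects is routed to next(err).
        if (out && typeof out.catch === 'function') out.catch(next);
      } catch (e) {
        next(e); // a synchronous throw also becomes next(err)
      }
      return; // the handler now owns the cycle: it must respond or call next()
    }
    if (res.status === undefined) { res.status = 404; res.body = 'not found'; } // stack exhausted
  }
  next();
}

// Route guard (assumed name): pass only when express-session has populated
// req.session and the login route stored req.session.user.
function requireLogin(req, res, next) {
  if (req.session && req.session.user) return next();
  res.status = 401;
  res.body = 'login required';
}

function dashboard(req, res) {
  res.status = 200;
  res.body = `hello ${req.session.user}`;
}

// 4-argument error handler: generic message to the client, details to the server log.
function errorHandler(err, req, res, next) {
  res.status = 500;
  res.body = 'internal error';
  res.logged = err.message;
}

// Simulate one request through a stack with the given session object.
function handle(session, stack = [requireLogin, dashboard, errorHandler]) {
  const res = {};
  runStack(stack, { session }, res);
  return res;
}
```

A middleware that neither responds nor calls next() leaves res untouched, which is the hanging request described above; a stack that runs out of handlers falls through to the 404, as Express's final handler does.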

Authentication with MongoAtlas and Mongoose

- **MongoDB Atlas Setup**: Explain how to set up a MongoDB Atlas cluster and connect it using Mongoose[4].

User Model Creation:
Creating a user model with Mongoose to store user information.

Lab Activities

Activity 1: Implementing Session-Based Authentication (45 Minutes)

- **Objective**: Implement session-based authentication in a simple Express.js application.

- **Tasks**:
  1. Set up an Express.js application.
  2. Integrate express-session to manage user sessions.
  3. Create login and logout routes to authenticate users.

Activity 2: Route Protection (30 Minutes)

- **Objective**: Protect specific routes in an Express.js application using session-based authentication.

- **Tasks**:
  1. Define a middleware function to check for authenticated sessions.
  2. Apply the middleware to routes that require authentication.

Activity 3: Authentication with MongoDB Atlas (45 Minutes)

- **Objective**: Implement a user authentication system using MongoDB Atlas and Mongoose.

- **Tasks**:
  1. Connect to MongoDB Atlas using Mongoose[4].
  2. Create a user schema and model with Mongoose.
  3. Implement routes for user registration and login, including password hashing and session management.

Lab Activities
Continue to experiment with different configurations and explore additional middleware for security, such as Helmet for setting various HTTP headers.
Highlight the importance of keeping dependencies up to date and following best practices for security in web applications.
Post-Lab Learning Outcomes:
Solid foundation in authentication and authorization, enabling programmers to implement secure web applications using Express.js and MongoDB.
Citations:
[1] https://auth0.com/docs/get-started/identity-fundamentals/authentication-and-authorization
[2] https://roadmap.sh/guides/session-based-authentication
[3] https://expressjs.com/en/advanced/best-practice-security.html
[4] https://stackoverflow.com/questions/43394019/how-to-connect-to-mongodb-atlas-using-mongoose
[5] https://www.sailpoint.com/identity-library/difference-between-authentication-and-authorization/
[6] https://www.geeksforgeeks.org/session-vs-token-based-authentication/
[7] https://expressjs.com/en/resources/middleware/session.html
[8] https://www.mongodb.com/community/forums/t/how-can-connect-to-mongo-db-authentication-by-node-js/124406
[9] https://www.geeksforgeeks.org/difference-between-authentication-and-authorization/
[10] https://www.authgear.com/post/session-vs-token-authentication
[11] https://github.com/expressjs/session/issues/287
[12] https://www.onelogin.com/learn/authentication-vs-authorization
[13] https://stackoverflow.com/questions/17769011/how-does-cookie-based-authentication-work
[14] https://www.freecodecamp.org/news/express-js-security-tips/
[15] https://www.okta.com/identity-101/authentication-vs-authorization/
[16] https://www.educative.io/answers/session-based-authentication-vs-token-based-authentication
[17] https://jscrambler.com/blog/best-practices-for-secure-session-management-in-node
[18] https://frontegg.com/blog/authentication-vs-authorization
[19] https://dev.to/fidalmathew/session-based-vs-token-based-authentication-which-is-better-227o
[20] https://www.workfall.com/learning/blog/how-to-perform-a-session-based-user-authentication-in-express-js/
[21] https://learn.microsoft.com/en-us/entra/identity-platform/authentication-vs-authorization
[22] https://youtube.com/watch?v=gKkBEOq_shs
[23] https://auth0.com/blog/complete-guide-to-nodejs-express-user-authentication/
[24] https://www.fortinet.com/resources/cyberglossary/authentication-vs-authorization
[25] https://www.reddit.com/r/node/comments/bnqdrf/express_how_can_i_restrict_access_to_route_so/